0003168
Final Report EBA Guidelines on ICT and security risk management
European Banking Authority
Regulation or Statute
Free
EBA/GL/2019/04
Final Report EBA Guidelines on ICT and security risk management
2019-11-29
The document as a whole was last reviewed and released on 2020-06-02T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Final Report EBA Guidelines on ICT and security risk management that has been tagged with its primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Final Report EBA Guidelines on ICT and security risk management are based upon terms found within the Authority Document's defined terms section (which most legal documents have), within its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Common Control (CC ID) and cited guidance (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Business Processes | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Business Processes | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [Where, in accordance with Article 68(1) of Directive (EU) 2015/2366, a PSP has agreed with the payer spending limits for payment transactions executed through specific payment instruments, the PSP should provide the payer with the option to adjust these limits up to the maximum agreed limit. 3.8 95 {payment service user} Where product functionality permits, PSPs should allow PSUs to disable specific payment functionalities related to the payment services offered by the PSP to the PSU. 3.8 94] | Technical Security | Preventive | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Business Processes | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Business Processes | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Communicate | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Business Processes | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Business Processes | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Business Processes | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Establish/Maintain Documentation | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Business Processes | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Configuration | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 | Business Processes | Preventive | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Data and Information Management | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Business Processes | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Communicate | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes. 3.6.2 74] | Establish/Maintain Documentation | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Technical Security | Preventive | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes. 3.6.2 74] | Establish/Maintain Documentation | Preventive | |
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 | Testing | Detective | |
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Testing | Detective | |
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Testing | Detective | |
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Testing | Detective | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Testing | Detective | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Testing | Detective | |
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Testing | Detective | |
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Testing | Detective | |
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Testing | Detective | |
Correct defective acquired goods or services. CC ID 06911 | Acquisition/Sale of Assets or Services | Corrective | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Process or Activity | Preventive | |

Common Control (CC ID) and cited guidance (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Establish Roles | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26] | Establish Roles | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Human Resources Management | Corrective | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Establish Roles | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
Report audit findings to interested personnel and affected parties. CC ID 01152 [Financial institutions should report risk assessment results to the management body in a clear and timely manner. Such reporting is without prejudice to the obligation of PSPs to provide competent authorities with an updated and comprehensive risk assessment, as laid down in Article 95(2) of Directive (EU) 2015/2366. 3.3.5 24] | Testing | Detective | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22] | Testing | Detective | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [{independent review} The internal audit function should, following a risk-based approach, have the capacity to independently review and provide objective assurance of the compliance of all ICT and security-related activities and units of a financial institution with the financial institution's policies and procedures and with external requirements, adhering to the requirements of Section 22 of the EBA Guidelines on internal governance (EBA/GL/2017/11). 3.3.1 11 ¶ 2 {Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Process or Activity | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
Audit policies, standards, and procedures. CC ID 12927 [{Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. 3.4.6 46] | Audits and Risk Management | Detective | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [A formal follow-up process including provisions for the timely verification and remediation of critical ICT audit findings should be established. 3.3.6 27] | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Establish/Maintain Documentation | Preventive | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Testing | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26 {Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26] | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Establish/Maintain Documentation | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The ICT and security risk management framework should include processes in place to: identify and assess the ICT and security risks to which a financial institution is exposed; 3.3.1 13(b)] | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{be relevant}{supporting activity} Financial institutions should ensure that they continuously monitor threats and vulnerabilities relevant to their business processes, supporting functions and information assets and should regularly review the risk scenarios impacting them. 3.3.3 21 The ICT and security risk management framework should include processes in place to: identify and assess the ICT and security risks to which a financial institution is exposed; 3.3.1 13(b) {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20 {internal factor} Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: relevant internal and external factors, including business and ICT administrative functions; 3.4.5 38(a)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Business Processes | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [{external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Establish/Maintain Documentation | Preventive | |
Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Technical Security | Preventive | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [{supporting activity} Financial institutions should classify the identified business functions, supporting processes and information assets referred to in paragraphs 15 and 16 in terms of criticality. 3.3.3 17 Financial institutions should review the adequacy of the classification of the information assets and relevant documentation, when risk assessment is performed. 3.3.3 19] | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 [The establishment and progress of ICT projects and their associated risks should be reported to the management body, individually or in aggregation, depending on the importance and size of the ICT projects, regularly and on an ad hoc basis as appropriate. Financial institutions should include project risk in their risk management framework. 3.6.1 66 A financial institution should establish and implement an ICT project management policy that includes as a minimum: a project risk assessment; 3.6.1 63(c)] | Establish/Maintain Documentation | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Establish/Maintain Documentation | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 [The ICT and security risk management framework should include processes in place to: identify and assess whether there are any ICT and security risks resulting from any major change in ICT system or ICT services, processes or procedures, and/or after any significant operational or security incident. 3.3.1 13(f) {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 [{be consistent with} Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss and how to address information security related risks. Financial institutions should ensure that the training programme provides training for all staff members and contractors at least annually. 3.4.7 49] | Business Processes | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [{payment service user} PSPs should establish and implement processes to enhance PSUs' awareness of the security risks linked to the payment services by providing PSUs with assistance and guidance. 3.8 92] | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [Financial institutions should perform a variety of information security reviews, assessments and testing to ensure the effective identification of vulnerabilities in their ICT systems and ICT services. For instance, financial institutions may perform gap analysis against information security standards, compliance reviews, internal and external audits of the information systems, or physical security reviews. Furthermore, the institution should consider good practices such as source code reviews, vulnerability assessments, penetration tests and red team exercises. 3.4.6 41] | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{supporting activity} To define the criticality of these identified business functions, supporting processes and information assets, financial institutions should, at a minimum, consider the confidentiality, integrity and availability requirements. There should be clearly assigned accountability and responsibility for the information assets. 3.3.3 18] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The ICT and security risk management framework should include processes in place to: determine the risk appetite for ICT and security risks, in accordance with the risk appetite of the financial institution; 3.3.1 13(a) {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Process or Activity | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22 {backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [{risk mitigation activity} Without prejudice to the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and Article 19 of PSD2, financial institutions should ensure the effectiveness of the risk-mitigating measures as defined by their risk management framework, including the measures set out in these guidelines, when operational functions of payment services and/or ICT services and ICT systems of any activity are outsourced, including to group entities, or when using third parties. 3.2.3 7 {ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [The ICT and security risk management framework should include processes in place to: define mitigation measures, including controls, to mitigate ICT and security risks; 3.3.1 13(c) Financial institutions should define and implement measures to mitigate identified ICT and security risks and to protect information assets in accordance with their classification. 3.3.4 23] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Establish/Maintain Documentation | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Establish/Maintain Documentation | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [{ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Establish/Maintain Documentation | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [The ICT and security risk management framework should include processes in place to: report to the management body on the ICT and security risks and controls; 3.3.1 13(e) {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Establish/Maintain Documentation | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [Financial institutions should review the adequacy of the classification of the information assets and relevant documentation, when risk assessment is performed. 3.3.3 19] | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Establish/Maintain Documentation | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
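
The backup and restoration mandate cited above (3.5 57) requires that backup and restoration procedures be tested periodically, and the mandate for control effectiveness (3.3.1 13(d)) requires evidence that a measure actually works. The following is an added example, not part of the UCF mapping or the EBA guidelines: a self-contained Python restore test that backs up a constructed sample file set, restores it into a scratch directory, and verifies that every file comes back with its backup-time SHA-256 digest, that nothing is missing or unexpected, and that the restore finished within an assumed recovery time objective. The file paths, contents and the `RTO_SECONDS` value are constructed for the example.

```python
"""Backup-and-restore verification check.

Added example; not code from the UCF mapping or the EBA guidelines. It builds
a constructed data set, archives it, restores it into a scratch directory and
verifies the restore against a manifest captured at backup time.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for a system's critical files.
SAMPLE_FILES = {
    "ledger/transactions.csv": b"id,amount\n1,100.00\n2,250.50\n",
    "config/app.yaml": b"db: ledger\nretention_days: 90\n",
    "keys/README": b"no private keys are stored here\n",
}

RTO_SECONDS = 5.0  # assumed recovery time objective for this toy system (hypothetical)


def sha256_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def write_sample_data(root: Path) -> None:
    """Materialise the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def create_backup(source: Path, archive: Path) -> dict:
    """Archive source into a gzip tar; return the digest manifest taken at backup time."""
    manifest = sha256_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_backup(archive: Path, destination: Path) -> float:
    """Extract the archive into destination and return the elapsed seconds."""
    # The 'data' extraction filter (Python 3.12+, backported to older patch
    # releases) refuses absolute paths and path-traversal entries; fall back
    # to the default extraction on interpreters that lack it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(destination, **extract_kwargs)
    return time.monotonic() - start


def verify_restore(manifest: dict, restored: Path, elapsed: float, rto: float = RTO_SECONDS) -> dict:
    """Compare the restored tree against the backup-time manifest and the RTO."""
    actual = sha256_tree(restored)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    corrupted = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    within_rto = elapsed <= rto
    return {
        "missing": missing,
        "unexpected": unexpected,
        "corrupted": corrupted,
        "elapsed": elapsed,
        "within_rto": within_rto,
        "ok": not (missing or unexpected or corrupted) and within_rto,
    }


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end check: back up, restore, verify.

    tamper=True overwrites one restored file to show that the check detects
    a restore that silently came back different from what was backed up.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source, archive, restored = work / "source", work / "backup.tar.gz", work / "restored"
        write_sample_data(source)
        manifest = create_backup(source, archive)
        restored.mkdir()
        elapsed = restore_backup(archive, restored)
        if tamper:
            (restored / "ledger/transactions.csv").write_bytes(b"id,amount\n1,100.00\n")
        return verify_restore(manifest, restored, elapsed)


if __name__ == "__main__":
    for label, result in (("clean", run_restore_test()), ("tampered", run_restore_test(tamper=True))):
        print(label, "PASS" if result["ok"] else "FAIL", result)
```

Run directly, the script reports a passing clean restore and a failing tampered one. The design point is that the digest manifest is captured at backup time, not computed from the restored copy, so a backup that was truncated or altered in storage cannot verify against itself; the elapsed time is what supports the recovery-time claim in the business continuity plan, so it should be recorded as evidence of each periodic test rather than assumed.
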
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2 The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Human Resources Management | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Business Processes | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2 {establish} The management body has overall accountability for setting, approving and overseeing the implementation of financial institutions' ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. 3.2.1 4] | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 [Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 [A financial institution should implement a programme and/or a project governance process that defines roles, responsibilities and accountabilities to effectively support the implementation of the ICT strategy. 3.6.1 61] | Establish Roles | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources Management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Establish Roles | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources Management | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Establish Roles | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Establish Roles | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Establish Roles | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Establish Roles | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Establish Roles | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Establish Roles | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Establish Roles | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 [{supporting activity} To define the criticality of these identified business functions, supporting processes and information assets, financial institutions should, at a minimum, consider the confidentiality, integrity and availability requirements. There should be clearly assigned accountability and responsibility for the information assets. 3.3.3 18] | Establish/Maintain Documentation | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Establish Roles | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Establish Roles | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Establish Roles | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Establish Roles | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Establish Roles | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [A financial institution should ensure that all areas impacted by an ICT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. 3.6.1 65] | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Access management: access rights should be granted, withdrawn or modified in a timely manner, according to predefined approval workflows that involve the business owner of the information being accessed (information asset owner). In the case of termination of employment, access rights should be promptly withdrawn. 3.4.2 31(e)] | Technical Security | Corrective | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Assign and staff all roles appropriately. CC ID 00784 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3 A financial institution should ensure that all areas impacted by an ICT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. 3.6.1 65] | Testing | Detective | |
Delegate authority for specific processes, as necessary. CC ID 06780 | Behavior | Preventive | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 The ICT project management policy should ensure that information security requirements are analysed and approved by a function that is independent from the development function. 3.6.1 64] | Testing | Detective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Technical Security | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [{be consistent with} Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss and how to address information security related risks. Financial institutions should ensure that the training programme provides training for all staff members and contractors at least annually. 3.4.7 49] | Behavior | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 [{information security and awareness training} Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: information security training and awareness (Section 3.4.7). 3.4.1 30(g)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [{payment service user}{in light of} The assistance and guidance offered to PSUs should be updated in the light of new threats and vulnerabilities, and changes should be communicated to the PSU. 3.8 93] | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [{payment service user} PSPs should keep PSUs informed about updates in security procedures that affect PSUs regarding the provision of payment services. 3.8 97] | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources Management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Human Resources Management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Communicate | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
Establish, implement, and maintain warning procedures. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Business Processes | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 [Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Business Processes | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [Financial institutions should identify, establish and maintain updated mapping of their business functions, roles and supporting processes to identify the importance of each and their interdependencies related to ICT and security risks. 3.3.2 15] | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 [The security monitoring process should also help a financial institution to understand the nature of operational or security incidents, to identify trends and to support the organisation's investigations. 3.4.5 40] | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 [{payment service user}{in light of} The assistance and guidance offered to PSUs should be updated in the light of new threats and vulnerabilities, and changes should be communicated to the PSU. 3.8 93] | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Business Processes | Detective | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Testing | Detective | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Establish Roles | Detective | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 [The establishment and progress of ICT projects and their associated risks should be reported to the management body, individually or in aggregation, depending on the importance and size of the ICT projects, regularly and on an ad hoc basis as appropriate. Financial institutions should include project risk in their risk management framework. 3.6.1 66] | Establish/Maintain Documentation | Detective | |
Address Information Security during the business planning processes. CC ID 06495 [Financial institutions should ensure that performance of their ICT operations is aligned to their business requirements. Financial institutions should maintain and improve, when possible, efficiency of their ICT operations, including but not limited to the need to consider how to minimise potential errors arising from the execution of manual tasks. 3.5 51] | Data and Information Management | Preventive | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: the planned strategy and evolution of the architecture of ICT, including third party dependencies; 3.2.2 5(b) Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6 {organizational structure} The ICT strategy should be aligned with financial institutions' overall business strategy and should define: how financial institutions' ICT should evolve to effectively support and participate in their business strategy, including the evolution of the organisational structure, ICT system changes and key dependencies with third parties; 3.2.2 5(a)] | Establish/Maintain Documentation | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Establish/Maintain Documentation | Preventive | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Human Resources Management | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Establish/Maintain Documentation | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Establish/Maintain Documentation | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Establish/Maintain Documentation | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Business Processes | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: 3.2.2 5] | Business Processes | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Establish/Maintain Documentation | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 | Establish/Maintain Documentation | Preventive | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 | Actionable Reports or Measurements | Preventive | |
Review and approve the closure report. CC ID 16947 | Actionable Reports or Measurements | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Establish/Maintain Documentation | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Establish/Maintain Documentation | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Business Processes | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: project objectives; 3.6.1 63(a)] | Establish/Maintain Documentation | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Establish/Maintain Documentation | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Human Resources Management | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: key milestones; 3.6.1 63(e)] | Establish/Maintain Documentation | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Establish/Maintain Documentation | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Establish/Maintain Documentation | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Establish/Maintain Documentation | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Establish/Maintain Documentation | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Establish/Maintain Documentation | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 [Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 [Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6] | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Actionable Reports or Measurements | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Actionable Reports or Measurements | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Actionable Reports or Measurements | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Actionable Reports or Measurements | Preventive | |
Review and approve the Strategic Information Technology Plan. CC ID 13094 | Human Resources Management | Preventive | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitor and Evaluate Occurrences | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [{performance plan} Financial institutions should implement performance and capacity planning and monitoring processes to prevent, detect and respond to important performance issues of ICT systems and ICT capacity shortages in a timely manner. 3.5 56] | Monitor and Evaluate Occurrences | Detective | |
Monitor all outbound traffic from all systems. CC ID 12970 | Monitor and Evaluate Occurrences | Preventive | |
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 | Behavior | Detective | |
Monitor systems for errors and faults. CC ID 04544 | Monitor and Evaluate Occurrences | Detective | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Communicate | Corrective | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Financial institutions should implement logging and monitoring procedures for critical ICT operations to allow the detection, analysis and correction of errors. 3.5 52] | Log Management | Detective | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Establish/Maintain Documentation | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Communicate | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Communicate | Preventive | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 | Log Management | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
Protect continuous security management systems from unauthorized use. CC ID 13097 | Configuration | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Establish/Maintain Documentation | Preventive | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 | Configuration | Preventive | |
Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 | Behavior | Preventive | |
Do not intercept communications of any kind when providing a service to clients. CC ID 09985 | Behavior | Preventive | |
Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 | Technical Security | Detective | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31 Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38 Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: transactions to detect misuse of access by third parties or other entities and internal misuse of access; 3.4.5 38(b)] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive | |
Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Human Resources Management | Detective | |
Detect unauthorized access to systems. CC ID 06798 | Monitor and Evaluate Occurrences | Detective | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Audits and Risk Management | Preventive | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitor and Evaluate Occurrences | Detective | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitor and Evaluate Occurrences | Preventive | |
Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 | Technical Security | Preventive | |
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 | Technical Security | Preventive | |
Implement detonation chambers, where appropriate. CC ID 10670 | Technical Security | Preventive | |
Define and assign log management roles and responsibilities. CC ID 06311 | Establish Roles | Preventive | |
Document and communicate the log locations to the owning entity. CC ID 12047 | Log Management | Preventive | |
Make logs available for review by the owning entity. CC ID 12046 | Log Management | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Log Management | Detective | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Log Management | Preventive | |
Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
Supply each in scope asset with audit reduction and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Technical Security | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Log Management | Detective | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Investigate | Corrective | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
Document the event information to be logged in the event information log specification. CC ID 00639 | Configuration | Preventive | |
Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Log Management | Detective | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Configuration | Preventive | |
Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 | Configuration | Preventive | |
Analyze firewall logs for the correct capturing of data. CC ID 00549 | Log Management | Detective | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 | Configuration | Preventive | |
Centralize network time servers to as few as practical. CC ID 06308 | Configuration | Preventive | |
Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Communicate | Preventive | |
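The controls above on compiling component logs into one system-wide, time-correlated audit trail (CC ID 01424) and on synchronising system clocks (CC ID 01340) are two sides of the same problem: a trail is only as trustworthy as the clocks behind it. The following is an added example, not part of the EBA guidelines or of this report, written in Python. It merges three constructed log sources (a firewall writing ISO-8601 with a local offset, classic syslog from sshd with no year and no zone, and an application writing JSON with epoch milliseconds), normalises them to UTC, and applies a per-host clock skew measured against the reference time source. All hosts, addresses, users and the 45-second skew are hypothetical.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample lines; fw01, app01 and the addresses are hypothetical.
FIREWALL_LOG = [  # ISO-8601 with a +01:00 local offset
    "2024-03-05T09:00:07+01:00 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.20 dport=22",
    "2024-03-05T09:00:20+01:00 fw01 DENY src=203.0.113.7 dst=10.0.0.21 dport=3389",
]
SSHD_LOG = [  # classic syslog: no year and no zone; app01 keeps its clock in UTC
    "Mar  5 08:00:54 app01 sshd[2211]: Accepted password for alice from 203.0.113.7 port 51022 ssh2",
    "Mar  5 08:01:15 app01 sshd[2211]: pam_unix(sshd:session): session closed for user alice",
]
APP_LOG = [  # JSON with epoch milliseconds
    '{"ts": 1709625656000, "host": "app01", "event": "sudo", "user": "alice", "cmd": "/bin/cat /etc/shadow"}',
]
# Clock skew measured against the reference time source, in seconds (positive = clock runs fast).
# Hypothetical value: app01 was found to be 45 s ahead of the NTP reference.
MEASURED_SKEW = {"app01": 45}

Event = Tuple[datetime, str, str, str]  # (UTC time, host, component, message)
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_firewall(line: str) -> Event:
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts).astimezone(timezone.utc), host, "firewall", msg


def parse_sshd(line: str, year: int) -> Event:
    """Syslog carries no year: it has to be supplied from the file's context."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed syslog line: {line}")
    mon, day, hms, host, msg = m.groups()
    naive = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc), host, "sshd", msg


def parse_app(line: str) -> Event:
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["ts"] / 1000, tz=timezone.utc)
    return ts, rec["host"], "app", f"{rec['event']} user={rec['user']} cmd={rec['cmd']}"


def collect(year: int = 2024) -> List[Event]:
    """Parse all three constructed sources into one list of UTC-normalised events."""
    return ([parse_firewall(l) for l in FIREWALL_LOG]
            + [parse_sshd(l, year) for l in SSHD_LOG]
            + [parse_app(l) for l in APP_LOG])


def build_trail(events: List[Event], skew_seconds: Dict[str, int]) -> List[Tuple[str, str, str, str]]:
    """Correct each host's timestamps by its measured skew, then order by true time."""
    corrected = [(ts - timedelta(seconds=skew_seconds.get(host, 0)), host, comp, msg)
                 for ts, host, comp, msg in events]
    corrected.sort(key=lambda e: e[0])
    return [(ts.isoformat(), host, comp, msg) for ts, host, comp, msg in corrected]


if __name__ == "__main__":
    for label, skew in (("uncorrected", {}), ("skew-corrected", MEASURED_SKEW)):
        print(f"--- {label} ---")
        for ts, host, comp, msg in build_trail(collect(), skew):
            print(ts, host, comp, msg)
```

Run uncorrected, the trail shows the firewall DENY before the SSH logon it actually followed, and the sudo command after the session was closed; with the measured skew applied the causal order (accept, logon, sudo, deny, session close) is restored. The skew correction is a forensic workaround for an investigation already under way; the control is to synchronise clocks so that the correction is zero and the trail can be taken at face value.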
Define the frequency to capture and log events. CC ID 06313 | Log Management | Preventive | |
Include logging frequencies in the event logging procedures. CC ID 00642 | Log Management | Preventive | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate system performance. CC ID 00651 | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Communicate | Preventive | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Communicate | Preventive | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 | Monitor and Evaluate Occurrences | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Technical Security | Corrective | |
Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 | Establish/Maintain Documentation | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 | Monitor and Evaluate Occurrences | Corrective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Investigate | Detective | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitor and Evaluate Occurrences | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Investigate | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Investigate | Detective | |
Assess customer satisfaction. CC ID 00652 | Testing | Detective | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 | Establish/Maintain Documentation | Detective | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitor and Evaluate Occurrences | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitor and Evaluate Occurrences | Detective | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitor and Evaluate Occurrences | Detective | |
Implement file integrity monitoring. CC ID 01205 | Monitor and Evaluate Occurrences | Detective | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Technical Security | Detective | |
Monitor for software configuration updates absent authorization. CC ID 10676 | Monitor and Evaluate Occurrences | Preventive | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Technical Security | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitor and Evaluate Occurrences | Preventive | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Establish/Maintain Documentation | Preventive | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Process or Activity | Preventive | |
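The file integrity monitoring controls above (CC IDs 01205, 12096, 12090, 12091 and 12045) describe one procedure: baseline, compare, let expected changes through, report who changed what, and alert on the rest. The following is an added example in Python, not code from the EBA guidelines or from this report. It takes a SHA-256 snapshot of a directory tree, compares it with a later snapshot, and treats a change as expected only when an approved change record names the path and the file's new digest matches the digest the record promised; an approved path that ends up with different content is still reported as unauthorized. The directory, file contents, ticket numbers and the operator name are all constructed for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str], approved: Dict[str, dict]) -> List[dict]:
    """Classify every difference between two snapshots.

    approved maps a relative path to {"ticket", "by", "expected_sha256"}. A
    difference counts as approved only if the path is on the list AND the new
    digest is exactly the one the change record promised; an approved path that
    ends up with any other content is still an unauthorized modification."""
    seen_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        change = approved.get(path)
        ok = change is not None and change["expected_sha256"] == new
        findings.append({
            "path": path, "change": kind,
            "status": "approved" if ok else "unauthorized",
            "old_sha256": old, "new_sha256": new,
            "changed_by": change["by"] if ok else None,  # identity only from a verified change record
            "ticket": change["ticket"] if change else None,
            "detected_at": seen_at,
        })
    return findings


def alerts(findings: List[dict]) -> List[dict]:
    """The subset that must be raised to the responsible personnel."""
    return [f for f in findings if f["status"] == "unauthorized"]


def run_demo() -> List[dict]:
    """Constructed scenario in a temporary directory (paths, contents and names hypothetical)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc/sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (root / "etc/sudoers").write_bytes(b"root ALL=(ALL) ALL\n")
        (root / "etc/hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = snapshot(root)

        hardened = b"PermitRootLogin no\n"
        hosts_v2 = b"127.0.0.1 localhost\n10.0.0.5 intranet\n"
        approved = {  # each change record carries the digest the file must have afterwards
            "etc/sshd_config": {"ticket": "CHG-1042", "by": "ops.jane", "expected_sha256": sha256_bytes(hardened)},
            "etc/hosts": {"ticket": "CHG-1043", "by": "ops.jane", "expected_sha256": sha256_bytes(hosts_v2)},
        }
        (root / "etc/sshd_config").write_bytes(hardened)                        # exactly as approved
        (root / "etc/hosts").write_bytes(hosts_v2 + b"10.0.0.9 intranet\n")     # approved path, unexpected content
        (root / "etc/sudoers").write_bytes(b"root ALL=(ALL) ALL\nmallory ALL=(ALL) NOPASSWD: ALL\n")  # tampering
        (root / "etc/ld.so.preload").write_bytes(b"/tmp/.x.so\n")               # unexpected new file
        return compare(baseline, snapshot(root), approved)


if __name__ == "__main__":
    findings = run_demo()
    for f in findings:
        print(f"{f['status']:<12} {f['change']:<8} {f['path']:<20} by={f['changed_by']} ticket={f['ticket']}")
    print(f"{len(alerts(findings))} unauthorized change(s) to alert on")
```

Tying the allow-list to an expected digest rather than to a path or a time window is the design point: an open change ticket for a file must not become a blind spot during which any content can be written to it. The finding record keeps the old and new digests, the detection time and, for approved changes, the ticket and the person who made the change, which is the change history the reporting control asks for.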
Monitor and evaluate user account activity. CC ID 07066 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Monitor and Evaluate Occurrences | Detective | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Technical Security | Preventive | |
Log account usage to determine dormant accounts. CC ID 12118 | Log Management | Detective | |
Log account usage times. CC ID 07099 | Log Management | Detective | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitor and Evaluate Occurrences | Detective | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitor and Evaluate Occurrences | Detective | |
Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Communicate | Detective | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Log Management | Detective | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitor and Evaluate Occurrences | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
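The account-monitoring controls above (CC IDs 07066 through 14243) form one detection procedure: build a usage profile per account, log logon times, durations and source addresses, report daily on logons outside the profile's hours, on sessions that grossly exceed the profile's duration, and on credentials used from a machine not in the profile, and notify on dormant accounts. The EBA text cited at CC ID 07066 asks that at least privileged-user activity be logged and monitored and used to investigate anomalies. The following is an added example in Python, not code from the EBA guidelines or from this report. It builds profiles from a constructed baseline of logon records, evaluates a constructed observation period, and produces the daily red-flag report and the dormant-account list; the threshold for "grossly exceeded" (three times the account's mean session length) and the 30-day dormancy window are assumptions, and all users, hosts and addresses are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean
from typing import Dict, List, Set


@dataclass(frozen=True)
class Logon:
    user: str
    host: str
    src_ip: str
    start: datetime  # logon time, UTC
    minutes: int     # session duration


@dataclass
class Profile:
    hours: Set[int]      # hours of day seen in the baseline
    hosts: Set[str]      # machines the account normally logs on from
    mean_minutes: float  # typical session length


# Constructed baseline period, one record per line: user,host,src_ip,logon time,minutes
BASELINE_LOG = """\
alice,ws-alice-01,10.0.0.11,2024-02-05T08:40:00,480
alice,ws-alice-01,10.0.0.11,2024-02-06T09:02:00,500
alice,ws-alice-01,10.0.0.11,2024-02-07T08:55:00,470
bob,ws-bob-02,10.0.0.12,2024-02-05T07:30:00,450
bob,ws-bob-02,10.0.0.12,2024-02-06T08:10:00,460
carol,ws-carol-03,10.0.0.13,2024-01-10T09:00:00,420
"""
# Constructed records for the period being reported on
OBSERVED_LOG = """\
alice,ws-alice-01,10.0.0.11,2024-03-04T08:45:00,480
alice,ws-alice-01,10.0.0.11,2024-03-04T23:10:00,40
alice,srv-db-03,10.0.0.90,2024-03-05T09:05:00,1500
bob,ws-bob-02,10.0.0.12,2024-03-05T07:30:00,455
svc_backup,srv-db-03,10.0.0.90,2024-03-05T02:00:00,30
"""
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "svc_backup"}  # hypothetical directory listing


def parse_log(text: str) -> List[Logon]:
    out = []
    for line in text.strip().splitlines():
        user, host, ip, ts, mins = line.split(",")
        out.append(Logon(user, host, ip, datetime.fromisoformat(ts), int(mins)))
    return out


def build_profiles(records: List[Logon]) -> Dict[str, Profile]:
    """One usage profile per account, derived from the baseline period."""
    by_user: Dict[str, List[Logon]] = {}
    for r in records:
        by_user.setdefault(r.user, []).append(r)
    return {u: Profile({r.start.hour for r in rs}, {r.host for r in rs}, mean(r.minutes for r in rs))
            for u, rs in by_user.items()}


def evaluate(r: Logon, profiles: Dict[str, Profile], gross_factor: float = 3.0) -> List[str]:
    """Red flags for one logon judged against the account's usage profile."""
    p = profiles.get(r.user)
    if p is None:
        return ["no-profile"]  # account never seen in the baseline: review by hand
    flags = []
    if r.start.hour not in p.hours:
        flags.append("off-hours-logon")
    if r.host not in p.hosts:
        flags.append("unprofiled-host")
    if r.minutes > gross_factor * p.mean_minutes:  # assumed meaning of 'grossly exceeded'
        flags.append("excessive-duration")
    return flags


def daily_report(records: List[Logon], profiles: Dict[str, Profile]) -> dict:
    """Flagged logons grouped by calendar day, keeping the IP address used at logon."""
    report: dict = {}
    for r in records:
        flags = evaluate(r, profiles)
        if flags:
            report.setdefault(r.start.date().isoformat(), []).append((r.user, r.host, r.src_ip, flags))
    return report


def dormant_accounts(known: Set[str], records: List[Logon], as_of: date, max_idle_days: int = 30) -> List[str]:
    """Known accounts with no logon within max_idle_days of as_of (or no logon at all)."""
    last_seen: Dict[str, date] = {}
    for r in records:
        last_seen[r.user] = max(last_seen.get(r.user, date.min), r.start.date())
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in known if last_seen.get(u, date.min) < cutoff)


def run_example():
    baseline, observed = parse_log(BASELINE_LOG), parse_log(OBSERVED_LOG)
    profiles = build_profiles(baseline)
    return daily_report(observed, profiles), dormant_accounts(KNOWN_ACCOUNTS, baseline + observed, date(2024, 3, 5))


if __name__ == "__main__":
    report, dormant = run_example()
    for day in sorted(report):
        for user, host, ip, flags in report[day]:
            print(f"{day} {user:<11} {host:<12} {ip:<10} {','.join(flags)}")
    print("dormant accounts to notify on:", dormant)
```

Two points a practitioner would want from this shape: an account absent from the baseline is reported as its own flag rather than silently given an empty profile, because a never-seen account appearing on a database server at 02:00 is exactly what the control is looking for; and the profile is built from a fixed baseline window rather than updated continuously, so that an attacker's sustained misuse cannot train the profile to accept it.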
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [{be relevant}{supporting activity} Financial institutions should ensure that they continuously monitor threats and vulnerabilities relevant to their business processes, supporting functions and information assets and should regularly review the risk scenarios impacting them. 3.3.3 21 {internal threat} Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: potential internal and external threats. 3.4.5 38(c) A financial institution should appropriately monitor and mitigate risks deriving from their portfolio of ICT projects (programme management), considering also risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/or expertise. 3.6.1 62 Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Implement a fraud detection system. CC ID 13081 | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Testing | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 [For PSPs, the testing framework should also encompass the security measures relevant to (1) payment terminals and devices used for the provision of payment services, (2) payment terminals and devices used for authenticating the payment service users (PSU), and (3) devices and software provided by the PSP to the PSU to generate/receive an authentication code. 3.4.6 47] | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Testing | Detective | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 [Financial institutions should establish and implement an information security testing framework that validates the robustness and effectiveness of their information security measures and ensure that this framework considers threats and vulnerabilities, identified through threat monitoring and ICT and security risk assessment process. 3.4.6 42] | Behavior | Preventive | |
Conduct Red Team exercises, as necessary. CC ID 12131 [Based on the security threats observed and the changes made, testing should be performed to incorporate scenarios of relevant and known potential attacks. 3.4.6 48] | Technical Security | Detective | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 [The information security testing framework should ensure that tests: are carried out by independent testers with sufficient knowledge, skills and expertise in testing information security measures and who are not involved in the development of the information security measures; 3.4.6 43(a)] | Human Resources Management | Preventive | |
Test security systems and associated security procedures, as necessary. CC ID 11901 | Technical Security | Detective | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Testing | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Establish/Maintain Documentation | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Testing | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 | Testing | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Data and Information Management | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Testing | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Behavior | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Testing | Preventive | |
Define the test requirements for each testing program. CC ID 13177 [Financial institutions should ensure that tests of security measures are conducted in the event of changes to infrastructure, processes or procedures and if changes are made because of major operational or security incidents or due to the release of new or significantly changed internet-facing critical applications. 3.4.6 45] | Establish/Maintain Documentation | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Testing | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Communicate | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective | |
Scan organizational networks for rogue devices. CC ID 00536 | Testing | Detective | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
Scan the network for wireless access points. CC ID 00370 | Testing | Detective | |
Document the business need justification for authorized wireless access points. CC ID 12044 | Establish/Maintain Documentation | Preventive | |
Scan wireless networks for rogue devices. CC ID 11623 | Technical Security | Detective | |
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Testing | Detective | |
Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Technical Security | Corrective | |
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitor and Evaluate Occurrences | Corrective | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Configuration | Preventive | |
Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Configuration | Corrective | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Process or Activity | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Process or Activity | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
Define the test frequency for each testing program. CC ID 13176 [{ongoing basis} Financial institutions should perform ongoing and repeated tests of the security measures. For all critical ICT systems (paragraph 17), these tests should be performed at least on an annual basis and, for PSPs, they will be part of the comprehensive assessment of the security risks related to the payment services they provide, in accordance with Article 95(2) of PSD2. Noncritical systems should be tested regularly using a risk-based approach, but at least every 3 years. 3.4.6 44] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive | |
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Communicate | Preventive | |
Align the penetration test program with industry standards. CC ID 12469 | Establish/Maintain Documentation | Preventive | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Establish Roles | Preventive | |
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Testing | Preventive | |
Retain penetration test results according to internal policy. CC ID 10049 | Records Management | Preventive | |
Retain penetration test remediation action records according to internal policy. CC ID 11629 | Records Management | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 | Testing | Detective | |
Perform internal penetration tests, as necessary. CC ID 12471 | Technical Security | Detective | |
Perform external penetration tests, as necessary. CC ID 12470 | Technical Security | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Testing | Detective | |
Test the system for broken access controls. CC ID 01319 | Testing | Detective | |
Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective | |
Test the system for insecure communications. CC ID 00535 | Testing | Detective | |
Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective | |
Test the system for buffer overflows. CC ID 01322 | Testing | Detective | |
Test the system for injection flaws. CC ID 01323 | Testing | Detective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
Test the system for Denial of Service. CC ID 01326 | Testing | Detective | |
Test the system for insecure configuration management. CC ID 01327 | Testing | Detective | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Testing | Detective | |
Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Technical Security | Detective | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective | |
Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective | |
Repeat penetration testing, as necessary. CC ID 06860 | Testing | Detective | |
Test the system for covert channels. CC ID 10652 | Testing | Detective | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Technical Security | Preventive | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Technical Security | Detective | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Technical Security | Corrective | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Testing | Detective | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Establish/Maintain Documentation | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Testing | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Technical Security | Detective | |
Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
Perform vulnerability assessments, as necessary. CC ID 11828 | Technical Security | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 [{be commensurate with} The information security testing framework should ensure that tests: include vulnerability scans and penetration tests (including threat-led penetration testing where necessary and appropriate) commensurate to the level of risk identified with the business processes and systems. 3.4.6 43(b)] | Technical Security | Preventive | |
Test the system for insecure cryptographic storage. CC ID 11635 | Technical Security | Detective | |
Perform self-tests on cryptographic modules within the system. CC ID 06537 | Testing | Detective | |
Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Testing | Detective | |
Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Testing | Detective | |
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Configuration | Detective | |
Document and maintain test results. CC ID 17028 | Testing | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Establish/Maintain Documentation | Preventive | |
Include time information in the test results. CC ID 17105 | Establish/Maintain Documentation | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Communicate | Preventive | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Technical Security | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 | Establish/Maintain Documentation | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 [A financial institution should appropriately monitor and mitigate risks deriving from their portfolio of ICT projects (programme management), considering also risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/or expertise. 3.6.1 62] | Technical Security | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Financial institutions should monitor and seek assurance on the level of compliance of these providers with the security objectives, measures and performance targets of the financial institution. 3.2.3 9] | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [The ICT and security risk management framework should include processes in place to: report to the management body on the ICT and security risks and controls; 3.3.1 13(e)] | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Establish/Maintain Documentation | Preventive | |
Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Include transfer procedures in the log management program. CC ID 17077 | Establish/Maintain Documentation | Preventive | |
Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. 3.4.6 46] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Actionable Reports or Measurements | Preventive | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Communicate | Preventive |
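The configuration rows above (the share of systems that do not deviate from the approved standard, CC ID 02098; continuous monitoring with out-of-compliance reports, CC ID 02099; and comparison of each system with a previously established trusted baseline, CC ID 02100) can be produced by a drift check of the following shape. This is an added example, not code from the EBA guidelines or from the Unified Compliance Framework; the baseline settings, host names and observed values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed trusted baseline: setting name -> required value. In practice this is
# the approved configuration standard, version-controlled and change-managed.
TRUSTED_BASELINE: Dict[str, str] = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "auditd.enabled": "yes",
    "log.forwarding_target": "siem.internal:6514",
    "tls.min_version": "1.2",
}

# Constructed sample inventory: host -> settings collected from that host by an
# independent collector (not the host's own compliance self-report).
OBSERVED: Dict[str, Dict[str, str]] = {
    "web-01": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "auditd.enabled": "yes",
        "log.forwarding_target": "siem.internal:6514",
        "tls.min_version": "1.2",
    },
    "web-02": {  # root login enabled, old TLS, log forwarding not configured
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "yes",
        "auditd.enabled": "yes",
        "tls.min_version": "1.0",
    },
    "db-01": {  # auditing switched off
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "auditd.enabled": "no",
        "log.forwarding_target": "siem.internal:6514",
        "tls.min_version": "1.2",
    },
}


@dataclass
class Deviation:
    host: str
    setting: str
    expected: str
    actual: Optional[str]  # None: the setting is absent from the collected config


def compare_to_baseline(host: str, observed: Dict[str, str],
                        baseline: Dict[str, str]) -> List[Deviation]:
    """Every baseline setting must be present with exactly the expected value.
    A missing setting is reported as a deviation, never as a pass."""
    deviations = []
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual != expected:
            deviations.append(Deviation(host, setting, expected, actual))
    return deviations


def drift_report(inventory: Dict[str, Dict[str, str]],
                 baseline: Dict[str, str]) -> Dict[str, List[Deviation]]:
    """Compare every host in the inventory with the trusted baseline."""
    return {host: compare_to_baseline(host, cfg, baseline)
            for host, cfg in inventory.items()}


def percent_compliant(report: Dict[str, List[Deviation]]) -> float:
    """Share of systems with no deviation from the standard (CC ID 02098)."""
    if not report:
        return 0.0
    compliant = sum(1 for devs in report.values() if not devs)
    return round(100.0 * compliant / len(report), 1)


def out_of_compliance_lines(report: Dict[str, List[Deviation]]) -> List[str]:
    """Flat lines for the out-of-compliance report or alarm (CC ID 02099)."""
    lines = []
    for host, devs in sorted(report.items()):
        for d in devs:
            shown = "<missing>" if d.actual is None else d.actual
            lines.append(f"{host}: {d.setting} expected={d.expected} actual={shown}")
    return lines


if __name__ == "__main__":
    report = drift_report(OBSERVED, TRUSTED_BASELINE)
    print(f"compliant: {percent_compliant(report)}%")
    for line in out_of_compliance_lines(report):
        print(line)
```

The comparison is deliberately strict in both directions that matter for the metric: a setting missing from a host counts as a deviation, and the expected values come from the baseline rather than from anything the host reports about itself. Settings present on a host but not in the baseline are not flagged, because the baseline defines the mandatory set, not an exhaustive one.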
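For the log management rows above (refraining from recording unnecessary restricted data, CC ID 06318; preserving the identity of individuals in audit trails, CC ID 10594; protecting logs from unauthorized activity, CC ID 01345; and testing and validating logs, CC ID 06322), the following is an added example, not code from the guidelines or from the Unified Compliance Framework. The integrity key, the field names treated as restricted, the card-number pattern and the sample events are assumptions made for the example.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, List, Tuple

# Assumed integrity key. In practice it is held by the log management
# infrastructure, not by the host that emits the records (example value only).
LOG_MAC_KEY = b"example-only-log-integrity-key"

# Event fields that are restricted data and must never be logged verbatim.
RESTRICTED_FIELDS = {"password", "pin", "card_number", "session_token"}

# Candidate card numbers inside free text: 13-19 digits with optional space or
# hyphen separators, confirmed with a Luhn check to limit false positives.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
GENESIS = "0" * 64  # anchor for the first record's "prev" link


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum used to confirm that a digit run is a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_pan(match: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    return "[REDACTED-PAN]" if _luhn_ok(digits) else match.group(0)


def redact(event: Dict) -> Dict:
    """Mask restricted fields and card numbers; keep every other field."""
    clean = {}
    for key, value in event.items():
        if key.lower() in RESTRICTED_FIELDS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, str):
            clean[key] = PAN_RE.sub(_redact_pan, value)
        else:
            clean[key] = value
    return clean


def _canonical(body: Dict) -> bytes:
    # Deterministic serialisation so the verifier reproduces the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    """Append-only log where each record authenticates its predecessor."""

    def __init__(self, key: bytes):
        self._key = key
        self._prev = GENESIS
        self.records: List[Dict] = []

    def append(self, actor: str, event: Dict) -> Dict:
        # The acting identity stays in clear; only restricted data is masked.
        body = {
            "seq": len(self.records),
            "actor": actor,
            "event": redact(event),
            "prev": self._prev,
        }
        body["mac"] = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.records.append(body)
        self._prev = body["mac"]
        return body


def verify_chain(records: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # record removed, reordered or inserted
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(rec.get("mac", ""))):
            return False, i  # record contents or MAC altered
        prev = rec["mac"]
    return True, -1


if __name__ == "__main__":
    log = ChainedLog(LOG_MAC_KEY)
    log.append("alice", {"action": "login", "password": "hunter2"})
    log.append("bob", {"action": "payment", "note": "card 4111 1111 1111 1111 declined"})
    print(json.dumps(log.records, indent=1))
    print("intact:", verify_chain(log.records, LOG_MAC_KEY))
    tampered = [dict(r) for r in log.records]
    tampered[0]["actor"] = "mallory"
    print("after edit:", verify_chain(tampered, LOG_MAC_KEY))
```

Each record carries the MAC of its predecessor, so editing, reordering or deleting a record in the middle of the chain fails verification at that index. Truncation of the most recent records is only detectable if the latest MAC is also held outside the emitting host, which is one reason the rows above ask for logs to be copied onto a separate log management infrastructure and for access to them to be restricted; the verification key belongs there as well, not on the host that writes the records.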
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [Financial institutions should establish a sound business continuity management (BCM) process to maximise their abilities to provide services on an ongoing basis and to limit losses in the event of severe business disruption in line with Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance (EBA/GL/2017/11). 3.7 77] | Establish/Maintain Documentation | Preventive | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Testing | Detective | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Investigate | Detective | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Investigate | Detective | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Systems Continuity | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 | Establish/Maintain Documentation | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Communicate | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Establish/Maintain Documentation | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Establish/Maintain Documentation | Preventive | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Establish/Maintain Documentation | Preventive | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Establish/Maintain Documentation | Preventive | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Establish/Maintain Documentation | Preventive | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Establish/Maintain Documentation | Preventive | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Establish/Maintain Documentation | Preventive | |
Include data recovery in the business continuity testing strategy. CC ID 13262 | Establish/Maintain Documentation | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Establish/Maintain Documentation | Preventive | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Testing | Detective | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Establish/Maintain Documentation | Preventive | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Systems Continuity | Detective | |
Include network security in the scope of the continuity framework. CC ID 16327 | Establish/Maintain Documentation | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Establish/Maintain Documentation | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: 3.4.4 36] | Establish/Maintain Documentation | Preventive | |
Include business units in the scope of the continuity framework. CC ID 11898 | Establish/Maintain Documentation | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Establish/Maintain Documentation | Preventive | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 | Systems Continuity | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Systems Continuity | Preventive | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Establish/Maintain Documentation | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Establish/Maintain Documentation | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Establish/Maintain Documentation | Preventive | |
Include Quality Management in the continuity framework. CC ID 12239 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 | Establish/Maintain Documentation | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 | Establish/Maintain Documentation | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Establish Roles | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Systems Continuity | Preventive | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Establish/Maintain Documentation | Preventive | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Systems Continuity | Corrective | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Communicate | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 [Financial institutions should ensure that their ICT systems and ICT services are designed and aligned with their BIA, for example with redundancy of certain critical components to prevent disruptions caused by events impacting those components. 3.7.1 79] | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{put in place} Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a system or process must be restored after an incident) and a recovery point objective (RPO, the maximum time period during which it is acceptable for data to be lost in the event of an incident). In cases of severe business disruption that trigger specific business continuity plans, financial institutions should prioritise business continuity actions using a risk-based approach, which can be based on the risk assessments carried out under Section 3.3.3. For PSPs this may include, for example, facilitating the further processing of critical transactions while remediation efforts continue. 3.7.2 81 {Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80 BCPs should be updated at least annually, based on testing results, current threat intelligence and lessons learned from previous events. Any changes in recovery objectives (including RTOs and RPOs) and/or changes in business functions, supporting processes and information assets, should also be considered, where relevant, as a basis for updating the BCPs. 3.7.4 88] | Establish/Maintain Documentation | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Communicate | Corrective | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Systems Continuity | Corrective | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Establish/Maintain Documentation | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial institution should describe how the continuity of ICT systems and services, as well as the financial institution's information security, are ensured. 3.7.2 82] | Establish/Maintain Documentation | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial institution should describe how the continuity of ICT systems and services, as well as the financial institution's information security, are ensured. 3.7.2 82] | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be updated in line with lessons learned from incidents, tests, new risks identified and threats, and changed recovery objectives and priorities. 3.7.3 84(c) {business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b) {Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Establish/Maintain Documentation | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [{off-site storage}{secure storage} Financial institutions should ensure that data and ICT system backups are stored securely and are sufficiently remote from the primary site so they are not exposed to the same risks. 3.5 58] | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: 3.7.3 84 {response and recovery plan}{be infeasible} The plans should also consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics or unforeseen circumstances. 3.7.3 85 {put in place} Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a system or process must be restored after an incident) and a recovery point objective (RPO, the maximum time period during which it is acceptable for data to be lost in the event of an incident). In cases of severe business disruption that trigger specific business continuity plans, financial institutions should prioritise business continuity actions using a risk-based approach, which can be based on the risk assessments carried out under Section 3.3.3. For PSPs this may include, for example, facilitating the further processing of critical transactions while remediation efforts continue. 3.7.2 81 The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83 The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Communicate | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Establish/Maintain Documentation | Preventive | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Systems Continuity | Detective | |
Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 | Configuration | Preventive | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Configuration | Preventive | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Physical and Environmental Protection | Preventive | |
Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Physical and Environmental Protection | Preventive | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Configuration | Preventive | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Physical and Environmental Protection | Preventive | |
Install electrical grounding equipment. CC ID 06359 | Physical and Environmental Protection | Preventive | |
Implement redundancy in life-safety systems. CC ID 02228 | Physical and Environmental Protection | Preventive | |
Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Establish/Maintain Documentation | Preventive | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Establish/Maintain Documentation | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Establish/Maintain Documentation | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Establish/Maintain Documentation | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Establish/Maintain Documentation | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 | Establish/Maintain Documentation | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Establish/Maintain Documentation | Preventive | |
Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Establish/Maintain Documentation | Detective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
Review and prioritize the importance of each business process. CC ID 11689 | Establish/Maintain Documentation | Preventive | |
Document the mean time to failure for system components. CC ID 10684 | Systems Continuity | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Configuration | Corrective | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Establish/Maintain Documentation | Preventive | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Process or Activity | Corrective | |
Define and prioritize critical business records. CC ID 11687 | Establish/Maintain Documentation | Preventive | |
Identify all critical business records. CC ID 00737 | Records Management | Detective | |
Include the protection of personnel in the continuity plan. CC ID 06378 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 | Establish/Maintain Documentation | Detective | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Human Resources Management | Preventive | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Behavior | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 | Establish/Maintain Documentation | Detective | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Establish/Maintain Documentation | Preventive | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Establish/Maintain Documentation | Preventive | |
Include workstation continuity procedures in the continuity plan. CC ID 01378 | Establish/Maintain Documentation | Preventive | |
Include server continuity procedures in the continuity plan. CC ID 01379 | Establish/Maintain Documentation | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Data and Information Management | Preventive | |
Include near-line capabilities in the continuity plan. CC ID 01383 | Establish/Maintain Documentation | Preventive | |
Include online capabilities in the continuity plan. CC ID 11690 | Establish/Maintain Documentation | Preventive | |
Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Establish/Maintain Documentation | Preventive | |
Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Establish/Maintain Documentation | Preventive | |
Include system continuity procedures in the continuity plan. CC ID 01268 | Establish/Maintain Documentation | Preventive | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Establish/Maintain Documentation | Detective | |
Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Establish/Maintain Documentation | Preventive | |
Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Establish/Maintain Documentation | Preventive | |
Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Establish/Maintain Documentation | Preventive | |
Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Testing | Detective | |
Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Testing | Detective | |
Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Testing | Detective | |
Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Establish/Maintain Documentation | Preventive | |
Include evacuation procedures in the continuity plan. CC ID 12773 | Systems Continuity | Preventive | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Physical and Environmental Protection | Corrective | |
Designate an alternate facility in the continuity plan. CC ID 00742 | Establish/Maintain Documentation | Detective | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Physical and Environmental Protection | Preventive | |
Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Establish/Maintain Documentation | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Establish/Maintain Documentation | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Systems Continuity | Preventive | |
Determine which data elements to back up. CC ID 13483 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Data and Information Management | Detective | |
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Communicate | Preventive | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Physical and Environmental Protection | Preventive | |
Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Testing | Detective | |
Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Configuration | Preventive | |
Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Establish/Maintain Documentation | Preventive | |
Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Systems Continuity | Detective | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 | Data and Information Management | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 | Data and Information Management | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Data and Information Management | Preventive | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Systems Continuity | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
Perform backup procedures for in scope systems. CC ID 11692 | Process or Activity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
Back up all records. CC ID 11974 | Systems Continuity | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Establish/Maintain Documentation | Preventive | |
Encrypt backup data. CC ID 00958 | Configuration | Preventive | |
Log the execution of each backup. CC ID 00956 | Establish/Maintain Documentation | Preventive | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Testing | Detective | |
Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Testing | Detective | |
Test each restored system for media integrity and information integrity. CC ID 01920 | Testing | Detective | |
Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Testing | Corrective | |
Digitally sign disk images, as necessary. CC ID 06814 | Establish/Maintain Documentation | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [{internal stakeholder}{timely manner} In the event of a disruption or emergency, and during the implementation of the BCPs, financial institutions should ensure that they have effective crisis communication measures in place so that all relevant internal and external stakeholders, including the competent authorities when required by national regulations, and also relevant providers (outsourcing providers, group entities, or third party providers) are informed in a timely and appropriate manner. 3.7.5 91] | Establish/Maintain Documentation | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Establish/Maintain Documentation | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Establish/Maintain Documentation | Preventive | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Log Management | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Communicate | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Communicate | Corrective | |
Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Testing | Detective | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Acquisition/Sale of Assets or Services | Preventive | |
Minimize system continuity requirements. CC ID 00753 | Establish/Maintain Documentation | Preventive | |
Include purchasing insurance in the continuity plan. CC ID 00762 | Establish/Maintain Documentation | Preventive | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Acquisition/Sale of Assets or Services | Preventive | |
Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Acquisition/Sale of Assets or Services | Preventive | |
Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Business Processes | Detective | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Business Processes | Detective | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Establish/Maintain Documentation | Detective | |
Validate information security continuity controls regularly. CC ID 12008 | Systems Continuity | Preventive | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Communicate | Preventive | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [{business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b)] | Establish/Maintain Documentation | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 [{periodic testing} Financial institutions should test their BCPs periodically. In particular, they should ensure that the BCPs of their critical business functions, supporting processes, information assets and their interdependencies (including those provided by third parties, where applicable) are tested at least annually, in accordance with paragraph 89. 3.7.4 87] | Testing | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Establish/Maintain Documentation | Preventive | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Establish/Maintain Documentation | Preventive | |
Include test scripts in the continuity test plan. CC ID 14875 | Establish/Maintain Documentation | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Establish/Maintain Documentation | Preventive | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Establish/Maintain Documentation | Preventive | |
Include contact information in the continuity test plan. CC ID 14399 | Establish/Maintain Documentation | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 | Establish/Maintain Documentation | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 | Establish/Maintain Documentation | Preventive | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Establish/Maintain Documentation | Preventive | |
Include the risk assessment results in the continuity test plan. CC ID 17205 | Establish/Maintain Documentation | Preventive | |
Include the business impact analysis test results in the continuity test plan. CC ID 17204 | Establish/Maintain Documentation | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{ability} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: 3.7.4 89] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include procedures to verify the ability of their staff and contractors, ICT systems and ICT services to respond adequately to the scenarios defined in paragraph 89(a). 3.7.4 89(c)] | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [{switch} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs (as well as testing of services provided by third parties, where applicable); this should include the switch-over of critical business functions, supporting processes and information assets to the disaster recovery environment and demonstrating that they can be run in this way for a sufficiently representative period of time and that normal functioning can be restored afterwards; 3.7.4 89(a)] | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Testing | Preventive | |
Review all third parties' continuity plan test results. CC ID 01365 | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Actionable Reports or Measurements | Preventive | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 | Testing | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Communicate | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [{switch} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs (as well as testing of services provided by third parties, where applicable); this should include the switch-over of critical business functions, supporting processes and information assets to the disaster recovery environment and demonstrating that they can be run in this way for a sufficiently representative period of time and that normal functioning can be restored afterwards; 3.7.4 89(a)] | Testing | Detective | |
Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Document the organization's business processes. CC ID 13035 [Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50] | Establish/Maintain Documentation | Detective | |
Correlate business processes and applications. CC ID 16300 | Business Processes | Preventive | |
Disseminate and communicate the business process documentation to interested personnel and affected parties. CC ID 13038 | Communicate | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Behavior | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Process or Activity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Process or Activity | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 | Establish/Maintain Documentation | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Process or Activity | Preventive | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Establish/Maintain Documentation | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Establish/Maintain Documentation | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Establish/Maintain Documentation | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: logical security (Section 3.4.2); 3.4.1 30(b)] | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: ICT operations security (Section 3.4.4); 3.4.1 30(d) Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50] | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: physical security (Section 3.4.3); 3.4.1 30(c)] | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: security monitoring (Section 3.4.5); 3.4.1 30(e)] | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Communicate | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Communicate | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: organisation and governance in accordance with paragraphs 10 and 11; 3.4.1 30(a)] | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: 3.4.1 30 Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: 3.4.4 36 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: information security reviews, assessment and testing (Section 3.4.6); 3.4.1 30(f)] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Business Processes | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Establish/Maintain Documentation | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: clear information security objectives, focusing on ICT systems and ICT services, staff and processes. 3.2.2 5(c) Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [{establish} The management body has overall accountability for setting, approving and overseeing the implementation of financial institutions' ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. 3.2.1 4] | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Communicate | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Communicate | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Establish/Maintain Documentation | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Establish/Maintain Documentation | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Communicate | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Communicate | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Establish/Maintain Documentation | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Establish/Maintain Documentation | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Process or Activity | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Process or Activity | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Establish/Maintain Documentation | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Communicate | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Communicate | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Establish/Maintain Documentation | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Communicate | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Establish/Maintain Documentation | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Business Processes | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Behavior | Detective | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Process or Activity | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Process or Activity | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Process or Activity | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Process or Activity | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Process or Activity | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Process or Activity | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Business Processes | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Communicate | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Communicate | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Establish/Maintain Documentation | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Establish/Maintain Documentation | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Establish/Maintain Documentation | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Communicate | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Business Processes | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Data and Information Management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Establish/Maintain Documentation | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Establish/Maintain Documentation | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Establish/Maintain Documentation | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Communicate | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{internal organization} All financial institutions should comply with the provisions set out in these guidelines in such a way that is proportionate to, and takes account of, the financial institutions' size, their internal organisation, and the nature, scope, complexity and riskiness of the services and products that the financial institutions provide or intend to provide. 3.1 1] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Business Processes | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Establish/Maintain Documentation | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Human Resources Management | Preventive | |
Define the requirements for where assets can be located. CC ID 17051 | Business Processes | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Business Processes | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
Define integrity controls. CC ID 01909 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: ensuring that mechanisms are in place to verify the integrity of software, firmware and data; 3.4.4 36(e)] | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Establish Roles | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Establish/Maintain Documentation | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Financial institutions should define and implement measures to mitigate identified ICT and security risks and to protect information assets in accordance with their classification. 3.3.4 23 Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of protection of endpoints including servers, workstations and mobile devices; financial institutions should evaluate whether endpoints meet the security standards defined by them before they are granted access to the corporate network; 3.4.4 36(d)] | Establish Roles | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Configuration | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50 The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attacks. 3.5 54 Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attacks. 3.5 54 Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Establish/Maintain Documentation | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Establish/Maintain Documentation | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Establish/Maintain Documentation | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Process or Activity | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Establish/Maintain Documentation | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Establish/Maintain Documentation | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Technical Security | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Human Resources Management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Data and Information Management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Data and Information Management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Data and Information Management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Establish/Maintain Documentation | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Establish/Maintain Documentation | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Establish/Maintain Documentation | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Establish/Maintain Documentation | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 [{internal system} In addition, financial institutions should identify, establish and maintain updated mapping of the information assets supporting their business functions and supporting processes, such as ICT systems, staff, contractors, third parties and dependencies on other internal and external systems and processes, to be able to, at least, manage the information assets that support their critical business functions and processes. 3.3.2 16] | Establish/Maintain Documentation | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Establish/Maintain Documentation | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Establish/Maintain Documentation | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Establish/Maintain Documentation | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Establish/Maintain Documentation | Preventive | |
Automate software license monitoring, as necessary. CC ID 07057 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Establish/Maintain Documentation | Preventive | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Testing | Detective | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Behavior | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Data and Information Management | Preventive | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Configuration | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Acquisition/Sale of Assets or Services | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Establish/Maintain Documentation | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Establish/Maintain Documentation | Preventive | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 | Business Processes | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Establish/Maintain Documentation | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Establish/Maintain Documentation | Preventive | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Maintenance | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Maintenance | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Maintenance | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Maintenance | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Establish/Maintain Documentation | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Communicate | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Physical and Environmental Protection | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Behavior | Preventive | |
Use system components only when third party support is available. CC ID 10644 | Maintenance | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Process or Activity | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Maintenance | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Physical and Environmental Protection | Detective | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Technical Security | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Configuration | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Technical Security | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Technical Security | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
Conduct maintenance with authorized personnel. CC ID 01434 | Testing | Detective | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Behavior | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Establish/Maintain Documentation | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Acquisition/Sale of Assets or Services | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Behavior | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Technical Security | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Technical Security | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Testing | Detective | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Establish/Maintain Documentation | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Business Processes | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Communicate | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Business Processes | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Establish/Maintain Documentation | Preventive | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Testing | Detective | |
Review each system's operational readiness. CC ID 06275 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 [{payment service user} PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. 3.8 98] | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities in the customer service program. CC ID 13911 | Human Resources Management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [{operational incident} Financial institutions should establish and implement an incident and problem management process to monitor and log operational and security ICT incidents and to enable financial institutions to continue or resume, in a timely manner, critical business functions and processes when disruptions occur. Financial institutions should determine appropriate criteria and thresholds for classifying events as operational or security incidents, as set out in the 'Definitions' section of these guidelines, as well as early warning indicators that should serve as alerts to enable early detection of these incidents. Such criteria and thresholds, for PSPs, are without prejudice to the classification of major incidents in accordance with Article 96 of PSD2 and the Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10). 3.5.1 59] | Business Processes | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: the roles and responsibilities for different incident scenarios (e.g. errors, malfunctioning, cyber-attacks); 3.5.1 60(b)] | Human Resources Management | Preventive | |
Define the uses and capabilities of the Incident Management program. CC ID 00854 | Establish/Maintain Documentation | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Establish/Maintain Documentation | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Establish/Maintain Documentation | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [{operational incident} Financial institutions should establish and implement an incident and problem management process to monitor and log operational and security ICT incidents and to enable financial institutions to continue or resume, in a timely manner, critical business functions and processes when disruptions occur. Financial institutions should determine appropriate criteria and thresholds for classifying events as operational or security incidents, as set out in the 'Definitions' section of these guidelines, as well as early warning indicators that should serve as alerts to enable early detection of these incidents. Such criteria and thresholds, for PSPs, are without prejudice to the classification of major incidents in accordance with Article 96 of PSD2 and the Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10). 3.5.1 59] | Establish/Maintain Documentation | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: the procedures to identify, track, log, categorise and classify incidents according to a priority, based on business criticality; 3.5.1 60(a) Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Establish/Maintain Documentation | Preventive | |
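The two passages cited above (3.5.1 59 and 60(a)) require criteria and thresholds that separate an event from an operational or security incident, early warning indicators that alert before the incident threshold is reached, and classification by priority driven by business criticality. The following is an added example of how that classification step can be expressed in code; it is illustrative code written for this page, not part of the EBA guidelines or of the UCF mapping. The asset criticality tiers, the signal thresholds, the 300-second window and the event records are all constructed assumptions, and the thresholds say nothing about PSD2 major-incident classification, which the guidelines treat separately.

```python
"""Threshold-based event classification with early-warning indicators.

Added illustration for this page. Asset tiers, thresholds, window length
and events are constructed assumptions, not values from the guidelines.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed business-criticality tier per ICT asset (1 = most critical).
ASSET_CRITICALITY = {
    "payments-core": 1,
    "online-banking": 1,
    "hr-portal": 3,
}

# Assumed thresholds per signal: (category, early-warning level, incident level).
# A counter that reaches warn_at raises an early warning; reaching incident_at
# classifies the events as an incident of the given category.
THRESHOLDS = {
    "auth_failure": ("security", 5, 20),
    "malware_detected": ("security", 1, 1),
    "service_error": ("operational", 10, 50),
}


@dataclass
class Event:
    ts: int           # seconds on a constructed timeline
    asset: str
    signal: str
    count: int = 1


@dataclass
class Finding:
    asset: str
    signal: str
    category: str     # "security" or "operational"
    level: str        # "early_warning" or "incident"
    priority: str     # "P1".."P3", derived from business criticality
    observed: int     # peak count seen inside one window


def priority_for(asset):
    # Unknown assets are treated as least critical until inventoried.
    tier = ASSET_CRITICALITY.get(asset, 3)
    return f"P{tier}"


def peak_in_window(items, window):
    """Largest total count of (ts, count) pairs inside any span of `window` seconds."""
    items = sorted(items)
    best = total = left = 0
    for right, (ts, count) in enumerate(items):
        total += count
        while ts - items[left][0] > window:
            total -= items[left][1]
            left += 1
        best = max(best, total)
    return best


def classify(events, window=300):
    """Aggregate events per (asset, signal) and return one Finding per key
    at the highest level reached, ordered by priority, incidents first."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.asset, e.signal)].append((e.ts, e.count))
    findings = []
    for (asset, signal), items in buckets.items():
        if signal not in THRESHOLDS:
            continue  # still logged upstream, but no classification rule exists
        category, warn_at, incident_at = THRESHOLDS[signal]
        peak = peak_in_window(items, window)
        if peak >= incident_at:
            level = "incident"
        elif peak >= warn_at:
            level = "early_warning"
        else:
            continue
        findings.append(Finding(asset, signal, category, level, priority_for(asset), peak))
    findings.sort(key=lambda f: (f.priority, f.level != "incident"))
    return findings


# Constructed event stream: a brute-force pattern on two assets, one malware
# hit, a slow trickle of service errors and one burst of service errors.
SAMPLE_EVENTS = [
    *[Event(100 + i * 20, "online-banking", "auth_failure") for i in range(6)],
    *[Event(500 + i * 10, "hr-portal", "auth_failure") for i in range(25)],
    Event(900, "payments-core", "malware_detected"),
    *[Event(1000 + i * 240, "payments-core", "service_error") for i in range(30)],
    *[Event(20000 + i * 20, "payments-core", "service_error") for i in range(12)],
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.priority} {f.level:<14} {f.category:<12} {f.asset:<15} {f.signal} x{f.observed}")
```

The 30 service errors spread four minutes apart never exceed two inside a window, so they produce nothing, while the burst of 12 crosses the early-warning level; the 25 failed logins on the low-criticality portal are a security incident but sort below the P1 findings, which is the business-criticality ordering the guideline asks for.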
Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 | Process or Activity | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Monitor and Evaluate Occurrences | Detective | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: collaborate with relevant stakeholders to effectively respond to and recover from the incident; 3.5.1 60(f)(i)] | Process or Activity | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Testing | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [the management body is informed on an ad hoc basis in the event of significant incidents and, at least, informed of the impact, the response and the additional controls to be defined as a result of the incidents. 3.5.1 60(d)(ii) To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: provide timely information to external parties (e.g. customers, other market participants, the supervisory authority) as appropriate and in line with an applicable regulation. 3.5.1 60(f)(ii)] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 [{payment service user} PSPs should provide PSUs with the option to receive alerts on initiated and/or failed attempts to initiate payment transactions, enabling them to detect fraudulent or malicious use of their accounts. 3.8 96] | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 [{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Establish/Maintain Documentation | Preventive | |
Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
Include incident response procedures in the Incident Management program. CC ID 01218 | Establish/Maintain Documentation | Preventive | |
Integrate configuration management procedures into the incident management program. CC ID 13647 | Technical Security | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
Conduct incident investigations, as necessary. CC ID 13826 | Process or Activity | Detective | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
Destroy investigative materials, as necessary. CC ID 17082 | Data and Information Management | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Records Management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [{ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Establish/Maintain Documentation | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
Include emergency processing priorities in the Incident Management program. CC ID 00859 | Establish/Maintain Documentation | Preventive | |
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Establish/Maintain Documentation | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [incidents with a potentially high adverse impact on critical ICT systems and ICT services are reported to the relevant senior management and ICT senior management; 3.5.1 60(d)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Communicate | Preventive | |
Establish, implement, and maintain a customer service business function. CC ID 00847 | Business Processes | Preventive | |
Permit authorized individuals to accompany consumers at the organization's place of business. CC ID 16959 | Business Processes | Preventive | |
Confirm the customer agrees with the resolution process associated with the complaint. CC ID 13630 | Communicate | Detective | |
Document the resolution of issues reported to customer service. CC ID 12918 | Establish/Maintain Documentation | Preventive | |
Provide and display incident management contact information to customers. CC ID 06386 [{payment service user} PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. 3.8 98] | Establish/Maintain Documentation | Corrective | |
Investigate and take action regarding help desk queries. CC ID 06324 | Behavior | Corrective | |
Log help desk queries. CC ID 00848 | Log Management | Preventive | |
Establish, implement, and maintain help desk query escalation procedures. CC ID 00849 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain help desk query clearance procedures. CC ID 00850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain help desk query trend analysis procedures. CC ID 00851 | Establish/Maintain Documentation | Preventive | |
Provide customer security advice, as necessary. CC ID 13674 | Communicate | Preventive | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Communicate | Preventive | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Communicate | Preventive | |
Display customer security advice prominently. CC ID 13667 | Establish/Maintain Documentation | Preventive | |
Review and update security advice for customers, as necessary. CC ID 06868 | Establish/Maintain Documentation | Preventive | |
Compare customer security advice with industry peers. CC ID 06869 | Business Processes | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Create an incident response report. CC ID 12700 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Establish/Maintain Documentation | Preventive | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Establish/Maintain Documentation | Preventive | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Establish/Maintain Documentation | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Establish/Maintain Documentation | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Establish/Maintain Documentation | Preventive | |
Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Establish/Maintain Documentation | Preventive | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Establish/Maintain Documentation | Preventive | |
Include investments associated with the incident in the incident response report. CC ID 12726 | Establish/Maintain Documentation | Preventive | |
Include costs associated with the incident in the incident response report. CC ID 12725 | Establish/Maintain Documentation | Preventive | |
Include losses due to the incident in the incident response report. CC ID 12724 | Establish/Maintain Documentation | Preventive | |
Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Establish/Maintain Documentation | Preventive | |
Include foregone revenue from the incident in the incident response report. CC ID 12723 | Establish/Maintain Documentation | Preventive | |
Include the magnitude of the incident in the incident response report. CC ID 12722 | Establish/Maintain Documentation | Preventive | |
Include implications of the incident in the incident response report. CC ID 12721 | Establish/Maintain Documentation | Preventive | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Establish/Maintain Documentation | Preventive | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Establish/Maintain Documentation | Preventive | |
Include information on all affected assets in the incident response report. CC ID 12718 | Establish/Maintain Documentation | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 | Establish/Maintain Documentation | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the incident response report. CC ID 12715 | Establish/Maintain Documentation | Preventive | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Establish/Maintain Documentation | Preventive | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 | Establish/Maintain Documentation | Preventive | |
Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Establish/Maintain Documentation | Preventive | |
Include lessons learned from the incident in the incident response report. CC ID 12713 | Establish/Maintain Documentation | Preventive | |
Include where the incident occurred in the incident response report. CC ID 12710 | Establish/Maintain Documentation | Preventive | |
Include when the incident occurred in the incident response report. CC ID 12709 | Establish/Maintain Documentation | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Establish/Maintain Documentation | Preventive | |
Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Establish/Maintain Documentation | Preventive | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Establish/Maintain Documentation | Preventive | |
Include an executive summary of the incident in the incident response report. CC ID 12702 | Establish/Maintain Documentation | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Establish/Maintain Documentation | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Communicate | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Establish/Maintain Documentation | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: 3.5.1 60(f)] | Establish/Maintain Documentation | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 [{business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {be operational}{be secure} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: incident response procedures to mitigate the impacts related to the incidents and to ensure that the service becomes operational and secure in a timely manner; 3.5.1 60(e)] | Establish/Maintain Documentation | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
Establish, implement, and maintain a performance management standard. CC ID 01615 | Establish/Maintain Documentation | Preventive | |
Use proactive performance management. CC ID 00937 [Financial institutions should ensure that performance of their ICT operations is aligned to their business requirements. Financial institutions should maintain and improve, when possible, efficiency of their ICT operations, including but not limited to the need to consider how to minimise potential errors arising from the execution of manual tasks. 3.5 51] | Business Processes | Detective | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Establish/Maintain Documentation | Preventive | |
Identify and allocate departmental costs. CC ID 00871 | Business Processes | Detective | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3] | Establish/Maintain Documentation | Detective | |
Review and approve the Information Technology budget. CC ID 13644 | Business Processes | Corrective | |
Update the Information Technology budget, as necessary. CC ID 13643 | Business Processes | Corrective | |
Establish, implement, and maintain a change control program. CC ID 00886 [Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. changes that must be introduced as soon as possible) following procedures that provide adequate safeguards. 3.6.3 75] | Establish/Maintain Documentation | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 [A financial institution should ensure that measures are in place to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment. 3.6.2 69 {development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Maintenance | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Technical Security | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Establish/Maintain Documentation | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Establish/Maintain Documentation | Corrective | |
Manage change requests. CC ID 00887 | Business Processes | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Establish/Maintain Documentation | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 | Data and Information Management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. changes that must be introduced as soon as possible) following procedures that provide adequate safeguards. 3.6.3 75] | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 [Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial institutions' formal change management process, which should ensure that changes are properly planned, tested, documented, authorised and deployed. 3.4.4 37 Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change management process. 3.6.3 76] | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 [Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial institutions' formal change management process, which should ensure that changes are properly planned, tested, documented, authorised and deployed. 3.4.4 37 A financial institution should establish and implement an ICT project management policy that includes as a minimum: change management requirements. 3.6.1 63(f) Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change management process. 3.6.3 76] | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 [Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Technical Security | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Technical Security | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Business Processes | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Configuration | Corrective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
Patch software. CC ID 11825 | Technical Security | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Configuration | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Technical Security | Detective | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Behavior | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Data and Information Management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Business Processes | Corrective | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Testing | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Testing | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Establish/Maintain Documentation | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [Adequate measures to protect from environmental hazards should be commensurate with the importance of the buildings and the criticality of the operations or ICT systems located in these buildings. 3.4.3 35] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Communicate | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 [Financial institutions' physical security measures should be defined, documented and implemented to protect their premises, data centres and sensitive areas from unauthorised access and from environmental hazards. 3.4.3 33] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Establish/Maintain Documentation | Preventive | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Establish/Maintain Documentation | Preventive | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Establish/Maintain Documentation | Preventive | |
Conduct external audits of the physical security plan. CC ID 13314 | Audits and Risk Management | Detective | |
Establish, implement, and maintain physical security procedures. CC ID 13076 | Establish/Maintain Documentation | Preventive | |
Analyze and evaluate engineering systems. CC ID 13080 | Physical and Environmental Protection | Preventive | |
Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and Environmental Protection | Preventive | |
Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and Environmental Protection | Preventive | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Communicate | Corrective | |
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Monitor and Evaluate Occurrences | Detective | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Configuration | Preventive | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Configuration | Preventive | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Monitor and Evaluate Occurrences | Detective | |
Inspect device surfaces to detect tampering. CC ID 11868 | Investigate | Detective | |
Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Investigate | Detective | |
Inspect for tampering, as necessary. CC ID 10640 | Monitor and Evaluate Occurrences | Detective | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Communicate | Preventive | |
Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
Protect the facility from crime. CC ID 06347 | Physical and Environmental Protection | Preventive | |
Define communication methods for reporting crimes. CC ID 06349 | Establish/Maintain Documentation | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and Environmental Protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
Post and maintain security signage for all facilities. CC ID 02201 | Establish/Maintain Documentation | Preventive | |
Inspect items brought into the facility. CC ID 06341 | Physical and Environmental Protection | Preventive | |
Maintain all physical security systems. CC ID 02206 | Physical and Environmental Protection | Preventive | |
Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
Maintain all security alarm systems. CC ID 11669 | Physical and Environmental Protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Establish/Maintain Documentation | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Establish/Maintain Documentation | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Establish/Maintain Documentation | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Establish/Maintain Documentation | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Testing | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Establish/Maintain Documentation | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Log Management | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Log Management | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Log Management | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Log Management | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Log Management | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Log Management | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Establish/Maintain Documentation | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and Environmental Protection | Corrective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Establish/Maintain Documentation | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Behavior | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Behavior | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Establish/Maintain Documentation | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Business Processes | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Establish/Maintain Documentation | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and Environmental Protection | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Process or Activity | Preventive | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Configuration | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 | Testing | Detective | |
Secure unissued access mechanisms. CC ID 06713 | Technical Security | Preventive | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Establish/Maintain Documentation | Preventive | |
Change cipher lock codes, as necessary. CC ID 06651 | Technical Security | Preventive | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Establish/Maintain Documentation | Preventive | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and Environmental Protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and Environmental Protection | Preventive | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and Environmental Protection | Preventive | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and Environmental Protection | Preventive | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and Environmental Protection | Preventive | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Establish/Maintain Documentation | Preventive | |
Establish a security room, if necessary. CC ID 00738 | Physical and Environmental Protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and Environmental Protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain a visitor log. CC ID 00715 | Log Management | Preventive | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Establish/Maintain Documentation | Preventive | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Behavior | Preventive | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Log Management | Preventive | |
Record the visitor's name in the visitor log. CC ID 00557 | Log Management | Preventive | |
Record the visitor's organization in the visitor log. CC ID 12121 | Log Management | Preventive | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Log Management | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Log Management | Preventive | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Establish/Maintain Documentation | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Log Management | Preventive | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Log Management | Preventive | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Establish/Maintain Documentation | Preventive | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Log Management | Preventive | |
Log when the vault is accessed. CC ID 06725 | Log Management | Detective | |
Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
Store facility access logs in off-site storage. CC ID 06958 | Log Management | Preventive | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
Include the requestor's name in the physical access log. CC ID 16922 | Log Management | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Monitor and Evaluate Occurrences | Detective | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Monitor and Evaluate Occurrences | Detective | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Configuration | Preventive | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Configuration | Preventive | |
Retain video events according to Records Management procedures. CC ID 06304 | Records Management | Preventive | |
Monitor physical entry point alarms. CC ID 01639 | Physical and Environmental Protection | Detective | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Monitor and Evaluate Occurrences | Detective | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Establish/Maintain Documentation | Preventive | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and Environmental Protection | Preventive | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and Environmental Protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Establish Roles | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Establish/Maintain Documentation | Preventive | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and Environmental Protection | Preventive | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Configuration | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Behavior | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Behavior | Preventive | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Business Processes | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Behavior | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Behavior | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Records Management | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Records Management | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Business Processes | Preventive | |
Track restricted storage media while it is in transit. CC ID 00967 | Data and Information Management | Detective | |
Restrict physical access to distributed assets. CC ID 11865 | Physical and Environmental Protection | Preventive | |
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and Environmental Protection | Preventive | |
Protect electronic storage media with physical access controls. CC ID 00720 | Physical and Environmental Protection | Preventive | |
Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
Control access to restricted storage media. CC ID 04889 | Data and Information Management | Preventive | |
Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and Environmental Protection | Preventive | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Records Management | Preventive | |
Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
Log the transfer of removable storage media. CC ID 12322 | Log Management | Preventive | |
Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Establish/Maintain Documentation | Preventive | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Behavior | Preventive | |
Control the storage of restricted storage media. CC ID 00965 | Records Management | Preventive | |
Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and Environmental Protection | Preventive | |
Protect the combinations for all combination locks. CC ID 02199 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Establish/Maintain Documentation | Preventive | |
Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and Environmental Protection | Preventive | |
Serialize all removable storage media. CC ID 00949 | Configuration | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Communicate | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Business Processes | Preventive | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Process or Activity | Preventive | |
Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and Environmental Protection | Preventive | |
Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and Environmental Protection | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Technical Security | Preventive | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Technical Security | Preventive | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Establish/Maintain Documentation | Preventive | |
Attach asset location technologies to distributed assets. CC ID 10626 | Physical and Environmental Protection | Detective | |
Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and Environmental Protection | Preventive | |
Monitor the location of distributed assets. CC ID 11684 | Monitor and Evaluate Occurrences | Detective | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
Unpair missing Bluetooth devices. CC ID 12428 | Physical and Environmental Protection | Corrective | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Establish/Maintain Documentation | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
Secure workstations to desks with security cables. CC ID 04724 | Physical and Environmental Protection | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Communicate | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Communicate | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Establish/Maintain Documentation | Preventive | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Process or Activity | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Establish/Maintain Documentation | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Establish/Maintain Documentation | Preventive | |
Include legal requirements in the mobile device security guidelines. CC ID 12291 | Establish/Maintain Documentation | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Establish/Maintain Documentation | Preventive | |
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Establish/Maintain Documentation | Preventive | |
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Establish/Maintain Documentation | Preventive | |
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and Environmental Protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and Environmental Protection | Preventive | |
Encrypt information stored on mobile devices. CC ID 01422 | Data and Information Management | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and Environmental Protection | Preventive | |
Secure system components from unauthorized viewing. CC ID 01437 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain asset return procedures. CC ID 04537 | Establish/Maintain Documentation | Preventive | |
Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Behavior | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Behavior | Preventive | |
Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Behavior | Preventive | |
Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Behavior | Preventive | |
Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Behavior | Preventive | |
Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Configuration | Preventive | |
Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Investigate | Detective | |
Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Monitor and Evaluate Occurrences | Corrective | |
Establish, implement, and maintain open storage container procedures. CC ID 02198 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 | Technical Security | Preventive | |
Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Establish/Maintain Documentation | Preventive | |
Identify customer property within the organizational facility. CC ID 06612 | Physical and Environmental Protection | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Technical Security | Preventive | |
Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Configuration | Preventive | |
Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Technical Security | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a vehicle access program. CC ID 02216 | Establish/Maintain Documentation | Preventive | |
Establish parking requirements for vehicles. CC ID 02218 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain proper container security. CC ID 02208 | Physical and Environmental Protection | Preventive | |
Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and Environmental Protection | Detective | |
Lock closable storage containers. CC ID 06307 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Establish/Maintain Documentation | Preventive | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Business Processes | Preventive | |
Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Establish/Maintain Documentation | Preventive | |
Control the issuance of payment cards. CC ID 06403 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Establish Roles | Preventive | |
Inventory payment cards, as necessary. CC ID 13547 | Records Management | Preventive | |
Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and Environmental Protection | Preventive | |
Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and Environmental Protection | Preventive | |
Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Business Processes | Preventive | |
Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Establish/Maintain Documentation | Preventive | |
Notify customers about payment card usage security measures. CC ID 06407 | Behavior | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Establish/Maintain Documentation | Preventive | |
Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and Environmental Protection | Preventive | |
Install and protect network cabling. CC ID 08624 | Physical and Environmental Protection | Preventive | |
Control physical access to network cables. CC ID 00723 | Process or Activity | Preventive | |
Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and Environmental Protection | Preventive | |
Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and Environmental Protection | Preventive | |
Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and Environmental Protection | Detective | |
Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and Environmental Protection | Preventive | |
Install network cabling in a way that allows ease of inspection. CC ID 08626 | Physical and Environmental Protection | Preventive | |
Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and Environmental Protection | Detective | |
Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and Environmental Protection | Preventive | |
Establish and maintain security classifications for network cabling. CC ID 08627 | Establish/Maintain Documentation | Preventive | |
Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and Environmental Protection | Preventive | |
Label each end of a network cable run. CC ID 08632 | Physical and Environmental Protection | Preventive | |
Terminate approved network cables on the patch panel. CC ID 08633 | Physical and Environmental Protection | Preventive | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and Environmental Protection | Preventive | |
Establish and maintain documentation for network cabling schemes. CC ID 08641 | Establish/Maintain Documentation | Preventive | |
Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and Environmental Protection | Preventive | |
Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and Environmental Protection | Preventive | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and Environmental Protection | Preventive | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and Environmental Protection | Preventive | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and Environmental Protection | Preventive | |
Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and Environmental Protection | Preventive | |
Label network cabling outlet boxes. CC ID 08631 | Physical and Environmental Protection | Preventive | |
Enable network jacks at the patch panel, as necessary. CC ID 06305 | Configuration | Preventive | |
Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and Environmental Protection | Preventive | |
Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and Environmental Protection | Preventive | |
Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and Environmental Protection | Preventive | |
Install and maintain network patch panels. CC ID 08636 | Physical and Environmental Protection | Preventive | |
Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and Environmental Protection | Preventive | |
Assign access to network patch panels on a need-to-know basis. CC ID 08638 | Physical and Environmental Protection | Preventive | |
Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and Environmental Protection | Preventive | |
Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and Environmental Protection | Preventive | |
Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and Environmental Protection | Preventive | |
Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and Environmental Protection | Preventive | |
Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and Environmental Protection | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Records Management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Records Management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{data-in-transit} Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: encryption of data at rest and in transit (in accordance with the data classification). 3.4.4 36(f)] | Technical Security | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of secure configuration baselines of all network components; 3.4.4 36(b) Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | Establish/Maintain Documentation | Preventive | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | Establish/Maintain Documentation | Preventive | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | Establish/Maintain Documentation | Preventive | |
Include the applied security patches in the baseline configuration. CC ID 13271 | Establish/Maintain Documentation | Preventive | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | Establish/Maintain Documentation | Preventive | |
Include installed custom software in the baseline configuration. CC ID 13274 | Establish/Maintain Documentation | Preventive | |
Include network ports in the baseline configuration. CC ID 13273 | Establish/Maintain Documentation | Preventive | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Use the latest approved version of all assets. CC ID 00897 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Technical Security | Preventive | |
Install the most current Windows Service Pack. CC ID 01695 | Configuration | Preventive | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 | Configuration | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | Communicate | Preventive | |
Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | Configuration | Preventive | |
Configure user accounts. CC ID 07036 | Configuration | Preventive | |
Remove unnecessary default accounts. CC ID 01539 | Configuration | Preventive | |
Disable all unnecessary user identifiers. CC ID 02185 [{generic user account} User accountability: financial institutions should limit, as much as possible, the use of generic and shared user accounts and ensure that users can be identified for the actions performed in the ICT systems. 3.4.2 31(b)] | Configuration | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 | Configuration | Preventive | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add the logging option to the root file system. CC ID 00645 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Log Management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Financial institutions should develop and implement a process governing the acquisition, development and maintenance of ICT systems. This process should be designed using a risk-based approach. 3.6.2 67] | Systems Design, Build, and Implementation | Preventive | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Establish/Maintain Documentation | Preventive | |
Perform a feasibility study for product requests. CC ID 06895 | Acquisition/Sale of Assets or Services | Preventive | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Human Resources Management | Preventive | |
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Establish/Maintain Documentation | Preventive | |
Include information security throughout the system development life cycle. CC ID 12042 | Systems Design, Build, and Implementation | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Data and Information Management | Preventive | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Communicate | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain System Development Life Cycle documentation. CC ID 12079 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems Design, Build, and Implementation | Preventive | |
Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 | Establish/Maintain Documentation | Preventive | |
Define and document organizational structures for the System Development Life Cycle program. CC ID 12549 | Establish/Maintain Documentation | Preventive | |
Include system and network monitoring reporting lines in the System Development Life Cycle documentation. CC ID 12562 | Establish/Maintain Documentation | Preventive | |
Include system maintenance authorities in the System Development Life Cycle documentation. CC ID 12566 | Establish/Maintain Documentation | Preventive | |
Include system development reporting lines in the System Development Life Cycle documentation. CC ID 12559 | Establish/Maintain Documentation | Preventive | |
Include system design reporting lines in the System Development Life Cycle documentation. CC ID 12558 | Establish/Maintain Documentation | Preventive | |
Include system development authorities in the System Development Life Cycle documentation. CC ID 12564 | Establish/Maintain Documentation | Preventive | |
Include system design authorities in the System Development Life Cycle documentation. CC ID 12572 | Establish/Maintain Documentation | Preventive | |
Include system and network monitoring authorities in the System Development Life Cycle documentation. CC ID 12568 | Establish/Maintain Documentation | Preventive | |
Include system operation authorities in the System Development Life Cycle documentation. CC ID 12567 | Establish/Maintain Documentation | Preventive | |
Include system maintenance responsibilities in the System Development Life Cycle documentation. CC ID 12556 | Establish/Maintain Documentation | Preventive | |
Include system implementation authorities in the System Development Life Cycle documentation. CC ID 12565 | Establish/Maintain Documentation | Preventive | |
Include system and network monitoring responsibilities in the System Development Life Cycle documentation. CC ID 12557 | Establish/Maintain Documentation | Preventive | |
Include system operation responsibilities in the System Development Life Cycle documentation. CC ID 12563 | Establish/Maintain Documentation | Preventive | |
Include system maintenance reporting lines in the System Development Life Cycle documentation. CC ID 12555 | Establish/Maintain Documentation | Preventive | |
Include system operation reporting lines in the System Development Life Cycle documentation. CC ID 12561 | Establish/Maintain Documentation | Preventive | |
Include system implementation reporting lines in the System Development Life Cycle documentation. CC ID 12560 | Establish/Maintain Documentation | Preventive | |
Define and document organizational structures for system and network monitoring. CC ID 12554 | Establish/Maintain Documentation | Preventive | |
Define and document organizational structures for systems operations. CC ID 12553 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a full set of system procedures. CC ID 01074 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a physical, electrical, and logical interface specification. CC ID 01075 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user-machine interaction specification. CC ID 01076 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a processing requirements definition document. CC ID 01077 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an output requirements definition document. CC ID 01078 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a database management standard. CC ID 01079 | Establish/Maintain Documentation | Preventive | |
Compile databases to protect their structural intellectual property. CC ID 07044 | Technical Security | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 [A financial institution should ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements (including information security requirements) are clearly defined and approved by the relevant business management. 3.6.2 68] | Establish/Maintain Documentation | Preventive | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 | Systems Design, Build, and Implementation | Preventive | |
Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922 | Establish/Maintain Documentation | Detective | |
Document stakeholder requirements and how they influence system design requirements. CC ID 06925 | Establish/Maintain Documentation | Preventive | |
Document legal requirements and how they influence system design requirements. CC ID 11793 | Establish/Maintain Documentation | Preventive | |
Compare system design requirements against system design requests. CC ID 06619 | Testing | Detective | |
Resolve conflicting design and development inputs. CC ID 13703 | Process or Activity | Corrective | |
Design and develop built-in redundancies, as necessary. CC ID 13064 | Systems Design, Build, and Implementation | Preventive | |
Identify and document system design constraints. CC ID 06923 | Establish/Maintain Documentation | Preventive | |
Identify and document limitations that the implementation technology and the implementation strategy put on the system design solution. CC ID 06928 | Establish/Maintain Documentation | Preventive | |
Design resource-isolation mechanisms into the infrastructure of Software as a Service. CC ID 12348 | Systems Design, Build, and Implementation | Preventive | |
Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 | Systems Design, Build, and Implementation | Preventive | |
Identify and document system development constraints. CC ID 11698 | Establish/Maintain Documentation | Preventive | |
Identify and document the system boundaries of the system design project. CC ID 06924 | Establish/Maintain Documentation | Preventive | |
Determine if commercial off-the-shelf products meet the system design requirements. CC ID 06926 | Testing | Detective | |
Review the degree of human intervention and control points in the system design requirements. CC ID 13536 | Establish/Maintain Documentation | Detective | |
Evaluate the criticality and sensitivity of information being accessed when designing systems. CC ID 07076 | Systems Design, Build, and Implementation | Preventive | |
Include performance criteria in the system requirements specification. CC ID 11540 | Technical Security | Preventive | |
Include accommodating increases in capacity in the system requirements specification. CC ID 11562 | Technical Security | Preventive | |
Include product upgrade methodologies in the system requirements specification. CC ID 11563 | Technical Security | Preventive | |
Include the ability of products to verify their own quality in the system requirements specification. CC ID 11564 | Technical Security | Preventive | |
Include anti-counterfeit measures in the system requirements specification. CC ID 11547 | Physical and Environmental Protection | Preventive | |
Include anti-counterfeit measures that resist reverse engineering in the system requirements specification. CC ID 11548 | Physical and Environmental Protection | Preventive | |
Include anti-counterfeit measures that are apparent to anti-counterfeit authentication testing in the system requirements specification. CC ID 11549 | Physical and Environmental Protection | Preventive | |
Include anti-counterfeit measures that are interdependent between material goods and the anti-counterfeit authentication test in the system requirements specification. CC ID 11550 | Physical and Environmental Protection | Preventive | |
Include anti-counterfeit measures that allow product characteristic change detection as the result of an attack in the system requirements specification. CC ID 11551 | Physical and Environmental Protection | Preventive | |
Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 | Physical and Environmental Protection | Preventive | |
Analyze anti-counterfeit measures for their longevity. CC ID 11553 | Physical and Environmental Protection | Preventive | |
Disallow reuse of anti-counterfeit measures absent authentication. CC ID 11554 | Physical and Environmental Protection | Preventive | |
Include anti-counterfeit measures to be compatible with material goods associated with the product in the system requirements specification. CC ID 11555 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: 3.6.1 63] | Establish/Maintain Documentation | Preventive | |
Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems Design, Build, and Implementation | Preventive | |
Include objectives in the project management standard. CC ID 17202 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project program documentation standard. CC ID 00995 | Establish/Maintain Documentation | Preventive | |
Include budgeting for projects in the project management standard. CC ID 13136 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 | Establish/Maintain Documentation | Preventive | |
Formally approve the initiation of each project phase. CC ID 00997 | Systems Design, Build, and Implementation | Detective | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: a project plan, timeframe and steps; 3.6.1 63(d)] | Establish/Maintain Documentation | Preventive | |
Perform a risk assessment for each system development project. CC ID 01000 | Testing | Detective | |
Establish, implement, and maintain a project control program. CC ID 01612 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project test plan. CC ID 01001 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project team plan. CC ID 06533 | Establish/Maintain Documentation | Preventive | |
Identify accreditation tasks. CC ID 00999 | Systems Design, Build, and Implementation | Detective | |
Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project management training plan. CC ID 01002 | Establish/Maintain Documentation | Preventive | |
Conduct a post implementation review when the system design project ends. CC ID 01003 | Testing | Detective | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems Design, Build, and Implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system design specification. CC ID 04557 | Establish/Maintain Documentation | Preventive | |
Document the system architecture in the system design specification. CC ID 12287 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Establish/Maintain Documentation | Preventive | |
Include hardware requirements in the system design specification. CC ID 08666 | Establish/Maintain Documentation | Preventive | |
Include communication links in the system design specification. CC ID 08665 | Establish/Maintain Documentation | Preventive | |
Include a description of each module and asset in the system design specification. CC ID 11734 | Establish/Maintain Documentation | Preventive | |
Include supporting software requirements in the system design specification. CC ID 08664 | Establish/Maintain Documentation | Preventive | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 | Establish/Maintain Documentation | Preventive | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Establish/Maintain Documentation | Preventive | |
Include the logical data flows and process steps in the system design specification. CC ID 08668 | Establish/Maintain Documentation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 [{development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Establish/Maintain Documentation | Preventive | |
Develop new products based on secure coding techniques. CC ID 11733 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain a coding manual for secure coding techniques. CC ID 11863 | Establish/Maintain Documentation | Preventive | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Technical Security | Preventive | |
Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Technical Security | Preventive | |
Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Technical Security | Preventive | |
Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Technical Security | Preventive | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems Design, Build, and Implementation | Preventive | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Technical Security | Preventive | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Technical Security | Preventive | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Technical Security | Preventive | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems Design, Build, and Implementation | Preventive | |
Refrain from hard-coding usernames in source code. CC ID 06561 | Technical Security | Preventive | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Technical Security | Preventive | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Technical Security | Preventive | |
Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Technical Security | Preventive | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems Design, Build, and Implementation | Preventive | |
Control user account management through secure coding techniques in source code. CC ID 11909 | Technical Security | Preventive | |
Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Technical Security | Preventive | |
Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Technical Security | Preventive | |
Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Process or Activity | Preventive | |
Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 | Process or Activity | Preventive | |
Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Process or Activity | Preventive | |
Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Technical Security | Preventive | |
Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Process or Activity | Preventive | |
Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Technical Security | Preventive | |
Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems Design, Build, and Implementation | Preventive | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Configuration | Preventive | |
Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems Design, Build, and Implementation | Corrective | |
Standardize Application Programming Interfaces. CC ID 12167 | Technical Security | Preventive | |
Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Establish/Maintain Documentation | Preventive | |
Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security policy model document. CC ID 04560 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the overall system development project management roles and responsibilities. CC ID 00991 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: roles and responsibilities; 3.6.1 63(b)] | Establish Roles | Preventive | |
Assign the role of information security management as a part of developing systems. CC ID 06823 | Establish Roles | Preventive | |
Disseminate and communicate continuously and routinely regarding system development project requirements. CC ID 06899 | Behavior | Detective | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Testing | Detective | |
Evaluate system development projects for compliance with the system requirements specifications. CC ID 06903 | Systems Design, Build, and Implementation | Preventive | |
Evaluate each system development project to verify it remains feasible. CC ID 06904 | Systems Design, Build, and Implementation | Preventive | |
Cancel or suspend system development projects if the benefits do not outweigh the disadvantages. CC ID 06905 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system testing policy. CC ID 01102 | Establish/Maintain Documentation | Preventive | |
Configure the test environment similar to the production environment. CC ID 06837 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Configuration | Preventive | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Communicate | Preventive | |
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107 | Establish/Maintain Documentation | Preventive | |
Return test payment cards after their use. CC ID 06398 | Behavior | Preventive | |
Establish, implement, and maintain system testing procedures. CC ID 11744 | Establish/Maintain Documentation | Preventive | |
Restrict production data from being used in the test environment. CC ID 01103 [{development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Testing | Detective | |
Protect test data in the development environment. CC ID 12014 | Technical Security | Preventive | |
Control the test data used in the development environment. CC ID 12013 | Systems Design, Build, and Implementation | Preventive | |
Select the test data carefully. CC ID 12011 | Systems Design, Build, and Implementation | Preventive | |
Test all software changes before promoting the system to a production environment. CC ID 01106 | Testing | Detective | |
Test security functionality during the development process. CC ID 12015 | Testing | Preventive | |
Include system performance in the scope of system testing. CC ID 12624 | Process or Activity | Preventive | |
Include security controls in the scope of system testing. CC ID 12623 [Financial institutions should test ICT systems, ICT services and information security measures to identify potential security weaknesses, violations and incidents. 3.6.2 71] | Process or Activity | Preventive | |
Include business logic in the scope of system testing. CC ID 12622 | Process or Activity | Preventive | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Testing | Detective | |
Review and test source code. CC ID 01086 | Testing | Detective | |
Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Establish Roles | Preventive | |
Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Establish/Maintain Documentation | Preventive | |
Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Testing | Corrective | |
Approve all custom code test results before code is released. CC ID 06293 | Testing | Detective | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Communicate | Preventive | |
Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 | Establish/Maintain Documentation | Preventive | |
Test quality control procedures for proper implementation. CC ID 06610 | Testing | Detective | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
Perform a final system test prior to implementing a new system. CC ID 01108 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Testing | Detective | |
Involve all stakeholders in the final acceptance test. CC ID 13168 | Human Resources Management | Preventive | |
Conduct a final security audit prior to implementing a new system. CC ID 06833 | Testing | Detective | |
Integrate additional security controls for newly implemented systems into interconnected systems, as necessary. CC ID 06272 | Technical Security | Preventive | |
Establish, implement, and maintain system acceptance criteria. CC ID 06210 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Establish/Maintain Documentation | Preventive | |
Document the acceptance status for all products passing the System Development Life Cycle implementation phase. CC ID 06211 | Establish/Maintain Documentation | Preventive | |
Control products that do not conform to the system acceptance criteria. CC ID 06212 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain end user support communications. CC ID 06615 | Business Processes | Preventive | |
Establish, implement, and maintain user documentation. CC ID 12250 | Establish/Maintain Documentation | Preventive | |
Include documentation for all systems in the user documentation. CC ID 12285 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb; Primary Noun; Secondary Verb; Secondary Noun; Limiting Term | | | |
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an access classification scheme. CC ID 00509 | Establish/Maintain Documentation | Preventive | |
Include restricting access to confidential data or restricted information to a need-to-know basis in the access classification scheme. CC ID 00510 | Establish/Maintain Documentation | Preventive | |
Include business security requirements in the access classification scheme. CC ID 00002 | Establish/Maintain Documentation | Preventive | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [Financial institutions should develop and implement a process governing the acquisition, development and maintenance of ICT systems. This process should be designed using a risk-based approach. 3.6.2 67] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Establish/Maintain Documentation | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Control access rights to organizational assets. CC ID 00004 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a)] | Technical Security | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a) Electronic access by applications to data and ICT systems should be limited to a minimum required to provide the relevant service. 3.4.2 32] | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Communicate | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 | Configuration | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical Security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 | Data and Information Management | Preventive | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
Control user privileges. CC ID 11665 [Access management: access rights should be granted, withdrawn or modified in a timely manner, according to predefined approval workflows that involve the business owner of the information being accessed (information asset owner). In the case of termination of employment, access rights should be promptly withdrawn. 3.4.2 31(e)] | Technical Security | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Establish/Maintain Documentation | Preventive | |
Review all user privileges, as necessary. CC ID 06784 [Access recertification: access rights should be periodically reviewed to ensure that users do not possess excessive privileges and that access rights are withdrawn when no longer required. 3.4.2 31(f)] | Technical Security | Preventive | |
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Behavior | Corrective | |
Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Configuration | Preventive | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Behavior | Corrective | |
Review each user's access capabilities when their role changes. CC ID 00524 | Technical Security | Preventive | |
Change authenticators after personnel status changes. CC ID 12284 | Human Resources Management | Preventive | |
Establish and maintain a Digital Rights Management program. CC ID 07093 | Establish/Maintain Documentation | Preventive | |
Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical Security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31] | Establish/Maintain Documentation | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical Security | Corrective | |
Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
Include the user's location in the system record. CC ID 16996 | Log Management | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
Require proper authentication for user identifiers. CC ID 11785 [Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, information or the process being accessed. This should, at a minimum, include complex passwords or stronger authentication methods (such as two-factor authentication), based on relevant risk. 3.4.2 31(g)] | Technical Security | Preventive | |
Assign authenticators to user accounts. CC ID 06855 | Configuration | Preventive | |
Assign authentication mechanisms for user account authentication. CC ID 06856 | Configuration | Preventive | |
Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical Security | Preventive | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Communicate | Preventive | |
Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Configuration | Preventive | |
Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical Security | Preventive | |
Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Establish Roles | Preventive | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Process or Activity | Preventive | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical Security | Preventive | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical Security | Preventive | |
Employ live scans to verify biometric authentication. CC ID 06847 | Technical Security | Preventive | |
Identify the user when enrolling them in the biometric system. CC ID 06882 | Testing | Detective | |
Disallow self-enrollment of biometric information. CC ID 11834 | Process or Activity | Preventive | |
Tune the biometric identification equipment, as necessary. CC ID 07077 | Configuration | Corrective | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Communicate | Preventive | |
Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Establish/Maintain Documentation | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Communicate | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Communicate | Preventive | |
Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Establish/Maintain Documentation | Preventive | |
Secure the Domain Name System. CC ID 00540 | Configuration | Preventive | |
Implement segregation of duties. CC ID 11843 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a)] | Technical Security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Establish/Maintain Documentation | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Technical Security | Preventive | |
Implement gateways between security domains. CC ID 16493 | Systems Design, Build, and Implementation | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical Security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical Security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical Security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical Security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical Security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Data and Information Management | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical Security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical Security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Data and Information Management | Preventive | |
Establish, implement, and maintain a network access control standard. CC ID 00546 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of protection of endpoints including servers, workstations and mobile devices; financial institutions should evaluate whether endpoints meet the security standards defined by them before they are granted access to the corporate network; 3.4.4 36(d)] | Establish/Maintain Documentation | Preventive | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Establish Roles | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical Security | Preventive | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical Security | Preventive | |
Place firewalls between security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Configuration | Preventive | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Configuration | Preventive | |
Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Configuration | Preventive | |
Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical Security | Preventive | |
Include configuration management and rulesets in the network access control standard. CC ID 11845 | Establish/Maintain Documentation | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Establish/Maintain Documentation | Preventive | |
Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 | Establish/Maintain Documentation | Preventive | |
Control all methods of remote access and teleworking. CC ID 00559 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical Security | Preventive | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Process or Activity | Preventive | |
Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Establish/Maintain Documentation | Preventive | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical Security | Preventive | |
Control remote administration in accordance with organizational standards. CC ID 04459 | Configuration | Preventive | |
Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Testing | Detective | |
Control remote access through a network access control. CC ID 01421 | Technical Security | Preventive | |
Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Configuration | Preventive | |
Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical Security | Preventive | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical Security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, information or the process being accessed. This should, at a minimum, include complex passwords or stronger authentication methods (such as two-factor authentication), based on relevant risk. 3.4.2 31(g)] | Configuration | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical Security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical Security | Preventive | |
Protect remote access accounts with encryption. CC ID 00562 | Configuration | Preventive | |
Monitor and evaluate all remote access usage. CC ID 00563 | Monitor and Evaluate Occurrences | Detective | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{data-in-transit} Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: encryption of data at rest and in transit (in accordance with the data classification). 3.4.4 36(f)] | Technical Security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 [Furthermore, as part of the response and recovery plans, a financial institution should consider and implement continuity measures to mitigate failures of third party providers, which are of key importance for a financial institution's ICT service continuity (in line with the provisions of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) regarding business continuity plans). 3.7.3 86] | Establish/Maintain Documentation | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Systems Continuity | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{operational incident}{security incident} To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: operational and security incident handling procedures including escalation and reporting. 3.2.3 8(b)] | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Testing | Detective | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Establish/Maintain Documentation | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Testing | Detective | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Establish/Maintain Documentation | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Preventive | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Operational and Systems Continuity | Preventive | |
Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Operational and Systems Continuity | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Operational management | Preventive | |
Perform a feasibility study for product requests. CC ID 06895 | Systems design, build, and implementation | Preventive | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Systems design, build, and implementation | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
Correct defective acquired goods or services. CC ID 06911 | Acquisition or sale of facilities, technology, and services | Corrective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

| Common Control | IMPACT ZONE | CLASS | |
|---|---|---|---|
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 | Leadership and high level objectives | Preventive | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [The ICT and security risk management framework should include processes in place to: report to the management body on the ICT and security risks and controls; 3.3.1 13(e)] | Monitoring and measurement | Detective | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 | Monitoring and measurement | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

| Common Control | IMPACT ZONE | CLASS | |
|---|---|---|---|
Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Monitoring and measurement | Preventive | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Preventive | |
Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Detective | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
Audit policies, standards, and procedures. CC ID 12927 [{Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and risk management | Preventive | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. 3.4.6 46] | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26 {Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{be relevant}{supporting activity} Financial institutions should ensure that they continuously monitor threats and vulnerabilities relevant to their business processes, supporting functions and information assets and should regularly review the risk scenarios impacting them. 3.3.3 21 The ICT and security risk management framework should include processes in place to: identify and assess the ICT and security risks to which a financial institution is exposed; 3.3.1 13(b) {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20 {internal factor} Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: relevant internal and external factors, including business and ICT administrative functions; 3.4.5 38(a)] | Audits and risk management | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [{supporting activity} Financial institutions should classify the identified business functions, supporting processes and information assets referred to in paragraphs 15 and 16 in terms of criticality. 3.3.3 17 Financial institutions should review the adequacy of the classification of the information assets and relevant documentation, when risk assessment is performed. 3.3.3 19] | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{supporting activity} To define the criticality of these identified business functions, supporting processes and information assets, financial institutions should, at a minimum, consider the confidentiality, integrity and availability requirements. There should be clearly assigned accountability and responsibility for the information assets. 3.3.3 18] | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22 {backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Detective | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 | Monitoring and measurement | Detective | |
Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 | Monitoring and measurement | Preventive | |
Do not intercept communications of any kind when providing a service to clients. CC ID 09985 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a testing program. CC ID 00654 [Financial institutions should establish and implement an information security testing framework that validates the robustness and effectiveness of their information security measures and ensure that this framework considers threats and vulnerabilities, identified through threat monitoring and ICT and security risk assessment process. 3.4.6 42] | Monitoring and measurement | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Preventive | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Corrective | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [{payment service user} PSPs should establish and implement processes to enhance PSUs' awareness of the security risks linked to the payment services by providing PSUs with assistance and guidance. 3.8 92] | Audits and risk management | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Corrective | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Corrective | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Preventive | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Preventive | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Preventive | |
Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Preventive | |
Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Preventive | |
Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Preventive | |
Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Preventive | |
Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Preventive | |
Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [{be consistent with} Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss and how to address information security related risks. Financial institutions should ensure that the training programme provides training for all staff members and contractors at least annually. 3.4.7 49] | Human Resources management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [{payment service user} PSPs should keep PSUs informed about updates in security procedures that affect PSUs regarding the provision of payment services. 3.8 97] | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Operational management | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Preventive | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
Investigate and take action regarding help desk queries. CC ID 06324 | Operational management | Corrective | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Preventive | |
Disseminate and communicate continuously and routinely regarding system development project requirements. CC ID 06899 | Systems design, build, and implementation | Detective | |
Return test payment cards after their use. CC ID 06398 | Systems design, build, and implementation | Preventive | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 [Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Detective | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: 3.2.2 5] | Leadership and high level objectives | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Preventive | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 [{be consistent with} Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss and how to address information security related risks. Financial institutions should ensure that the training programme provides training for all staff members and contractors at least annually. 3.4.7 49] | Audits and risk management | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [Financial institutions should review the adequacy of the classification of the information assets and relevant documentation, when risk assessment is performed. 3.3.3 19] | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Preventive | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Preventive | |
Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Physical and environmental protection | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Preventive | |
Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Preventive | |
Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Operational and Systems Continuity | Detective | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Detective | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Preventive | |
Correlate business processes and applications. CC ID 16300 | Operational management | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Operational management | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
Define the requirements for where assets can be located. CC ID 17051 | Operational management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50 The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attacks. 3.5 54 Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | Operational management | Preventive | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 | Operational management | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [{operational incident} Financial institutions should establish and implement an incident and problem management process to monitor and log operational and security ICT incidents and to enable financial institutions to continue or resume, in a timely manner, critical business functions and processes when disruptions occur. Financial institutions should determine appropriate criteria and thresholds for classifying events as operational or security incidents, as set out in the 'Definitions' section of these guidelines, as well as early warning indicators that should serve as alerts to enable early detection of these incidents. Such criteria and thresholds, for PSPs, are without prejudice to the classification of major incidents in accordance with Article 96 of PSD2 and the Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10). 3.5.1 59] | Operational management | Preventive | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
Establish, implement, and maintain a customer service business function. CC ID 00847 | Operational management | Preventive | |
Permit authorized individuals to accompany consumers at the organization's place of business. CC ID 16959 | Operational management | Preventive | |
Compare customer security advice with industry peers. CC ID 06869 | Operational management | Preventive | |
Use proactive performance management. CC ID 00937 [Financial institutions should ensure that performance of their ICT operations is aligned to their business requirements. Financial institutions should maintain and improve, when possible, efficiency of their ICT operations, including but not limited to the need to consider how to minimise potential errors arising from the execution of manual tasks. 3.5 51] | Operational management | Detective | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Detective | |
Review and approve the Information Technology budget. CC ID 13644 | Operational management | Corrective | |
Update the Information Technology budget, as necessary. CC ID 13643 | Operational management | Corrective | |
Manage change requests. CC ID 00887 | Operational management | Preventive | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Detective | |
Implement changes according to the change control program. CC ID 11776 [Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial institutions' formal change management process, which should ensure that changes are properly planned, tested, documented, authorised and deployed. 3.4.4 37 A financial institution should establish and implement an ICT project management policy that includes as a minimum: change management requirements. 3.6.1 63(f) Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change management process. 3.6.3 76] | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Corrective | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 [{payment service user}{in light of} The assistance and guidance offered to PSUs should be updated in the light of new threats and vulnerabilities, and changes should be communicated to the PSU. 3.8 93] | Leadership and high level objectives | Corrective | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Corrective | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Preventive | |
Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Preventive | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Monitoring and measurement | Preventive | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Monitoring and measurement | Preventive | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Preventive | |
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Monitoring and measurement | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Preventive | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Preventive | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Corrective | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Operational and Systems Continuity | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Corrective | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Disseminate and communicate the business process documentation to interested personnel and affected parties. CC ID 13038 | Operational management | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Preventive | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 [{payment service user} PSPs should provide PSUs with the option to receive alerts on initiated and/or failed attempts to initiate payment transactions, enabling them to detect fraudulent or malicious use of their accounts. 3.8 96] | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Preventive | |
Confirm the customer agrees with the resolution process associated with the complaint. CC ID 13630 | Operational management | Detective | |
Provide customer security advice, as necessary. CC ID 13674 | Operational management | Preventive | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Operational management | Preventive | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Operational management | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Preventive | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular)

CONTROL | IMPACT ZONE | CLASS | |
---|---|---|---|
Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Preventive | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 | Monitoring and measurement | Preventive | |
Document the event information to be logged in the event information log specification. CC ID 00639 | Monitoring and measurement | Preventive | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Preventive | |
Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 | Monitoring and measurement | Preventive | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 | Monitoring and measurement | Preventive | |
Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Preventive | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Preventive | |
Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Corrective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Detective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 | Technical security | Preventive | |
Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
Assign authenticators to user accounts. CC ID 06855 | Technical security | Preventive | |
Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Preventive | |
Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Preventive | |
Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Corrective | |
Secure the Domain Name System. CC ID 00540 | Technical security | Preventive | |
Place firewalls between security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Preventive | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Technical security | Preventive | |
Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Preventive | |
Control remote administration in accordance with organizational standards. CC ID 04459 | Technical security | Preventive | |
Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Technical security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, information or the process being accessed. This should, at a minimum, include complex passwords or stronger authentication methods (such as two-factor authentication), based on relevant risk. 3.4.2 31(g)] | Technical security | Preventive | |
Protect remote access accounts with encryption. CC ID 00562 | Technical security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Preventive | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Preventive | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Preventive | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Preventive | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Preventive | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Preventive | |
Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Preventive | |
Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Preventive | |
Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Preventive | |
Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 | Operational and Systems Continuity | Preventive | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Operational and Systems Continuity | Preventive | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Corrective | |
Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Preventive | |
Encrypt backup data. CC ID 00958 | Operational and Systems Continuity | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Preventive | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Operational management | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Operational management | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Corrective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Corrective | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Detective | |
Install the most current Windows Service Pack. CC ID 01695 | System hardening through configuration management | Preventive | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 | System hardening through configuration management | Preventive | |
Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Preventive | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
Remove unnecessary default accounts. CC ID 01539 | System hardening through configuration management | Preventive | |
Disable all unnecessary user identifiers. CC ID 02185 [{generic user account} User accountability: financial institutions should limit, as much as possible, the use of generic and shared user accounts and ensure that users can be identified for the actions performed in the ICT systems. 3.4.2 31(b)] | System hardening through configuration management | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 | System hardening through configuration management | Preventive | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Preventive | |
Configure the test environment similar to the production environment. CC ID 06837 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular)

CONTROL | IMPACT ZONE | CLASS | |
---|---|---|---|
Address Information Security during the business planning processes. CC ID 06495 [Financial institutions should ensure that performance of their ICT operations is aligned to their business requirements. Financial institutions should maintain and improve, when possible, efficiency of their ICT operations, including but not limited to the need to consider how to minimise potential errors arising from the execution of manual tasks. 3.5 51] | Leadership and high level objectives | Preventive | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Preventive | |
Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Detective | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Preventive | |
Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Preventive | |
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Operational and Systems Continuity | Preventive | |
Determine which data elements to back up. CC ID 13483 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Detective | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 | Operational and Systems Continuity | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Preventive | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Operational management | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Operational management | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [the management body is informed on an ad hoc basis in the event of significant incidents and, at least, informed of the impact, the response and the additional controls to be defined as a result of the incidents. 3.5.1 60(d)(ii) To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: provide timely information to external parties (e.g. customers, other market participants, the supervisory authority) as appropriate and in line with an applicable regulation. 3.5.1 60(f)(ii)] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Preventive | |
Approve tested change requests. CC ID 11783 | Operational management | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Preventive | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular)

CONTROL | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Detective | |
Define and assign log management roles and responsibilities. CC ID 06311 | Monitoring and measurement | Preventive | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26] | Audits and risk management | Preventive | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [{independent review} The internal audit function should, following a risk-based approach, have the capacity to independently review and provide objective assurance of the compliance of all ICT and security-related activities and units of a financial institution with the financial institution's policies and procedures and with external requirements, adhering to the requirements of Section 22 of the EBA Guidelines on internal governance (EBA/GL/2017/11). 3.3.1 11 ¶ 2 {Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and risk management | Preventive | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Audits and risk management | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Preventive | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Technical security | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Preventive | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Identify and define all critical roles. CC ID 00777 [A financial institution should implement a programme and/or a project governance process that defines roles, responsibilities and accountabilities to effectively support the implementation of the ICT strategy. 3.6.1 61] | Human Resources management | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Financial institutions should define and implement measures to mitigate identified ICT and security risks and to protect information assets in accordance with their classification. 3.3.4 23 Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of protection of endpoints including servers, workstations and mobile devices; financial institutions should evaluate whether endpoints meet the security standards defined by them before they are granted access to the corporate network; 3.4.4 36(d)] | Operational management | Preventive | |
Establish and maintain the overall system development project management roles and responsibilities. CC ID 00991 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: roles and responsibilities; 3.6.1 63(b)] | Systems design, build, and implementation | Preventive | |
Assign the role of information security management as a part of developing systems. CC ID 06823 | Systems design, build, and implementation | Preventive | |
Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Leadership and high level objectives | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
Include input from interested personnel and affected parties as a part of the organization's communication protocol. CC ID 12417 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain warning procedures. CC ID 12407 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 | Leadership and high level objectives | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [Financial institutions should identify, establish and maintain updated mapping of their business functions, roles and supporting processes to identify the importance of each and their interdependencies related to ICT and security risks. 3.3.2 15] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Leadership and high level objectives | Preventive | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 [The establishment and progress of ICT projects and their associated risks should be reported to the management body, individually or in aggregation, depending on the importance and size of the ICT projects, regularly and on an ad hoc basis as appropriate. Financial institutions should include project risk in their risk management framework. 3.6.1 66] | Leadership and high level objectives | Detective | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: the planned strategy and evolution of the architecture of ICT, including third party dependencies; 3.2.2 5(b) Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6 {organizational structure} The ICT strategy should be aligned with financial institutions' overall business strategy and should define: how financial institutions' ICT should evolve to effectively support and participate in their business strategy, including the evolution of the organisational structure, ICT system changes and key dependencies with third parties; 3.2.2 5(a)] | Leadership and high level objectives | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 | Leadership and high level objectives | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: project objectives; 3.6.1 63(a)] | Leadership and high level objectives | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: key milestones; 3.6.1 63(e)] | Leadership and high level objectives | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 [Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 | Monitoring and measurement | Preventive | |
Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 | Monitoring and measurement | Detective | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Create specific test plans to test each system component. CC ID 00661 [For PSPs, the testing framework should also encompass the security measures relevant to (1) payment terminals and devices used for the provision of payment services, (2) payment terminals and devices used for authenticating the payment service users (PSU), and (3) devices and software provided by the PSP to the PSU to generate/receive an authentication code. 3.4.6 47] | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Preventive | |
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Preventive | |
Define the test requirements for each testing program. CC ID 13177 [Financial institutions should ensure that tests of security measures are conducted in the event of changes to infrastructure, processes or procedures and if changes are made because of major operational or security incidents or due to the release of new or significantly changed internet-facing critical applications. 3.4.6 45] | Monitoring and measurement | Preventive | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Preventive | |
Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Preventive | |
Define the test frequency for each testing program. CC ID 13176 [{ongoing basis} Financial institutions should perform ongoing and repeated tests of the security measures. For all critical ICT systems (paragraph 17), these tests should be performed at least on an annual basis and, for PSPs, they will be part of the comprehensive assessment of the security risks related to the payment services they provide, in accordance with Article 95(2) of PSD2. Noncritical systems should be tested regularly using a risk-based approach, but at least every 3 years. 3.4.6 44] | Monitoring and measurement | Preventive | |
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Preventive | |
Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Preventive | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Preventive | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Preventive | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [A formal follow-up process including provisions for the timely verification and remediation of critical ICT audit findings should be established. 3.3.6 27] | Audits and risk management | Corrective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The ICT and security risk management framework should include processes in place to: identify and assess the ICT and security risks to which a financial institution is exposed; 3.3.1 13(b)] | Audits and risk management | Preventive | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Audits and risk management | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [{external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Preventive | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Preventive | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 [The establishment and progress of ICT projects and their associated risks should be reported to the management body, individually or in aggregation, depending on the importance and size of the ICT projects, regularly and on an ad hoc basis as appropriate. Financial institutions should include project risk in their risk management framework. 3.6.1 66 A financial institution should establish and implement an ICT project management policy that includes as a minimum: a project risk assessment; 3.6.1 63(c)] | Audits and risk management | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 [The ICT and security risk management framework should include processes in place to: identify and assess whether there are any ICT and security risks resulting from any major change in ICT system or ICT services, processes or procedures, and/or after any significant operational or security incident. 3.3.1 13(f) {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Audits and risk management | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Audits and risk management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The ICT and security risk management framework should include processes in place to: determine the risk appetite for ICT and security risks, in accordance with the risk appetite of the financial institution; 3.3.1 13(a) {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [The ICT and security risk management framework should include processes in place to: define mitigation measures, including controls, to mitigate ICT and security risks; 3.3.1 13(c) Financial institutions should define and implement measures to mitigate identified ICT and security risks and to protect information assets in accordance with their classification. 3.3.4 23] | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [{ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Audits and risk management | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [The ICT and security risk management framework should include processes in place to: report to the management body on the ICT and security risks and controls; 3.3.1 13(e) {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22] | Audits and risk management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Preventive | |
Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Preventive | |
Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 | Technical security | Preventive | |
Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Preventive | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [Financial institutions should develop and implement a process governing the acquisition, development and maintenance of ICT systems. This process should be designed using a risk-based approach. 3.6.2 67] | Technical security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31] | Technical security | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Preventive | |
Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31] | Technical security | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 | Technical security | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Technical security | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Preventive | |
Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Preventive | |
Establish, implement, and maintain a network access control standard. CC ID 00546 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of protection of endpoints including servers, workstations and mobile devices; financial institutions should evaluate whether endpoints meet the security standards defined by them before they are granted access to the corporate network; 3.4.4 36(d)] | Technical security | Preventive | |
Include configuration management and rulesets in the network access control standard. CC ID 11845 | Technical security | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Preventive | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Technical security | Preventive | |
Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 | Technical security | Preventive | |
Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Preventive | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [Adequate measures to protect from environmental hazards should be commensurate with the importance of the buildings and the criticality of the operations or ICT systems located in these buildings. 3.4.3 35] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 [Financial institutions' physical security measures should be defined, documented and implemented to protect their premises, data centres and sensitive areas from unauthorised access and from environmental hazards. 3.4.3 33] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Preventive | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Preventive | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Preventive | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Preventive | |
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Preventive | |
Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Preventive | |
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Preventive | |
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Preventive | |
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Preventive | |
Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Preventive | |
Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Preventive | |
Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [Financial institutions should establish a sound business continuity management (BCM) process to maximise their abilities to provide services on an ongoing basis and to limit losses in the event of severe business disruption in line with Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance (EBA/GL/2017/11). 3.7 77] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 | Operational and Systems Continuity | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Operational and Systems Continuity | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 | Operational and Systems Continuity | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Operational and Systems Continuity | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Preventive | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Preventive | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Preventive | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Preventive | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Preventive | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Preventive | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Preventive | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Preventive | |
Include data recovery in the business continuity testing strategy. CC ID 13262 | Operational and Systems Continuity | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Preventive | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Preventive | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 | Operational and Systems Continuity | Preventive | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Operational and Systems Continuity | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: 3.4.4 36] | Operational and Systems Continuity | Preventive | |
Include business units in the scope of the continuity framework. CC ID 11898 | Operational and Systems Continuity | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Preventive | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Operational and Systems Continuity | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Preventive | |
Include Quality Management in the continuity framework. CC ID 12239 | Operational and Systems Continuity | Preventive | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 | Operational and Systems Continuity | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Preventive | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{put in place} Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a system or process must be restored after an incident) and a recovery point objective (RPO, the maximum time period during which it is acceptable for data to be lost in the event of an incident). In cases of severe business disruption that trigger specific business continuity plans, financial institutions should prioritise business continuity actions using risk-based approach, which can be based on the risk assessments carried out under Section 3.3.3. For PSPs this may include, for example, facilitating the further processing of critical transactions while remediation efforts continue. 3.7.2 81 {Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80 BCPs should be updated at least annually, based on testing results, current threat intelligence and lessons learned from previous events. Any changes in recovery objectives (including RTOs and RPOs) and/or changes in business functions, supporting processes and information assets, should also be considered, where relevant, as a basis for updating the BCPs. 3.7.4 88] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial institution should describe how the continuity of ICT systems and services, as well as the financial institution's information security, are ensured. 3.7.2 82] | Operational and Systems Continuity | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial institution should describe how the continuity of ICT systems and services, as well as the financial institution's information security, are ensured. 3.7.2 82] | Operational and Systems Continuity | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be updated in line with lessons learned from incidents, tests, new risks identified and threats, and changed recovery objectives and priorities. 3.7.3 84(c) {business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b) {Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Operational and Systems Continuity | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [{off-site storage}{secure storage} Financial institutions should ensure that data and ICT system backups are stored securely and are sufficiently remote from the primary site so they are not exposed to the same risks. 3.5 58] | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Detective | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: 3.7.3 84 {response and recovery plan}{be infeasible} The plans should also consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics or unforeseen circumstances. 3.7.3 85 {put in place} Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a system or process must be restored after an incident) and a recovery point objective (RPO, the maximum time period during which it is acceptable for data to be lost in the event of an incident). In cases of severe business disruption that trigger specific business continuity plans, financial institutions should prioritise business continuity actions using risk-based approach, which can be based on the risk assessments carried out under Section 3.3.3. For PSPs this may include, for example, facilitating the further processing of critical transactions while remediation efforts continue. 3.7.2 81 The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83 The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Preventive | |
Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Operational and Systems Continuity | Preventive | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 | Operational and Systems Continuity | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Preventive | |
Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Operational and Systems Continuity | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Operational and Systems Continuity | Detective | |
Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Operational and Systems Continuity | Preventive | |
Define and prioritize critical business records. CC ID 11687 | Operational and Systems Continuity | Preventive | |
Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 | Operational and Systems Continuity | Detective | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Detective | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Preventive | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Preventive | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Operational and Systems Continuity | Preventive | |
Include workstation continuity procedures in the continuity plan. CC ID 01378 | Operational and Systems Continuity | Preventive | |
Include server continuity procedures in the continuity plan. CC ID 01379 | Operational and Systems Continuity | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Preventive | |
Include near-line capabilities in the continuity plan. CC ID 01383 | Operational and Systems Continuity | Preventive | |
Include online capabilities in the continuity plan. CC ID 11690 | Operational and Systems Continuity | Preventive | |
Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Operational and Systems Continuity | Preventive | |
Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Operational and Systems Continuity | Preventive | |
Include system continuity procedures in the continuity plan. CC ID 01268 | Operational and Systems Continuity | Preventive | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Operational and Systems Continuity | Detective | |
Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Operational and Systems Continuity | Preventive | |
Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Operational and Systems Continuity | Preventive | |
Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Operational and Systems Continuity | Preventive | |
Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Operational and Systems Continuity | Preventive | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Preventive | |
Designate an alternate facility in the continuity plan. CC ID 00742 | Operational and Systems Continuity | Detective | |
Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Operational and Systems Continuity | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Preventive | |
Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Preventive | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Preventive | |
Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Preventive | |
Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [{internal stakeholder}{timely manner} In the event of a disruption or emergency, and during the implementation of the BCPs, financial institutions should ensure that they have effective crisis communication measures in place so that all relevant internal and external stakeholders, including the competent authorities when required by national regulations, and also relevant providers (outsourcing providers, group entities, or third party providers) are informed in a timely and appropriate manner. 3.7.5 91] | Operational and Systems Continuity | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Preventive | |
Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Preventive | |
Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Detective | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [{business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b)] | Operational and Systems Continuity | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Preventive | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Preventive | |
Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Preventive | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Preventive | |
Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Preventive | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Preventive | |
Include the risk assessment results in the continuity test plan. CC ID 17205 | Operational and Systems Continuity | Preventive | |
Include the business impact analysis test results in the continuity test plan. CC ID 17204 | Operational and Systems Continuity | Preventive | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 [{supporting activity} To define the criticality of these identified business functions, supporting processes and information assets, financial institutions should, at a minimum, consider the confidentiality, integrity and availability requirements. There should be clearly assigned accountability and responsibility for the information assets. 3.3.3 18] | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 [{information security and awareness training} Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: information security training and awareness (Section 3.4.7). 3.4.1 30(g)] | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3] | Human Resources management | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
Document the organization's business processes. CC ID 13035 [Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50] | Operational management | Detective | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Operational management | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: logical security (Section 3.4.2); 3.4.1 30(b)] | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: ICT operations security (Section 3.4.4); 3.4.1 30(d) Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50] | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: physical security (Section 3.4.3); 3.4.1 30(c)] | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: security monitoring (Section 3.4.5); 3.4.1 30(e)] | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: organisation and governance in accordance with paragraphs 10 and 11; 3.4.1 30(a)] | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: 3.4.1 30 Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: 3.4.4 36 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: clear information security objectives, focusing on ICT systems and ICT services, staff and processes. 3.2.2 5(c) Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Operational management | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{internal organization} All financial institutions should comply with the provisions set out in these guidelines in such a way that is proportionate to, and takes account of, the financial institutions' size, their internal organisation, and the nature, scope, complexity and riskiness of the services and products that the financial institutions provide or intend to provide. 3.1 1] | Operational management | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Operational management | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Preventive | |
Define confidentiality controls. CC ID 01908 | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Preventive | |
Define integrity controls. CC ID 01909 | Operational management | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: ensuring that mechanisms are in place to verify the integrity of software, firmware and data; 3.4.4 36(e)] | Operational management | Preventive | |
Define availability controls. CC ID 01911 | Operational management | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attacks. 3.5 54 Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 [{internal system} In addition, financial institutions should identify, establish and maintain updated mapping of the information assets supporting their business functions and supporting processes, such as ICT systems, staff, contractors, third parties and dependencies on other internal and external systems and processes, to be able to, at least, manage the information assets that support their critical business functions and processes. 3.3.2 16] | Operational management | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Preventive | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 [{payment service user} PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. 3.8 98] | Operational management | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Operational management | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [{operational incident} Financial institutions should establish and implement an incident and problem management process to monitor and log operational and security ICT incidents and to enable financial institutions to continue or resume, in a timely manner, critical business functions and processes when disruptions occur. Financial institutions should determine appropriate criteria and thresholds for classifying events as operational or security incidents, as set out in the 'Definitions' section of these guidelines, as well as early warning indicators that should serve as alerts to enable early detection of these incidents. Such criteria and thresholds, for PSPs, are without prejudice to the classification of major incidents in accordance with Article 96 of PSD2 and the Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10). 3.5.1 59] | Operational management | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: the procedures to identify, track, log, categorise and classify incidents according to a priority, based on business criticality; 3.5.1 60(a) Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Operational management | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Preventive | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Operational management | Corrective | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 [{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Operational management | Preventive | |
Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60] | Operational management | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Preventive | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [{ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Operational management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Preventive | |
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [incidents with a potentially high adverse impact on critical ICT systems and ICT services are reported to the relevant senior management and ICT senior management; 3.5.1 60(d)(i)] | Operational management | Preventive | |
Document the resolution of issues reported to customer service. CC ID 12918 | Operational management | Preventive | |
Provide and display incident management contact information to customers. CC ID 06386 [{payment service user} PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. 3.8 98] | Operational management | Corrective | |
Establish, implement, and maintain help desk query escalation procedures. CC ID 00849 | Operational management | Preventive | |
Establish, implement, and maintain help desk query clearance procedures. CC ID 00850 | Operational management | Preventive | |
Establish, implement, and maintain help desk query trend analysis procedures. CC ID 00851 | Operational management | Preventive | |
Display customer security advice prominently. CC ID 13667 | Operational management | Preventive | |
Review and update security advice for customers, as necessary. CC ID 06868 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Create an incident response report. CC ID 12700 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Operational management | Preventive | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Preventive | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Preventive | |
Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Preventive | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Preventive | |
Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Preventive | |
Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Preventive | |
Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Preventive | |
Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Preventive | |
Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Preventive | |
Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Preventive | |
Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Preventive | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Preventive | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Preventive | |
Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Preventive | |
Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Preventive | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Operational management | Preventive | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Preventive | |
Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Preventive | |
Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Preventive | |
Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Preventive | |
Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Preventive | |
Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Preventive | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Preventive | |
Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Operational management | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: 3.5.1 60(f)] | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 [{business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b)] | Operational management | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {be operational}{be secure} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: incident response procedures to mitigate the impacts related to the incidents and to ensure that the service becomes operational and secure in a timely manner; 3.5.1 60(e)] | Operational management | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 | Operational management | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Preventive | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3] | Operational management | Detective | |
Establish, implement, and maintain a change control program. CC ID 00886 [Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. changes that must be introduced as soon as possible) following procedures that provide adequate safeguards. 3.6.3 75] | Operational management | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 | Operational management | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Corrective | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. changes that must be introduced as soon as possible) following procedures that provide adequate safeguards. 3.6.3 75] | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Operational management | Preventive | |
Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Preventive | |
Document approved configuration deviations. CC ID 08711 | Operational management | Corrective | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of secure configuration baselines of all network components; 3.4.4 36(b) Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | System hardening through configuration management | Preventive | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Preventive | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Preventive | |
Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Preventive | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Preventive | |
Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Preventive | |
Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Preventive | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Preventive | |
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Systems design, build, and implementation | Preventive | |
Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 | Systems design, build, and implementation | Preventive | |
Define and document organizational structures for the System Development Life Cycle program. CC ID 12549 | Systems design, build, and implementation | Preventive | |
Include system and network monitoring reporting lines in the System Development Life Cycle documentation. CC ID 12562 | Systems design, build, and implementation | Preventive | |
Include system maintenance authorities in the System Development Life Cycle documentation. CC ID 12566 | Systems design, build, and implementation | Preventive | |
Include system development reporting lines in the System Development Life Cycle documentation. CC ID 12559 | Systems design, build, and implementation | Preventive | |
Include system design reporting lines in the System Development Life Cycle documentation. CC ID 12558 | Systems design, build, and implementation | Preventive | |
Include system development authorities in the System Development Life Cycle documentation. CC ID 12564 | Systems design, build, and implementation | Preventive | |
Include system design authorities in the System Development Life Cycle documentation. CC ID 12572 | Systems design, build, and implementation | Preventive | |
Include system and network monitoring authorities in the System Development Life Cycle documentation. CC ID 12568 | Systems design, build, and implementation | Preventive | |
Include system operation authorities in the System Development Life Cycle documentation. CC ID 12567 | Systems design, build, and implementation | Preventive | |
Include system maintenance responsibilities in the System Development Life Cycle documentation. CC ID 12556 | Systems design, build, and implementation | Preventive | |
Include system implementation authorities in the System Development Life Cycle documentation. CC ID 12565 | Systems design, build, and implementation | Preventive | |
Include system and network monitoring responsibilities in the System Development Life Cycle documentation. CC ID 12557 | Systems design, build, and implementation | Preventive | |
Include system operation responsibilities in the System Development Life Cycle documentation. CC ID 12563 | Systems design, build, and implementation | Preventive | |
Include system maintenance reporting lines in the System Development Life Cycle documentation. CC ID 12555 | Systems design, build, and implementation | Preventive | |
Include system operation reporting lines in the System Development Life Cycle documentation. CC ID 12561 | Systems design, build, and implementation | Preventive | |
Include system implementation reporting lines in the System Development Life Cycle documentation. CC ID 12560 | Systems design, build, and implementation | Preventive | |
Define and document organizational structures for system and network monitoring. CC ID 12554 | Systems design, build, and implementation | Preventive | |
Define and document organizational structures for systems operations. CC ID 12553 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a full set of system procedures. CC ID 01074 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a physical, electrical, and logical interface specification. CC ID 01075 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a user-machine interaction specification. CC ID 01076 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a processing requirements definition document. CC ID 01077 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain an output requirements definition document. CC ID 01078 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a database management standard. CC ID 01079 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 [A financial institution should ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements (including information security requirements) are clearly defined and approved by the relevant business management. 3.6.2 68] | Systems design, build, and implementation | Preventive | |
Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922 | Systems design, build, and implementation | Detective | |
Document stakeholder requirements and how they influence system design requirements. CC ID 06925 | Systems design, build, and implementation | Preventive | |
Document legal requirements and how they influence system design requirements. CC ID 11793 | Systems design, build, and implementation | Preventive | |
Identify and document system design constraints. CC ID 06923 | Systems design, build, and implementation | Preventive | |
Identify and document limitations that the implementation technology and the implementation strategy put on the system design solution. CC ID 06928 | Systems design, build, and implementation | Preventive | |
Identify and document system development constraints. CC ID 11698 | Systems design, build, and implementation | Preventive | |
Identify and document the system boundaries of the system design project. CC ID 06924 | Systems design, build, and implementation | Preventive | |
Review the degree of human intervention and control points in the system design requirements. CC ID 13536 | Systems design, build, and implementation | Detective | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: 3.6.1 63] | Systems design, build, and implementation | Preventive | |
Include objectives in the project management standard. CC ID 17202 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project program documentation standard. CC ID 00995 | Systems design, build, and implementation | Preventive | |
Include budgeting for projects in the project management standard. CC ID 13136 | Systems design, build, and implementation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: a project plan, timeframe and steps; 3.6.1 63(d)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project control program. CC ID 01612 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project test plan. CC ID 01001 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project team plan. CC ID 06533 | Systems design, build, and implementation | Preventive | |
Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project management training plan. CC ID 01002 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Preventive | |
Document the system architecture in the system design specification. CC ID 12287 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Preventive | |
Include hardware requirements in the system design specification. CC ID 08666 | Systems design, build, and implementation | Preventive | |
Include communication links in the system design specification. CC ID 08665 | Systems design, build, and implementation | Preventive | |
Include a description of each module and asset in the system design specification. CC ID 11734 | Systems design, build, and implementation | Preventive | |
Include supporting software requirements in the system design specification. CC ID 08664 | Systems design, build, and implementation | Preventive | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Preventive | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Preventive | |
Include the logical data flows and process steps in the system design specification. CC ID 08668 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 [{development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Systems design, build, and implementation | Preventive | |
Establish and maintain a coding manual for secure coding techniques. CC ID 11863 | Systems design, build, and implementation | Preventive | |
Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Preventive | |
Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system testing policy. CC ID 01102 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system testing procedures. CC ID 11744 | Systems design, build, and implementation | Preventive | |
Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system acceptance criteria. CC ID 06210 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Preventive | |
Document the acceptance status for all products passing the System Development Life Cycle implementation phase. CC ID 06211 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain user documentation. CC ID 12250 | Systems design, build, and implementation | Preventive | |
Include documentation for all systems in the user documentation. CC ID 12285 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes. 3.6.2 74] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes. 3.6.2 74] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 [Furthermore, as part of the response and recovery plans, a financial institution should consider and implement continuity measures to mitigate failures of third party providers, which are of key importance for a financial institution's ICT service continuity (in line with the provisions of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) regarding business continuity plans). 3.7.3 86] | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{operational incident}{security incident} To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: operational and security incident handling procedures including escalation and reporting. 3.2.3 8(b)] | Third Party and supply chain oversight | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Preventive | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Preventive | |
Review and approve the Strategic Information Technology Plan. CC ID 13094 | Leadership and high level objectives | Preventive | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Detective | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 [The information security testing framework should ensure that tests: are carried out by independent testers with sufficient knowledge, skills and expertise in testing information security measures and who are not involved in the development of the information security measures; 3.4.6 43(a)] | Monitoring and measurement | Preventive | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
Change authenticators after personnel status changes. CC ID 12284 | Technical security | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2 The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Human Resources management | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
Assign the Risk Assessment Manager the duty of reporting risk assessment results to organizational management. CC ID 12152 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2 {establish} The management body has overall accountability for setting, approving and overseeing the implementation of financial institutions' ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. 3.2.1 4] | Human Resources management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 [Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Human Resources management | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [{establish} The management body has overall accountability for setting, approving and overseeing the implementation of financial institutions' ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. 3.2.1 4] | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
Assign roles and responsibilities in the customer service program. CC ID 13911 | Operational management | Preventive | |
Define and assign the roles and responsibilities for the Incident Management program. CC ID 13055 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: the roles and responsibilities for different incident scenarios (e.g. errors, malfunctioning, cyber-attacks); 3.5.1 60(b)] | Operational management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Systems design, build, and implementation | Preventive | |
Involve all stakeholders in the final acceptance test. CC ID 13168 | Systems design, build, and implementation | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Corrective | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Detective | |
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [Financial institutions should perform a variety of information security reviews, assessments and testing to ensure the effective identification of vulnerabilities in their ICT systems and ICT services. For instance, financial institutions may perform gap analysis against information security standards, compliance reviews, internal and external audits of the information systems, or physical security reviews. Furthermore, the institution should consider good practices such as source code reviews, vulnerability assessments, penetration tests and red team exercises. 3.4.6 41] | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
Inspect device surfaces to detect tampering. CC ID 11868 | Physical and environmental protection | Detective | |
Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Physical and environmental protection | Detective | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Detective | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Detective | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Financial institutions should implement logging and monitoring procedures for critical ICT operations to allow the detection, analysis and correction of errors. 3.5 52] | Monitoring and measurement | Detective | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 | Monitoring and measurement | Preventive | |
Document and communicate the log locations to the owning entity. CC ID 12047 | Monitoring and measurement | Preventive | |
Make logs available for review by the owning entity. CC ID 12046 | Monitoring and measurement | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Detective | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Monitoring and measurement | Preventive | |
Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Monitoring and measurement | Detective | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Monitoring and measurement | Detective | |
Analyze firewall logs for the correct capturing of data. CC ID 00549 | Monitoring and measurement | Detective | |
Define the frequency to capture and log events. CC ID 06313 | Monitoring and measurement | Preventive | |
Include logging frequencies in the event logging procedures. CC ID 00642 | Monitoring and measurement | Preventive | |
Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Detective | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
Include the user's location in the system record. CC ID 16996 | Technical security | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Preventive | |
Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Preventive | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Preventive | |
Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Preventive | |
Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Preventive | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Preventive | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Preventive | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Preventive | |
Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Detective | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Preventive | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive | |
Log help desk queries. CC ID 00848 | Operational management | Preventive | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | System hardening through configuration management | Detective | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Preventive | |
Use system components only when third party support is available. CC ID 10644 | Operational management | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Operational management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 [A financial institution should ensure that measures are in place to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment. 3.6.2 69 {development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Operational management | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Detective | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 [Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6] | Leadership and high level objectives | Detective | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [{performance plan} Financial institutions should implement performance and capacity planning and monitoring processes to prevent, detect and respond to important performance issues of ICT systems and ICT capacity shortages in a timely manner. 3.5 56] | Monitoring and measurement | Detective | |
Monitor all outbound traffic from all systems. CC ID 12970 | Monitoring and measurement | Preventive | |
Monitor systems for errors and faults. CC ID 04544 | Monitoring and measurement | Detective | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 | Monitoring and measurement | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31 Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38 Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: transactions to detect misuse of access by third parties or other entities and internal misuse of access; 3.4.5 38(b)] | Monitoring and measurement | Detective | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Preventive | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Detective | |
Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Detective | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Detective | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Detective | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Detective | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Preventive | |
Monitor and evaluate system performance. CC ID 00651 | Monitoring and measurement | Detective | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 | Monitoring and measurement | Detective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 | Monitoring and measurement | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 | Monitoring and measurement | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 | Monitoring and measurement | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 | Monitoring and measurement | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitoring and measurement | Preventive | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Detective | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Detective | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Detective | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Detective | |
Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Detective | |
Monitor for software configuration updates absent authorization. CC ID 10676 | Monitoring and measurement | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Preventive | |
Monitor and evaluate user account activity. CC ID 07066 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Monitoring and measurement | Detective | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Detective | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Detective | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Detective | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [{be relevant}{supporting activity} Financial institutions should ensure that they continuously monitor threats and vulnerabilities relevant to their business processes, supporting functions and information assets and should regularly review the risk scenarios impacting them. 3.3.3 21 {internal threat} Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: potential internal and external threats. 3.4.5 38(c) A financial institution should appropriately monitor and mitigate risks deriving from their portfolio of ICT projects (programme management), considering also risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/or expertise. 3.6.1 62 Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Monitoring and measurement | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Preventive | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Detective | |
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Corrective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Financial institutions should monitor and seek assurance on the level of compliance of these providers with the security objectives, measures and performance targets of the financial institution. 3.2.3 9] | Monitoring and measurement | Detective | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. 3.4.6 46] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
Monitor and evaluate all remote access usage. CC ID 00563 | Technical security | Detective | |
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Detective | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Detective | |
Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Detective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Detective | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Detective | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Detective | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Detective | |
Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Detective | |
Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Corrective | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Detective | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: information security reviews, assessment and testing (Section 3.4.6); 3.4.1 30(f)] | Operational management | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Preventive | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
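The controls above on reporting red flags when credentials are used from a computer outside the usage profile (CC ID 07070) and on detecting anomalous account activity (CC IDs 06494, 16462) describe a detection, not an implementation. The following is an added example written for this report; it is not code from the EBA Guidelines or from the UCF. It learns, per user, the hosts seen in successful logons during a baseline window and then flags later logons from any host outside that set, treating users with no usable baseline as a red flag in their own right. The JSON-lines log format, the field names, the sample events and the three-logon minimum for a usable profile are all constructed assumptions for the example.

```python
"""
Usage-profile logon red flags (added example, constructed data).

Baseline phase: learn which hosts each user successfully logs on from.
Detection phase: flag any later logon whose host is outside that profile,
and any logon by a user for whom no usable profile exists.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
import json

# Assumption: a user with fewer successful baseline logons than this has no usable profile.
MIN_BASELINE_LOGONS = 3

# Constructed sample events in an assumed JSON-lines format; not real telemetry.
SAMPLE_LOGONS = """
{"ts": "2024-03-01T08:02:11Z", "user": "alice", "host": "WS-ALICE-01", "outcome": "success"}
{"ts": "2024-03-02T08:05:40Z", "user": "alice", "host": "WS-ALICE-01", "outcome": "success"}
{"ts": "2024-03-02T09:15:02Z", "user": "bob",   "host": "WS-BOB-07",   "outcome": "success"}
{"ts": "2024-03-03T08:01:59Z", "user": "alice", "host": "WS-ALICE-01", "outcome": "success"}
{"ts": "2024-03-03T09:20:13Z", "user": "bob",   "host": "WS-BOB-07",   "outcome": "success"}
{"ts": "2024-03-04T08:00:30Z", "user": "alice", "host": "WS-ALICE-01", "outcome": "success"}
{"ts": "2024-03-04T09:21:45Z", "user": "bob",   "host": "WS-BOB-07",   "outcome": "success"}
{"ts": "2024-03-10T23:41:07Z", "user": "alice", "host": "SRV-FIN-DB01", "outcome": "success"}
{"ts": "2024-03-10T23:43:19Z", "user": "bob",   "host": "WS-BOB-07",   "outcome": "success"}
{"ts": "2024-03-11T03:12:44Z", "user": "bob",   "host": "WS-ALICE-01", "outcome": "failure"}
{"ts": "2024-03-11T07:30:00Z", "user": "carol", "host": "WS-TEMP-03",  "outcome": "success"}
"""

# Events before this instant form the baseline; events from it onward are evaluated.
BASELINE_END = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    # Accept the trailing "Z" form on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_logons(text: str) -> list[dict]:
    """Parse JSON-lines logon events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_profile(events: list[dict], baseline_end: datetime) -> dict[str, set[str]]:
    """Map each user to the hosts they successfully logged on from before baseline_end."""
    counts: dict[str, int] = defaultdict(int)
    hosts: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev["ts"] < baseline_end and ev["outcome"] == "success":
            counts[ev["user"]] += 1
            hosts[ev["user"]].add(ev["host"])
    # Drop users without enough history; they get flagged rather than silently trusted.
    return {u: hosts[u] for u in hosts if counts[u] >= MIN_BASELINE_LOGONS}


def detect_red_flags(events: list[dict], profile: dict[str, set[str]],
                     baseline_end: datetime) -> list[dict]:
    """Return one red flag per post-baseline logon that falls outside the usage profile."""
    flags = []
    for ev in events:
        if ev["ts"] < baseline_end:
            continue
        known = profile.get(ev["user"])
        if known is None:
            reason = "no usage profile for user"
        elif ev["host"] not in known:
            reason = "logon from host outside usage profile"
        else:
            continue
        flags.append({
            "ts": ev["ts"].isoformat(),
            "user": ev["user"],
            "host": ev["host"],
            "outcome": ev["outcome"],
            "reason": reason,
            # A successful off-profile logon means the credential was actually used;
            # a failed attempt from an unprofiled host still deserves triage.
            "severity": "high" if ev["outcome"] == "success" else "medium",
        })
    return flags


def run_example() -> tuple[dict[str, set[str]], list[dict]]:
    """Build the profile from the sample data and return it with the red flags found."""
    events = parse_logons(SAMPLE_LOGONS)
    profile = build_profile(events, BASELINE_END)
    return profile, detect_red_flags(events, profile, BASELINE_END)


if __name__ == "__main__":
    _, found = run_example()
    for flag in found:
        print(json.dumps(flag))
```

On the sample data the baseline yields alice on WS-ALICE-01 and bob on WS-BOB-07, and the detection window produces three red flags: alice's successful logon to SRV-FIN-DB01 (high), bob's failed logon from alice's workstation (medium), and carol's logon with no profile at all (high). In production the baseline would be rebuilt on a rolling window and a reviewed exception list would absorb legitimate new hosts, so that each flag reaches the incident triage step (CC ID 06942) rather than drowning it.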
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Preventive | |
Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Preventive | |
Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Preventive | |
Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and environmental protection | Preventive | |
Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Preventive | |
Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Preventive | |
Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Preventive | |
Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Corrective | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Preventive | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Preventive | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Preventive | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Preventive | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Preventive | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Preventive | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Preventive | |
Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Preventive | |
Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Detective | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Preventive | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
Restrict physical access to distributed assets. CC ID 11865 | Physical and environmental protection | Preventive | |
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Preventive | |
Protect electronic storage media with physical access controls. CC ID 00720 | Physical and environmental protection | Preventive | |
Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Preventive | |
Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Preventive | |
Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Preventive | |
Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Preventive | |
Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Preventive | |
Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Preventive | |
Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Detective | |
Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Preventive | |
Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Corrective | |
Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Preventive | |
Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Preventive | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Preventive | |
Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Preventive | |
Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Preventive | |
Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Preventive | |
Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Detective | |
Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Preventive | |
Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Preventive | |
Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Preventive | |
Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Preventive | |
Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Preventive | |
Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Preventive | |
Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Preventive | |
Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Preventive | |
Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Detective | |
Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Preventive | |
Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Preventive | |
Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Detective | |
Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Preventive | |
Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Preventive | |
Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Preventive | |
Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Preventive | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Preventive | |
Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Preventive | |
Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Preventive | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Preventive | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Preventive | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Preventive | |
Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Preventive | |
Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Preventive | |
Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and environmental protection | Preventive | |
Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Preventive | |
Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Preventive | |
Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Preventive | |
Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Preventive | |
Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Preventive | |
Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Preventive | |
Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Preventive | |
Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Preventive | |
Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Preventive | |
Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Preventive | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Preventive | |
Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Preventive | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Operational and Systems Continuity | Preventive | |
Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Preventive | |
Implement redundancy in life-safety systems. CC ID 02228 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Corrective | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Operational and Systems Continuity | Preventive | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Preventive | |
Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Detective | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
Include anti-counterfeit measures in the system requirements specification. CC ID 11547 | Systems design, build, and implementation | Preventive | |
Include anti-counterfeit measures that resist reverse engineering in the system requirements specification. CC ID 11548 | Systems design, build, and implementation | Preventive | |
Include anti-counterfeit measures that are apparent to anti-counterfeit authentication testing in the system requirements specification. CC ID 11549 | Systems design, build, and implementation | Preventive | |
Include anti-counterfeit measures that are interdependent between material goods and the anti-counterfeit authentication test in the system requirements specification. CC ID 11550 | Systems design, build, and implementation | Preventive | |
Include anti-counterfeit measures that allow product characteristic change detection as the result of an attack in the system requirements specification. CC ID 11551 | Systems design, build, and implementation | Preventive | |
Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 | Systems design, build, and implementation | Preventive | |
Analyze anti-counterfeit measures for their longevity. CC ID 11553 | Systems design, build, and implementation | Preventive | |
Disallow reuse of anti-counterfeit measures absent authentication. CC ID 11554 | Systems design, build, and implementation | Preventive | |
Include anti-counterfeit measures to be compatible with material goods associated with the product in the system requirements specification. CC ID 11555 | Systems design, build, and implementation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 [The security monitoring process should also help a financial institution to understand the nature of operational or security incidents, to identify trends and to support the organisation's investigations. 3.4.5 40] | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Preventive | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Detective | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Preventive | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Detective | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Preventive | |
Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Preventive | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Preventive | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Preventive | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Preventive | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Corrective | |
Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 | Operational management | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Detective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: collaborate with relevant stakeholders to effectively respond to and recover from the incident; 3.5.1 60(f)(i)] | Operational management | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Detective | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Establish, implement, and maintain a patch management program. CC ID 00896 [Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Operational management | Preventive | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Preventive | |
Resolve conflicting design and development inputs. CC ID 13703 | Systems design, build, and implementation | Corrective | |
Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Preventive | |
Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 | Systems design, build, and implementation | Preventive | |
Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Preventive | |
Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Preventive | |
Include system performance in the scope of system testing. CC ID 12624 | Systems design, build, and implementation | Preventive | |
Include security controls in the scope of system testing. CC ID 12623 [Financial institutions should test ICT systems, ICT services and information security measures to identify potential security weaknesses, violations and incidents. 3.6.2 71] | Systems design, build, and implementation | Preventive | |
Include business logic in the scope of system testing. CC ID 12622 | Systems design, build, and implementation | Preventive | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Preventive | |
Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Preventive | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Physical and environmental protection | Preventive | |
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Preventive | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Preventive | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Preventive | |
Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Preventive | |
Identify all critical business records. CC ID 00737 | Operational and Systems Continuity | Detective | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Records management | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Records management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Detective | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 | Operational and Systems Continuity | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Operational and Systems Continuity | Preventive | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Corrective | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Operational and Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 [Financial institutions should ensure that their ICT systems and ICT services are designed and aligned with their BIA, for example with redundancy of certain critical components to prevent disruptions caused by events impacting those components. 3.7.1 79] | Operational and Systems Continuity | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Corrective | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Corrective | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Detective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Preventive | |
Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Operational and Systems Continuity | Preventive | |
Include evacuation procedures in the continuity plan. CC ID 12773 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Preventive | |
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Preventive | |
Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Detective | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Preventive | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Preventive | |
Back up all records. CC ID 11974 | Operational and Systems Continuity | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Preventive | |
Validate information security continuity controls regularly. CC ID 12008 | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement gateways between security domains. CC ID 16493 | Technical security | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
Review each system's operational readiness. CC ID 06275 | Operational management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Financial institutions should develop and implement a process governing the acquisition, development and maintenance of ICT systems. This process should be designed using a risk-based approach. 3.6.2 67] | Systems design, build, and implementation | Preventive | |
Include information security throughout the system development life cycle. CC ID 12042 | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Establish and maintain System Development Life Cycle documentation. CC ID 12079 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Preventive | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 | Systems design, build, and implementation | Preventive | |
Design and develop built-in redundancies, as necessary. CC ID 13064 | Systems design, build, and implementation | Preventive | |
Design resource-isolation mechanisms into the infrastructure of Software as a Service. CC ID 12348 | Systems design, build, and implementation | Preventive | |
Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 | Systems design, build, and implementation | Preventive | |
Evaluate the criticality and sensitivity of information being accessed when designing systems. CC ID 07076 | Systems design, build, and implementation | Preventive | |
Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems design, build, and implementation | Preventive | |
Formally approve the initiation of each project phase. CC ID 00997 | Systems design, build, and implementation | Detective | |
Identify accreditation tasks. CC ID 00999 | Systems design, build, and implementation | Detective | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Preventive | |
Develop new products based on secure coding techniques. CC ID 11733 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Preventive | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Preventive | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Preventive | |
Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Preventive | |
Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Corrective | |
Evaluate system development projects for compliance with the system requirements specifications. CC ID 06903 | Systems design, build, and implementation | Preventive | |
Evaluate each system development project to verify it remains feasible. CC ID 06904 | Systems design, build, and implementation | Preventive | |
Cancel or suspend system development projects if the benefits do not outweigh the disadvantages. CC ID 06905 | Systems design, build, and implementation | Preventive | |
Control the test data used in the development environment. CC ID 12013 | Systems design, build, and implementation | Preventive | |
Select the test data carefully. CC ID 12011 | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
Control products that do not conform to the system acceptance criteria. CC ID 06212 | Systems design, build, and implementation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 | Monitoring and measurement | Detective | |
Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 | Monitoring and measurement | Preventive | |
Implement honeyclients to proactively seek out malicious websites and malicious code. CC ID 10658 | Monitoring and measurement | Preventive | |
Implement detonation chambers, where appropriate. CC ID 10670 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Preventive | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Corrective | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Detective | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Preventive | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Preventive | |
Conduct Red Team exercises, as necessary. CC ID 12131 [Based on the security threats observed and the changes made, testing should be performed to incorporate scenarios of relevant and known potential attacks. 3.4.6 48] | Monitoring and measurement | Detective | |
Test security systems and associated security procedures, as necessary. CC ID 11901 | Monitoring and measurement | Detective | |
Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Detective | |
Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Detective | |
Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Detective | |
Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Detective | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Detective | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Detective | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Preventive | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Detective | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Corrective | |
Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 [{be commensurate with} The information security testing framework should ensure that tests: include vulnerability scans and penetration tests (including threat-led penetration testing where necessary and appropriate) commensurate to the level of risk identified with the business processes and systems. 3.4.6 43(b)] | Monitoring and measurement | Preventive | |
Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Detective | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 [A financial institution should appropriately monitor and mitigate risks deriving from their portfolio of ICT projects (programme management), considering also risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/or expertise. 3.6.1 62] | Monitoring and measurement | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
Restrict access to audit trails to a need-to-know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Audits and risk management | Preventive | |
Control access rights to organizational assets. CC ID 00004 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a)] | Technical security | Preventive | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a) Electronic access by applications to data and ICT systems should be limited to a minimum required to provide the relevant service. 3.4.2 32] | Technical security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
Control user privileges. CC ID 11665 [Access management: access rights should be granted, withdrawn or modified in a timely manner, according to predefined approval workflows that involve the business owner of the information being accessed (information asset owner). In the case of termination of employment, access rights should be promptly withdrawn. 3.4.2 31(e)] | Technical security | Preventive | |
Review all user privileges, as necessary. CC ID 06784 [Access recertification: access rights should be periodically reviewed to ensure that users do not possess excessive privileges and that access rights are withdrawn when no longer required. 3.4.2 31(f)] | Technical security | Preventive | |
Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Preventive | |
Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Corrective | |
Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
Require proper authentication for user identifiers. CC ID 11785 [Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, information or the process being accessed. This should, at a minimum, include complex passwords or stronger authentication methods (such as two-factor authentication), based on relevant risk. 3.4.2 31(g)] | Technical security | Preventive | |
Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Preventive | |
Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Preventive | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Preventive | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Preventive | |
Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Preventive | |
Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
Implement segregation of duties. CC ID 11843 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a)] | Technical security | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Technical security | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Preventive | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Preventive | |
Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Preventive | |
Control all methods of remote access and teleworking. CC ID 00559 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical security | Preventive | |
Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical security | Preventive | |
Control remote access through a network access control. CC ID 01421 | Technical security | Preventive | |
Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical security | Preventive | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical security | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{data-in-transit} Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: encryption of data at rest and in transit (in accordance with the data classification). 3.4.4 36(f)] | Technical security | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Preventive | |
Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Preventive | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Preventive | |
Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Preventive | |
Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Preventive | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Access management: access rights should be granted, withdrawn or modified in a timely manner, according to predefined approval workflows that involve the business owner of the information being accessed (information asset owner). In the case of termination of employment, access rights should be promptly withdrawn. 3.4.2 31(e)] | Human Resources management | Corrective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
Patch software. CC ID 11825 | Operational management | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Detective | |
Use the latest approved version of all assets. CC ID 00897 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{data-in-transit} Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: encryption of data at rest and in transit (in accordance with the data classification). 3.4.4 36(f)] | Records management | Preventive | |
Compile databases to protect their structural intellectual property. CC ID 07044 | Systems design, build, and implementation | Preventive | |
Include performance criteria in the system requirements specification. CC ID 11540 | Systems design, build, and implementation | Preventive | |
Include accommodating increases in capacity in the system requirements specification. CC ID 11562 | Systems design, build, and implementation | Preventive | |
Include product upgrade methodologies in the system requirements specification. CC ID 11563 | Systems design, build, and implementation | Preventive | |
Include the ability of products to verify their own quality in the system requirements specification. CC ID 11564 | Systems design, build, and implementation | Preventive | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Preventive | |
Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Preventive | |
Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Systems design, build, and implementation | Preventive | |
Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Preventive | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Preventive | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Preventive | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Preventive | |
Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Preventive | |
Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Preventive | |
Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Preventive | |
Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Preventive | |
Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Preventive | |
Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Preventive | |
Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Preventive | |
Protect test data in the development environment. CC ID 12014 | Systems design, build, and implementation | Preventive | |
Integrate additional security controls for newly implemented systems into interconnected systems, as necessary. CC ID 06272 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [Where, in accordance with Article 68(1) of Directive (EU) 2015/2366, a PSP has agreed with the payer spending limits for payment transactions executed through specific payment instruments, the PSP should provide the payer with the option to adjust these limits up to the maximum agreed limit. 3.8 95 {payment service user} Where product functionality permits, PSPs should allow PSUs to disable specific payment functionalities related to the payment services offered by the PSP to the PSU. 3.8 94] | Acquisition or sale of facilities, technology, and services | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term | | | |
Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Leadership and high level objectives | Detective | |
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
Assess customer satisfaction. CC ID 00652 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Preventive | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Detective | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 | Monitoring and measurement | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Monitoring and measurement | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Monitoring and measurement | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Preventive | |
Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Detective | |
Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Detective | |
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Detective | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 | Monitoring and measurement | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Detective | |
Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Detective | |
Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Detective | |
Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Detective | |
Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Detective | |
Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Detective | |
Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Detective | |
Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Detective | |
Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Detective | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Detective | |
Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Detective | |
Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Detective | |
Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Detective | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Detective | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Detective | |
Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Detective | |
Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Detective | |
Document and maintain test results. CC ID 17028 | Monitoring and measurement | Preventive | |
Report audit findings to interested personnel and affected parties. CC ID 01152 [Financial institutions should report risk assessment results to the management body in a clear and timely manner. Such reporting is without prejudice to the obligation of PSPs to provide competent authorities with an updated and comprehensive risk assessment, as laid down in Article 95(2) of Directive (EU) 2015/2366. 3.3.5 24] | Audits and risk management | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22] | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26] | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [{risk mitigation activity} Without prejudice to the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and Article 19 of PSD2, financial institutions should ensure the effectiveness of the risk-mitigating measures as defined by their risk management framework, including the measures set out in these guidelines, when operational functions of payment services and/or ICT services and ICT systems of any activity are outsourced, including to group entities, or when using third parties. 3.2.3 7 {ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Audits and risk management | Detective | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Detective | |
Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Technical security | Detective | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Detective | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Detective | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Operational and Systems Continuity | Detective | |
Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Operational and Systems Continuity | Detective | |
Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Operational and Systems Continuity | Detective | |
Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Detective | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Operational and Systems Continuity | Detective | |
Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Detective | |
Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Detective | |
Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Corrective | |
Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 [{periodic testing} Financial institutions should test their BCPs periodically. In particular, they should ensure that the BCPs of their critical business functions, supporting processes, information assets and their interdependencies (including those provided by third parties, where applicable) are tested at least annually, in accordance with paragraph 89. 3.7.4 87] | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{ability} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: 3.7.4 89] | Operational and Systems Continuity | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include procedures to verify the ability of their staff and contractors, ICT systems and ICT services to respond adequately to the scenarios defined in paragraph 89(a). 3.7.4 89(c)] | Operational and Systems Continuity | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [{switch} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs (as well as testing of services provided by third parties, where applicable); this should include the switch-over of critical business functions, supporting processes and information assets to the disaster recovery environment and demonstrating that they can be run in this way for a sufficiently representative period of time and that normal functioning can be restored afterwards; 3.7.4 89(a)] | Operational and Systems Continuity | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Operational and Systems Continuity | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Detective | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 | Operational and Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [{switch} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs (as well as testing of services provided by third parties, where applicable); this should include the switch-over of critical business functions, supporting processes and information assets to the disaster recovery environment and demonstrating that they can be run in this way for a sufficiently representative period of time and that normal functioning can be restored afterwards; 3.7.4 89(a)] | Operational and Systems Continuity | Detective | |
Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 | Operational and Systems Continuity | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [A financial institution should ensure that all areas impacted by an ICT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. 3.6.1 65] | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Assign and staff all roles appropriately. CC ID 00784 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3 A financial institution should ensure that all areas impacted by an ICT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. 3.6.1 65] | Human Resources management | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 The ICT project management policy should ensure that information security requirements are analysed and approved by a function that is independent from the development function. 3.6.1 64] | Human Resources management | Detective | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Detective | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Detective | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Detective | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Corrective | |
Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
Test proposed changes prior to their approval. CC ID 00548 | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 [Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial institutions' formal change management process, which should ensure that changes are properly planned, tested, documented, authorised and deployed. 3.4.4 37 Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change management process. 3.6.3 76] | Operational management | Preventive | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Detective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
Review changes to computer firmware. CC ID 12226 | Operational management | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Detective | |
Compare system design requirements against system design requests. CC ID 06619 | Systems design, build, and implementation | Detective | |
Determine if commercial off the shelf products meet the system design requirements. CC ID 06926 | Systems design, build, and implementation | Detective | |
Perform a risk assessment for each system development project. CC ID 01000 | Systems design, build, and implementation | Detective | |
Conduct a post implementation review when the system design project ends. CC ID 01003 | Systems design, build, and implementation | Detective | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Detective | |
Restrict production data from being used in the test environment. CC ID 01103 [{development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Systems design, build, and implementation | Detective | |
Test all software changes before promoting the system to a production environment. CC ID 01106 | Systems design, build, and implementation | Detective | |
Test security functionality during the development process. CC ID 12015 | Systems design, build, and implementation | Preventive | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Systems design, build, and implementation | Detective | |
Review and test source code. CC ID 01086 | Systems design, build, and implementation | Detective | |
Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Systems design, build, and implementation | Corrective | |
Approve all custom code test results before code is released. CC ID 06293 | Systems design, build, and implementation | Detective | |
Test quality control procedures for proper implementation. CC ID 06610 | Systems design, build, and implementation | Detective | |
Perform a final system test prior to implementing a new system. CC ID 01108 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Detective | |
Conduct a final security audit prior to implementing a new system. CC ID 06833 | Systems design, build, and implementation | Detective | |
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Acquisition or sale of facilities, technology, and services | Detective | |
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Acquisition or sale of facilities, technology, and services | Detective | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Detective | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include updates on emerging issues in the security awareness program. CC ID 13184 [{payment service user}{in light of} The assistance and guidance offered to PSUs should be updated in the light of new threats and vulnerabilities, and changes should be communicated to the PSU. 3.8 93] | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 [{payment service user}{in light of} The assistance and guidance offered to PSUs should be updated in the light of new threats and vulnerabilities, and changes should be communicated to the PSU. 3.8 93] | Leadership and high level objectives | Communicate | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Business Processes | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Establish/Maintain Documentation | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Communicate | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Investigate | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Technical Security | |
Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 | Monitoring and measurement | Establish/Maintain Documentation | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Technical Security | |
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Configuration | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Technical Security | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Technical Security | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Technical Security | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Establish/Maintain Documentation | |
Correct or mitigate vulnerabilities. CC ID 12497 [A financial institution should appropriately monitor and mitigate risks deriving from their portfolio of ICT projects (programme management), considering also risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/or expertise. 3.6.1 62] | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Behavior | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Human Resources Management | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [A formal follow-up process including provisions for the timely verification and remediation of critical ICT audit findings should be established. 3.3.6 27] | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [{ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Audits and risk management | Establish/Maintain Documentation | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Establish/Maintain Documentation | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Behavior | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Behavior | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Technical Security | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Configuration | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Communicate | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Physical and Environmental Protection | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Physical and Environmental Protection | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Systems Continuity | |
Report changes in the continuity plan to senior management. CC ID 12757 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Communicate | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Systems Continuity | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Systems Continuity | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Configuration | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Process or Activity | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Physical and Environmental Protection | |
Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Testing | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Communicate | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Access management: access rights should be granted, withdrawn or modified in a timely manner, according to predefined approval workflows that involve the business owner of the information being accessed (information asset owner). In the case of termination of employment, access rights should be promptly withdrawn. 3.4.2 31(e)] | Human Resources management | Technical Security | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: collaborate with relevant stakeholders to effectively respond to and recover from the incident; 3.5.1 60(f)(i)] | Operational management | Process or Activity | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Testing | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
Share incident information with interested personnel and affected parties. CC ID 01212 [the management body is informed on an ad hoc basis in the event of significant incidents and, at least, informed of the impact, the response and the additional controls to be defined as a result of the incidents. 3.5.1 60(d)(ii) To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: provide timely information to external parties (e.g. customers, other market participants, the supervisory authority) as appropriate and in line with an applicable regulation. 3.5.1 60(f)(ii)] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 [{payment service user} PSPs should provide PSUs with the option to receive alerts on initiated and/or failed attempts to initiate payment transactions, enabling them to detect fraudulent or malicious use of their accounts. 3.8 96] | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
Provide and display incident management contact information to customers. CC ID 06386 [{payment service user} PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. 3.8 98] | Operational management | Establish/Maintain Documentation | |
Investigate and take action regarding help desk queries. CC ID 06324 | Operational management | Behavior | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
Review and approve the Information Technology budget. CC ID 13644 | Operational management | Business Processes | |
Update the Information Technology budget, as necessary. CC ID 13643 | Operational management | Business Processes | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Establish/Maintain Documentation | |
Deploy software patches in accordance with organizational standards. CC ID 07032 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Operational management | Configuration | |
Patch software. CC ID 11825 | Operational management | Technical Security | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Configuration | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Configuration | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Business Processes | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Establish/Maintain Documentation | |
Document approved configuration deviations. CC ID 08711 | Operational management | Establish/Maintain Documentation | |
Resolve conflicting design and development inputs. CC ID 13703 | Systems design, build, and implementation | Process or Activity | |
Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Systems design, build, and implementation | Testing | |
Correct defective acquired goods or services. CC ID 06911 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Business Processes | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Leadership and high level objectives | Testing | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Establish Roles | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 [The establishment and progress of ICT projects and their associated risks should be reported to the management body, individually or in aggregation, depending on the importance and size of the ICT projects, regularly and on an ad hoc basis as appropriate. Financial institutions should include project risk in their risk management framework. 3.6.1 66] | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 [Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [{performance plan} Financial institutions should implement performance and capacity planning and monitoring processes to prevent, detect and respond to important performance issues of ICT systems and ICT capacity shortages in a timely manner. 3.5 56] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 | Monitoring and measurement | Behavior | |
Monitor systems for errors and faults. CC ID 04544 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Financial institutions should implement logging and monitoring procedures for critical ICT operations to allow the detection, analysis and correction of errors. 3.5 52] | Monitoring and measurement | Log Management | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Actionable Reports or Measurements | |
Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 | Monitoring and measurement | Technical Security | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31 Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38 Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: transactions to detect misuse of access by third parties or other entities and internal misuse of access; 3.4.5 38(b)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Human Resources Management | |
Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Log Management | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Monitoring and measurement | Log Management | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Monitoring and measurement | Log Management | |
Analyze firewall logs for the correct capturing of data. CC ID 00549 | Monitoring and measurement | Log Management | |
Monitor and evaluate system performance. CC ID 00651 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Investigate | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Investigate | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Investigate | |
Assess customer satisfaction. CC ID 00652 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Technical Security | |
Monitor and evaluate user account activity. CC ID 07066 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Log Management | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Communicate | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Log Management | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Testing | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Testing | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Conduct Red Team exercises, as necessary. CC ID 12131 [Based on the security threats observed and the changes made, testing should be performed to incorporate scenarios of relevant and known potential attacks. 3.4.6 48] | Monitoring and measurement | Technical Security | |
Test security systems and associated security procedures, as necessary. CC ID 11901 | Monitoring and measurement | Technical Security | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Testing | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Process or Activity | |
Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Testing | |
Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Testing | |
Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Technical Security | |
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Testing | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Technical Security | |
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Establish/Maintain Documentation | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
Perform penetration tests, as necessary. CC ID 00655 | Monitoring and measurement | Testing | |
Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Technical Security | |
Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Technical Security | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Testing | |
Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Testing | |
Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Testing | |
Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Testing | |
Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Testing | |
Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Testing | |
Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Testing | |
Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Testing | |
Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Testing | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Testing | |
Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Testing | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Technical Security | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Technical Security | |
Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Audits and Risk Management | |
Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Testing | |
Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Testing | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Technical Security | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Testing | |
Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
Identify and document security vulnerabilities. CC ID 11857 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Monitoring and measurement | Technical Security | |
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Testing | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Technical Security | |
Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Testing | |
Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Testing | |
Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Testing | |
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Configuration | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Financial institutions should monitor and seek assurance on the level of compliance of these providers with the security objectives, measures and performance targets of the financial institution. 3.2.3 9] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [The ICT and security risk management framework should include processes in place to: report to the management body on the ICT and security risks and controls; 3.3.1 13(e)] | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. 3.4.6 46] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report audit findings to interested personnel and affected parties. CC ID 01152 [Financial institutions should report risk assessment results to the management body in a clear and timely manner. Such reporting is without prejudice to the obligation of PSPs to provide competent authorities with an updated and comprehensive risk assessment, as laid down in Article 95(2) of Directive (EU) 2015/2366. 3.3.5 24] | Audits and risk management | Testing | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22] | Audits and risk management | Testing | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. 3.4.6 46] | Audits and risk management | Audits and Risk Management | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Audits and Risk Management | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Testing | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26 {Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26] | Audits and risk management | Testing | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Audits and risk management | Establish/Maintain Documentation | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [Financial institutions should perform a variety of information security reviews, assessments and testing to ensure the effective identification of vulnerabilities in their ICT systems and ICT services. For instance, financial institutions may perform gap analysis against information security standards, compliance reviews, internal and external audits of the information systems, or physical security reviews. Furthermore, the institution should consider good practices such as source code reviews, vulnerability assessments, penetration tests and red team exercises. 3.4.6 41] | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Process or Activity | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{supporting activity} To define the criticality of these identified business functions, supporting processes and information assets, financial institutions should, at a minimum, consider the confidentiality, integrity and availability requirements. There should be clearly assigned accountability and responsibility for the information assets. 3.3.3 18] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 [{risk mitigation activity} Without prejudice to the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and Article 19 of PSD2, financial institutions should ensure the effectiveness of the risk-mitigating measures as defined by their risk management framework, including the measures set out in these guidelines, when operational functions of payment services and/or ICT services and ICT systems of any activity are outsourced, including to group entities, or when using third parties. 3.2.3 7 {ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Audits and risk management | Testing | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Testing | |
Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Technical security | Testing | |
Monitor and evaluate all remote access usage. CC ID 00563 | Technical security | Monitor and Evaluate Occurrences | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Audits and Risk Management | |
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect device surfaces to detect tampering. CC ID 11868 | Physical and environmental protection | Investigate | |
Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Physical and environmental protection | Investigate | |
Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Physical and Environmental Protection | |
Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Testing | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Log Management | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Physical and Environmental Protection | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Data and Information Management | |
Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Investigate | |
Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Physical and Environmental Protection | |
Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Physical and Environmental Protection | |
Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Physical and Environmental Protection | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Testing | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Investigate | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Investigate | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Testing | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Systems Continuity | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Operational and Systems Continuity | Systems Continuity | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Testing | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Systems Continuity | |
Define and prioritize critical business functions. CC ID 00736 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all critical business records. CC ID 00737 | Operational and Systems Continuity | Records Management | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Operational and Systems Continuity | Testing | |
Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Operational and Systems Continuity | Testing | |
Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Operational and Systems Continuity | Testing | |
Designate an alternate facility in the continuity plan. CC ID 00742 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine which data elements to back up. CC ID 13483 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Data and Information Management | |
Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Testing | |
Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Systems Continuity | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Operational and Systems Continuity | Testing | |
Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Testing | |
Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Testing | |
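The backup controls above (define what to back up, test the media, test each restored system for media integrity and information integrity) are easier to operationalise with a manifest that is recorded at backup time and checked at restore time. The following is an added example, not code from the EBA guidelines or the UCF report: it hashes a constructed file tree with SHA-256, "restores" it into a fresh directory, optionally flips one byte to simulate media corruption, and reports missing, corrupted and unexpected files. File names, contents and the in-memory "backup image" are all constructed for the demonstration; a real run would point the same checks at the output of the organisation's backup tooling.

```python
"""Added example (not from the EBA guidelines or the UCF report): build a
SHA-256 manifest when a backup is taken, then verify media integrity and
information integrity after a restore. All paths and contents are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample data standing in for the files of a critical system.
SAMPLE_FILES: Dict[str, bytes] = {
    "ledger/2024-01.csv": b"acct,amount\n1001,250.00\n1002,-75.10\n",
    "config/app.yaml": b"db_host: db.internal\nretention_days: 90\n",
    "keys/README": b"no key material is stored here\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Materialise a {relative path: bytes} mapping under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def build_manifest(root: str) -> Dict[str, str]:
    """Hash every regular file under root. The manifest is stored apart from
    the backup media so that a corrupted copy cannot vouch for itself."""
    manifest: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = sha256_hex(fh.read())
    return manifest


def verify_restore(restored_root: str, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Information integrity check: every manifest entry exists with the
    expected digest and no extra files appeared. Returns (ok, findings)."""
    findings: List[str] = []
    seen = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in seen:
            findings.append(f"missing: {rel}")
        elif seen[rel] != digest:
            findings.append(f"corrupted: {rel}")
    for rel in seen:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return (not findings, findings)


def run_backup_restore_test(corrupt: bool = False) -> Tuple[bool, List[str]]:
    """End-to-end exercise: back up (copy + manifest), restore into a clean
    tree, optionally simulate bit-rot on the media, then verify."""
    with tempfile.TemporaryDirectory() as work:
        primary = os.path.join(work, "primary")
        restored = os.path.join(work, "restored")
        write_tree(primary, SAMPLE_FILES)
        manifest = build_manifest(primary)
        # The "backup image" is the bytes captured at backup time.
        backup_image = {rel: SAMPLE_FILES[rel] for rel in manifest}
        if corrupt:
            # Simulated media fault: one byte changed in the ledger file.
            data = bytearray(backup_image["ledger/2024-01.csv"])
            data[-2] ^= 0x01
            backup_image["ledger/2024-01.csv"] = bytes(data)
        write_tree(restored, backup_image)
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("clean restore:", run_backup_restore_test())
    print("corrupted media:", run_backup_restore_test(corrupt=True))
```

The check deliberately rebuilds the digests from the restored tree rather than trusting any checksum file that travelled on the same media, and it runs identically at the primary site and at the alternate facility, which is what the "test at the alternate facility" control asks for.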
Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Operational and Systems Continuity | Testing | |
Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Operational and Systems Continuity | Business Processes | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Business Processes | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [{ability} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: 3.7.4 89] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [{switch} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs (as well as testing of services provided by third parties, where applicable); this should include the switch-over of critical business functions, supporting processes and information assets to the disaster recovery environment and demonstrating that they can be run in this way for a sufficiently representative period of time and that normal functioning can be restored afterwards; 3.7.4 89(a)] | Operational and Systems Continuity | Testing | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Testing | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Testing | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Testing | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [{switch} Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs (as well as testing of services provided by third parties, where applicable); this should include the switch-over of critical business functions, supporting processes and information assets to the disaster recovery environment and demonstrating that they can be run in this way for a sufficiently representative period of time and that normal functioning can be restored afterwards; 3.7.4 89(a)] | Operational and Systems Continuity | Testing | |
Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 | Operational and Systems Continuity | Testing | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [A financial institution should ensure that all areas impacted by an ICT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. 3.6.1 65] | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Assign and staff all roles appropriately. CC ID 00784 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3 A financial institution should ensure that all areas impacted by an ICT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. 3.6.1 65] | Human Resources management | Testing | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 The ICT project management policy should ensure that information security requirements are analysed and approved by a function that is independent from the development function. 3.6.1 64] | Human Resources management | Testing | |
Document the organization's business processes. CC ID 13035 [Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50] | Operational management | Establish/Maintain Documentation | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Communicate | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Behavior | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
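Using DHCP server logs to find devices missing from the asset inventory means correlating every granted lease against the inventory's MAC addresses. The block below is an added example, not part of the EBA guidelines or the UCF report: it parses constructed ISC dhcpd-style syslog lines, keeps only DHCPACK events (a DHCPREQUEST alone does not prove the device obtained an address), normalises MAC case, and reports every MAC not present in a constructed inventory export, with the addresses and hostnames it used. The log lines, hostnames, MACs and inventory are all constructed.

```python
"""Added example (not from the EBA guidelines or the UCF report): reconcile
DHCP lease grants against an asset inventory to surface unknown devices."""
import re
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed syslog lines in ISC dhcpd format; no real hosts or MACs.
SAMPLE_DHCP_LOG = """\
Mar  4 08:12:01 dhcp1 dhcpd[2210]: DHCPACK on 10.20.5.31 to 3c:52:82:aa:01:10 (ws-finance-07) via eth0
Mar  4 08:12:07 dhcp1 dhcpd[2210]: DHCPREQUEST for 10.20.5.31 from 3c:52:82:aa:01:10 (ws-finance-07) via eth0
Mar  4 08:15:44 dhcp1 dhcpd[2210]: DHCPACK on 10.20.5.88 to b8:27:eb:44:9c:02 (raspberrypi) via eth0
Mar  4 09:01:13 dhcp1 dhcpd[2210]: DHCPACK on 10.20.5.31 to 3C:52:82:AA:01:10 (ws-finance-07) via eth0
Mar  4 09:30:52 dhcp1 dhcpd[2210]: DHCPACK on 10.20.5.90 to 00:1a:2b:3c:4d:5e via eth0
"""

# Constructed inventory export: MAC address -> asset tag.
INVENTORY: Dict[str, str] = {
    "3c:52:82:aa:01:10": "FIN-WS-007",
}

# DHCPACK lines: the hostname in parentheses is optional because clients
# are not required to send one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class UnknownDevice:
    mac: str
    first_seen: str
    ips: Set[str] = field(default_factory=set)
    hostnames: Set[str] = field(default_factory=set)
    leases: int = 0


def normalize_mac(mac: str) -> str:
    # dhcpd logs whatever case the client sent; the inventory is lower-case.
    return mac.lower()


def find_unknown_devices(log_text: str, inventory: Dict[str, str]) -> Dict[str, UnknownDevice]:
    """Return {mac: UnknownDevice} for every DHCPACK whose MAC is not inventoried."""
    known = {normalize_mac(m) for m in inventory}
    unknown: Dict[str, UnknownDevice] = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/REQUEST/NAK lines do not prove an address was granted
        mac = normalize_mac(m.group("mac"))
        if mac in known:
            continue
        timestamp = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
        dev = unknown.setdefault(mac, UnknownDevice(mac=mac, first_seen=timestamp))
        dev.ips.add(m.group("ip"))
        if m.group("host"):
            dev.hostnames.add(m.group("host"))
        dev.leases += 1
    return unknown


if __name__ == "__main__":
    for dev in find_unknown_devices(SAMPLE_DHCP_LOG, INVENTORY).values():
        print(f"{dev.mac} first seen {dev.first_seen}: ips={sorted(dev.ips)} "
              f"hostnames={sorted(dev.hostnames)} leases={dev.leases}")
```

Treat a hit as a lead for the inventory owner, not proof of a rogue host: a MAC can be spoofed, and a device with a static address never appears in DHCP logs at all, so this check complements switch port, ARP and NAC data rather than replacing them.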
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Testing | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Physical and Environmental Protection | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Testing | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Testing | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Testing | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Process or Activity | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 | Operational management | Process or Activity | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Process or Activity | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
Respond to and triage when an incident is detected. CC ID 06942 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Operational management | Monitor and Evaluate Occurrences | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Process or Activity | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
Confirm the customer agrees with the resolution process associated with the complaint. CC ID 13630 | Operational management | Communicate | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {be operational}{be secure} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: incident response procedures to mitigate the impacts related to the incidents and to ensure that the service becomes operational and secure in a timely manner; 3.5.1 60(e)] | Operational management | Establish/Maintain Documentation | |
Use proactive performance management. CC ID 00937 [Financial institutions should ensure that performance of their ICT operations is aligned to their business requirements. Financial institutions should maintain and improve, when possible, efficiency of their ICT operations, including but not limited to the need to consider how to minimise potential errors arising from the execution of manual tasks. 3.5 51] | Operational management | Business Processes | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Business Processes | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3] | Operational management | Establish/Maintain Documentation | |
Test proposed changes prior to their approval. CC ID 00548 | Operational management | Testing | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Business Processes | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Testing | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
Review changes to computer firmware. CC ID 12226 | Operational management | Testing | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Testing | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Technical Security | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Establish/Maintain Documentation | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Testing | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Testing | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Configuration | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | System hardening through configuration management | Log Management | |
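Paragraph 31(d) asks for two things that are worth showing together: privileged-user activity must be logged and monitored, and the access logs must be protected against unauthorised modification or deletion so they can later support investigation of anomalous activity. The block below is an added example, not code from the EBA guidelines or the UCF report. It parses constructed sudo entries in the default auth.log format, flags commands a reviewer would want to look at (an interactive root shell, deletion under /var/log), and then stores the records in a SHA-256 hash chain so that editing any earlier entry invalidates every later one; an externally held head hash additionally exposes truncation. The log lines, user names and watch-list patterns are constructed for the demonstration.

```python
"""Added example (not from the EBA guidelines or the UCF report): extract
privileged (sudo) actions from auth.log, flag ones worth review, and keep
them in a tamper-evident hash chain."""
import hashlib
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed auth.log excerpt in sudo's default log format.
SAMPLE_AUTH_LOG = """\
Mar  4 09:02:11 app1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart payments
Mar  4 09:02:12 app1 sudo: pam_unix(sudo:session): session opened for user root by jdoe(uid=0)
Mar  4 09:05:40 app1 sudo:     asmith : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/rm -f /var/log/auth.log.1
Mar  4 09:07:03 app1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=postgres ; COMMAND=/usr/bin/psql -c select count(*) from accounts
Mar  4 09:09:19 app1 sudo:     asmith : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed watch-list: hits are queued for human review, not auto-blocked.
SUSPICIOUS = (
    re.compile(r"/bin/(ba)?sh$"),               # interactive root shell
    re.compile(r"/rm .*(/var/log|auth\.log)"),  # deleting access logs
)


def parse_privileged_actions(log_text: str) -> List[Dict[str, str]]:
    """Keep only the sudo command lines; session open/close noise is dropped."""
    return [m.groupdict() for m in map(SUDO_RE.match, log_text.splitlines()) if m]


def flag_suspicious(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if any(p.search(r["cmd"]) for p in SUSPICIOUS)]


def _canonical(record: Dict[str, str]) -> bytes:
    # Deterministic encoding so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records: List[Dict[str, str]], seed: str = "genesis") -> List[Dict]:
    """Each entry's hash covers the previous hash plus the record, so a change
    to any stored entry breaks every hash that follows it."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain: List[Dict] = []
    for r in records:
        h = hashlib.sha256(prev.encode() + _canonical(r)).hexdigest()
        chain.append({"record": r, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: List[Dict], seed: str = "genesis",
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index of the first bad entry, or -1). expected_head is the
    latest hash as recorded off-host (e.g. by the SIEM); without it, deleting
    the newest entries would go unnoticed."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, entry in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + _canonical(entry["record"])).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # chain verifies but is shorter than expected
    return True, -1


if __name__ == "__main__":
    recs = parse_privileged_actions(SAMPLE_AUTH_LOG)
    for r in flag_suspicious(recs):
        print(f"REVIEW {r['ts']} {r['user']} as {r['target']}: {r['cmd']}")
    chain = chain_records(recs)
    print("chain intact:", verify_chain(chain, expected_head=chain[-1]["hash"]))
```

The hash chain is only as trustworthy as the place the head hash is kept: ship the records and the current head to a system the privileged users cannot write to, and retain both for the period the institution derives from the criticality of the affected business functions.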
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Compare system design requirements against system design requests. CC ID 06619 | Systems design, build, and implementation | Testing | |
Determine if commercial off the shelf products meet the system design requirements. CC ID 06926 | Systems design, build, and implementation | Testing | |
Review the degree of human intervention and control points in the system design requirements. CC ID 13536 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Formally approve the initiation of each project phase. CC ID 00997 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Perform a risk assessment for each system development project. CC ID 01000 | Systems design, build, and implementation | Testing | |
Identify accreditation tasks. CC ID 00999 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Conduct a post implementation review when the system design project ends. CC ID 01003 | Systems design, build, and implementation | Testing | |
Disseminate and communicate continuously and routinely regarding system development project requirements. CC ID 06899 | Systems design, build, and implementation | Behavior | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Testing | |
Restrict production data from being used in the test environment. CC ID 01103 [{development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Systems design, build, and implementation | Testing | |
Test all software changes before promoting the system to a production environment. CC ID 01106 | Systems design, build, and implementation | Testing | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Systems design, build, and implementation | Testing | |
Review and test source code. CC ID 01086 | Systems design, build, and implementation | Testing | |
Approve all custom code test results before code is released. CC ID 06293 | Systems design, build, and implementation | Testing | |
Test quality control procedures for proper implementation. CC ID 06610 | Systems design, build, and implementation | Testing | |
Perform a final system test prior to implementing a new system. CC ID 01108 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Testing | |
Conduct a final security audit prior to implementing a new system. CC ID 06833 | Systems design, build, and implementation | Testing | |
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Acquisition or sale of facilities, technology, and services | Testing | |
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Acquisition or sale of facilities, technology, and services | Testing | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Testing | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Testing |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

COMMON CONTROL / CITATION | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

COMMON CONTROL / CITATION | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Communicate | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain warning procedures. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Business Processes | |
Include technology in the analysis of the external environment. CC ID 12837 [Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [Financial institutions should identify, establish and maintain updated mapping of their business functions, roles and supporting processes to identify the importance of each and their interdependencies related to ICT and security risks. 3.3.2 15] | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 [The security monitoring process should also help a financial institution to understand the nature of operational or security incidents, to identify trends and to support the organisation's investigations. 3.4.5 40] | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles | |
Address Information Security during the business planning processes. CC ID 06495 [Financial institutions should ensure that performance of their ICT operations is aligned to their business requirements. Financial institutions should maintain and improve, when possible, efficiency of their ICT operations, including but not limited to the need to consider how to minimise potential errors arising from the execution of manual tasks. 3.5 51] | Leadership and high level objectives | Data and Information Management | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: the planned strategy and evolution of the architecture of ICT, including third party dependencies; 3.2.2 5(b) Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6 {organizational structure} The ICT strategy should be aligned with financial institutions' overall business strategy and should define: how financial institutions' ICT should evolve to effectively support and participate in their business strategy, including the evolution of the organisational structure, ICT system changes and key dependencies with third parties; 3.2.2 5(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Establish/Maintain Documentation | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Human Resources Management | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Establish/Maintain Documentation | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: 3.2.2 5] | Leadership and high level objectives | Business Processes | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 | Leadership and high level objectives | Establish/Maintain Documentation | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Actionable Reports or Measurements | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Establish/Maintain Documentation | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Business Processes | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: project objectives; 3.6.1 63(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Human Resources Management | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: key milestones; 3.6.1 63(e)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 [Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be periodically reviewed to ensure their relevance and appropriateness. Financial institutions should also establish processes to monitor and measure the effectiveness of the implementation of their ICT strategy. 3.2.2 6] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the Strategic Information Technology Plan. CC ID 13094 | Leadership and high level objectives | Human Resources Management | |
Monitor all outbound traffic from all systems. CC ID 12970 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Establish/Maintain Documentation | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Communicate | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 | Monitoring and measurement | Log Management | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Process or Activity | |
Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Configuration | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Establish/Maintain Documentation | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 | Monitoring and measurement | Configuration | |
Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 | Monitoring and measurement | Behavior | |
Do not intercept communications of any kind when providing a service to clients. CC ID 09985 | Monitoring and measurement | Behavior | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Audits and Risk Management | |
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Monitoring and measurement | Audits and Risk Management | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 | Monitoring and measurement | Technical Security | |
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 | Monitoring and measurement | Technical Security | |
Implement detonation chambers, where appropriate. CC ID 10670 | Monitoring and measurement | Technical Security | |
Define and assign log management roles and responsibilities. CC ID 06311 | Monitoring and measurement | Establish Roles | |
Document and communicate the log locations to the owning entity. CC ID 12047 | Monitoring and measurement | Log Management | |
Make logs available for review by the owning entity. CC ID 12046 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Monitoring and measurement | Log Management | |
Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Audits and Risk Management | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Technical Security | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
Document the event information to be logged in the event information log specification. CC ID 00639 | Monitoring and measurement | Configuration | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Configuration | |
Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 | Monitoring and measurement | Configuration | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 | Monitoring and measurement | Configuration | |
Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Configuration | |
Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Communicate | |
Define the frequency to capture and log events. CC ID 06313 | Monitoring and measurement | Log Management | |
Include logging frequencies in the event logging procedures. CC ID 00642 | Monitoring and measurement | Log Management | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Monitoring and measurement | Communicate | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Technical Security | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Establish/Maintain Documentation | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Process or Activity | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [{be relevant}{supporting activity} Financial institutions should ensure that they continuously monitor threats and vulnerabilities relevant to their business processes, supporting functions and information assets and should regularly review the risk scenarios impacting them. 3.3.3 21 {internal threat} Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: potential internal and external threats. 3.4.5 38(c) A financial institution should appropriately monitor and mitigate risks deriving from their portfolio of ICT projects (programme management), considering also risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/or expertise. 3.6.1 62 Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Business Processes | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Testing | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Create specific test plans to test each system component. CC ID 00661 [For PSPs, the testing framework should also encompass the security measures relevant to (1) payment terminals and devices used for the provision of payment services, (2) payment terminals and devices used for authenticating the payment service users (PSU), and (3) devices and software provided by the PSP to the PSU to generate/receive an authentication code. 3.4.6 47] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain a testing program. CC ID 00654 [Financial institutions should establish and implement an information security testing framework that validates the robustness and effectiveness of their information security measures and ensure that this framework considers threats and vulnerabilities, identified through threat monitoring and ICT and security risk assessment process. 3.4.6 42] | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Communicate | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Communicate | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 [The information security testing framework should ensure that tests: are carried out by independent testers with sufficient knowledge, skills and expertise in testing information security measures and who are not involved in the development of the information security measures; 3.4.6 43(a)] | Monitoring and measurement | Human Resources Management | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Testing | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Establish/Maintain Documentation | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Testing | |
Protect systems and data during testing in the production environment. CC ID 17198 | Monitoring and measurement | Testing | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Data and Information Management | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Monitoring and measurement | Testing | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Behavior | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Testing | |
Define the test requirements for each testing program. CC ID 13177 [Financial institutions should ensure that tests of security measures are conducted in the event of changes to infrastructure, processes or procedures and if changes are made because of major operational or security incidents or due to the release of new or significantly changed internet-facing critical applications. 3.4.6 45] | Monitoring and measurement | Establish/Maintain Documentation | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Monitoring and measurement | Testing | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Testing | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Testing | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Communicate | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Testing | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Establish/Maintain Documentation | |
Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Establish/Maintain Documentation | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Configuration | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Establish/Maintain Documentation | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Communicate | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Establish/Maintain Documentation | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Process or Activity | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Process or Activity | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Testing | |
Define the test frequency for each testing program. CC ID 13176 [{ongoing basis} Financial institutions should perform ongoing and repeated tests of the security measures. For all critical ICT systems (paragraph 17), these tests should be performed at least on an annual basis and, for PSPs, they will be part of the comprehensive assessment of the security risks related to the payment services they provide, in accordance with Article 95(2) of PSD2. Non-critical systems should be tested regularly using a risk-based approach, but at least every 3 years. 3.4.6 44] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Behavior | |
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Monitoring and measurement | Communicate | |
Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Establish/Maintain Documentation | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Establish Roles | |
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Testing | |
Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Records Management | |
Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Records Management | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Establish/Maintain Documentation | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Establish/Maintain Documentation | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Establish/Maintain Documentation | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Establish/Maintain Documentation | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Establish/Maintain Documentation | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Testing | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Process or Activity | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Establish Roles | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 [{be commensurate with} The information security testing framework should ensure that tests: include vulnerability scans and penetration tests (including threat-led penetration testing where necessary and appropriate) commensurate to the level of risk identified with the business processes and systems. 3.4.6 43(b)] | Monitoring and measurement | Technical Security | |
Document and maintain test results. CC ID 17028 | Monitoring and measurement | Testing | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Establish/Maintain Documentation | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Business Processes | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Establish/Maintain Documentation | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
Restrict access to audit trails to a need-to-know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Actionable Reports or Measurements | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Establish/Maintain Documentation | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Communicate | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Establish Roles | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial institution and should be updated regularly. 3.3.6 26] | Audits and risk management | Establish Roles | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Establish Roles | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [{independent review} The internal audit function should, following a risk-based approach, have the capacity to independently review and provide objective assurance of the compliance of all ICT and security-related activities and units of a financial institution with the financial institution's policies and procedures and with external requirements, adhering to the requirements of Section 22 of the EBA Guidelines on internal governance (EBA/GL/2017/11). 3.3.1 11 ¶ 2 {Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Process or Activity | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Audits and Risk Management | |
Audit policies, standards, and procedures. CC ID 12927 [{Payment Service Provider} A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to the management body. The auditors should be independent within or from the financial institution. The frequency and focus of such audits should be commensurate with the relevant ICT and security risks. 3.3.6 25] | Audits and risk management | Audits and Risk Management | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk management program. CC ID 12051 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Business Processes | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Business Processes | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Establish/Maintain Documentation | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Audits and risk management | Establish Roles | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The ICT and security risk management framework should include processes in place to: identify and assess the ICT and security risks to which a financial institution is exposed; 3.3.1 13(b)] | Audits and risk management | Establish/Maintain Documentation | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Audits and Risk Management | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{be relevant}{supporting activity} Financial institutions should ensure that they continuously monitor threats and vulnerabilities relevant to their business processes, supporting functions and information assets and should regularly review the risk scenarios impacting them. 3.3.3 21 The ICT and security risk management framework should include processes in place to: identify and assess the ICT and security risks to which a financial institution is exposed; 3.3.1 13(b) {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20 {internal factor} Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: relevant internal and external factors, including business and ICT administrative functions; 3.4.5 38(a)] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Business Processes | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Business Processes | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Business Processes | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Behavior | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [{external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Establish/Maintain Documentation | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date, including the software provided by financial institutions to their internal and external users, by deploying critical security patches or by implementing compensating controls; 3.4.4 36(a)] | Audits and risk management | Technical Security | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [{supporting activity} Financial institutions should classify the identified business functions, supporting processes and information assets referred to in paragraphs 15 and 16 in terms of criticality. 3.3.3 17 Financial institutions should review the adequacy of the classification of the information assets and relevant documentation, when risk assessment is performed. 3.3.3 19] | Audits and risk management | Audits and Risk Management | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Audits and Risk Management | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Establish/Maintain Documentation | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 [The establishment and progress of ICT projects and their associated risks should be reported to the management body, individually or in aggregation, depending on the importance and size of the ICT projects, regularly and on an ad hoc basis as appropriate. Financial institutions should include project risk in their risk management framework. 3.6.1 66 A financial institution should establish and implement an ICT project management policy that includes as a minimum: a project risk assessment; 3.6.1 63(c)] | Audits and risk management | Establish/Maintain Documentation | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Establish/Maintain Documentation | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 [The ICT and security risk management framework should include processes in place to: identify and assess whether there are any ICT and security risks resulting from any major change in ICT system or ICT services, processes or procedures, and/or after any significant operational or security incident. 3.3.1 13(f) {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Audits and risk management | Establish/Maintain Documentation | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Establish/Maintain Documentation | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Establish/Maintain Documentation | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Audits and risk management | Establish/Maintain Documentation | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 {supporting activity}{periodic risk assessment} Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if required. Such risk assessments should also be performed on any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets, and consequently the current risk assessment of financial institutions should be updated. 3.3.3 20] | Audits and risk management | Establish/Maintain Documentation | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Communicate | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 [{be consistent with} Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss and how to address information security related risks. Financial institutions should ensure that the training programme provides training for all staff members and contractors at least annually. 3.4.7 49] | Audits and risk management | Business Processes | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [{payment service user} PSPs should establish and implement processes to enhance PSUs' awareness of the security risks linked to the payment services by providing PSUs with assistance and guidance. 3.8 92] | Audits and risk management | Behavior | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Establish/Maintain Documentation | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Business Processes | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The ICT and security risk management framework should include processes in place to: determine the risk appetite for ICT and security risks, in accordance with the risk appetite of the financial institution; 3.3.1 13(a) {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Establish/Maintain Documentation | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Process or Activity | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22 {backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Audits and risk management | Audits and Risk Management | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [The ICT and security risk management framework should include processes in place to: define mitigation measures, including controls, to mitigate ICT and security risks; 3.3.1 13(c) Financial institutions should define and implement measures to mitigate identified ICT and security risks and to protect information assets in accordance with their classification. 3.3.4 23] | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Establish/Maintain Documentation | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Establish/Maintain Documentation | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Audits and Risk Management | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Audits and Risk Management | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Establish/Maintain Documentation | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Establish/Maintain Documentation | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Establish/Maintain Documentation | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [The ICT and security risk management framework should include processes in place to: report to the management body on the ICT and security risks and controls; 3.3.1 13(e) {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Audits and risk management | Establish/Maintain Documentation | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 [Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial institution should consider the time required to implement these changes and the time to take appropriate interim mitigating measures to minimise ICT and security risks to stay within the financial institution's ICT and security risk appetite. 3.3.4 22] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Audits and Risk Management | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Establish/Maintain Documentation | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [Financial institutions should review the adequacy of the classification of the information assets and relevant documentation, when risk assessment is performed. 3.3.3 19] | Audits and risk management | Business Processes | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Audits and Risk Management | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Business Processes | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Business Processes | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Establish/Maintain Documentation | |
Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 | Technical security | Establish/Maintain Documentation | |
Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Establish/Maintain Documentation | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [Financial institutions should develop and implement a process governing the acquisition, development and maintenance of ICT systems. This process should be designed using a risk-based approach. 3.6.2 67] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control policies. CC ID 00512 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31] | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Establish/Maintain Documentation | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
Control access rights to organizational assets. CC ID 00004 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a)] | Technical security | Technical Security | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
Establish access rights based on least privilege. CC ID 01411 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a) Electronic access by applications to data and ICT systems should be limited to a minimum required to provide the relevant service. 3.4.2 32] | Technical security | Technical Security | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Communicate | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
Enable access control for objects and users on each system. CC ID 04553 | Technical security | Configuration | |
Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical security | Technical Security | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Data and Information Management | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
Control user privileges. CC ID 11665 [Access management: access rights should be granted, withdrawn or modified in a timely manner, according to predefined approval workflows that involve the business owner of the information being accessed (information asset owner). In the case of termination of employment, access rights should be promptly withdrawn. 3.4.2 31(e)] | Technical security | Technical Security | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Establish/Maintain Documentation | |
Review all user privileges, as necessary. CC ID 06784 [Access recertification: access rights should be periodically reviewed to ensure that users do not possess excessive privileges and that access rights are withdrawn when no longer required. 3.4.2 31(f)] | Technical security | Technical Security | |
Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Configuration | |
Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Technical Security | |
Change authenticators after personnel status changes. CC ID 12284 | Technical security | Human Resources Management | |
Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Establish/Maintain Documentation | |
Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Technical Security | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term 'user' also includes technical users: 3.4.2 31] | Technical security | Establish/Maintain Documentation | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
Document approving and granting access in the access control log. CC ID 06786 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
Include the user's location in the system record. CC ID 16996 | Technical security | Log Management | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
Require proper authentication for user identifiers. CC ID 11785 [Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, information or the process being accessed. This should, at a minimum, include complex passwords or stronger authentication methods (such as two-factor authentication), based on relevant risk. 3.4.2 31(g)] | Technical security | Technical Security | |
Assign authenticators to user accounts. CC ID 06855 | Technical security | Configuration | |
Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Configuration | |
Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Technical Security | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Communicate | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Configuration | |
Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Technical Security | |
Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Establish Roles | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Process or Activity | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Technical Security | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Technical Security | |
Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Technical Security | |
Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Process or Activity | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Communicate | |
Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a network security policy. CC ID 06440 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Establish/Maintain Documentation | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Communicate | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Communicate | |
Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Establish/Maintain Documentation | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Establish/Maintain Documentation | |
Secure the Domain Name System. CC ID 00540 | Technical security | Configuration | |
Implement segregation of duties. CC ID 11843 [{need to know basis} Need to know, least privilege and segregation of duties: financial institutions should manage access rights to information assets and their supporting systems on a 'need-to-know' basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of 'least privilege'), i.e. to prevent unjustified access to a large set of data or to prevent the allocation of combinations of access rights that may be used to circumvent controls (principle of 'segregation of duties'). 3.4.2 31(a)] | Technical security | Technical Security | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Establish/Maintain Documentation | |
Segregate systems in accordance with organizational standards. CC ID 12546 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Technical security | Technical Security | |
Implement gateways between security domains. CC ID 16493 | Technical security | Systems Design, Build, and Implementation | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Technical Security | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Technical Security | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Technical Security | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Technical Security | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Technical Security | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Data and Information Management | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Technical Security | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Technical Security | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Data and Information Management | |
Establish, implement, and maintain a network access control standard. CC ID 00546 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of protection of endpoints including servers, workstations and mobile devices; financial institutions should evaluate whether endpoints meet the security standards defined by them before they are granted access to the corporate network; 3.4.4 36(d)] | Technical security | Establish/Maintain Documentation | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Technical security | Establish Roles | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Technical Security | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Technical Security | |
Place firewalls between security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Configuration | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Technical security | Configuration | |
Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Configuration | |
Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Technical Security | |
Include configuration management and rulesets in the network access control standard. CC ID 11845 | Technical security | Establish/Maintain Documentation | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); 3.4.4 36(c)] | Technical security | Establish/Maintain Documentation | |
Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 | Technical security | Establish/Maintain Documentation | |
Control all methods of remote access and teleworking. CC ID 00559 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical security | Technical Security | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Process or Activity | |
Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Establish/Maintain Documentation | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Establish/Maintain Documentation | |
Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical security | Technical Security | |
Control remote administration in accordance with organizational standards. CC ID 04459 | Technical security | Configuration | |
Control remote access through a network access control. CC ID 01421 | Technical security | Technical Security | |
Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Technical security | Configuration | |
Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical security | Technical Security | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used. 3.4.2 31(c)] | Technical security | Technical Security | |
Implement multifactor authentication techniques. CC ID 00561 [Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, information or the process being accessed. This should, at a minimum, include complex passwords or stronger authentication methods (such as two-factor authentication), based on relevant risk. 3.4.2 31(g)] | Technical security | Configuration | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Technical Security | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Technical Security | |
Protect remote access accounts with encryption. CC ID 00562 | Technical security | Configuration | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{data-in-transit} Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: encryption of data at rest and in transit (in accordance with the data classification). 3.4.4 36(f)] | Technical security | Technical Security | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Technical Security | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [Adequate measures to protect from environmental hazards should be commensurate with the importance of the buildings and the criticality of the operations or ICT systems located in these buildings. 3.4.3 35] | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a physical security program. CC ID 11757 [Financial institutions' physical security measures should be defined, documented and implemented to protect their premises, data centres and sensitive areas from unauthorised access and from environmental hazards. 3.4.3 33] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Establish/Maintain Documentation | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Establish/Maintain Documentation | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Establish/Maintain Documentation | |
Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Physical and Environmental Protection | |
Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Physical and Environmental Protection | |
Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Physical and Environmental Protection | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Configuration | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Configuration | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Communicate | |
Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Physical and Environmental Protection | |
Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Establish/Maintain Documentation | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Physical and Environmental Protection | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Establish/Maintain Documentation | |
Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Physical and Environmental Protection | |
Identify and document physical access controls for all physical entry points. CC ID 01637 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Establish/Maintain Documentation | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Establish/Maintain Documentation | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Physical and Environmental Protection | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Establish/Maintain Documentation | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Establish/Maintain Documentation | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Physical and Environmental Protection | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Testing | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Establish/Maintain Documentation | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Establish/Maintain Documentation | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Log Management | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Log Management | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Log Management | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Log Management | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Log Management | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Log Management | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 [Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual's tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required. 3.4.3 34] | Physical and environmental protection | Establish/Maintain Documentation | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Establish/Maintain Documentation | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Testing | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Behavior | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Physical and Environmental Protection | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Behavior | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Physical and Environmental Protection | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Behavior | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Process or Activity | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Establish/Maintain Documentation | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Establish/Maintain Documentation | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Establish/Maintain Documentation | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Business Processes | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Establish/Maintain Documentation | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Configuration | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Configuration | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Configuration | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Physical and Environmental Protection | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Process or Activity | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Configuration | |
Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Establish/Maintain Documentation | |
Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Technical Security | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Configuration | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Configuration | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Establish/Maintain Documentation | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Physical and Environmental Protection | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Physical and Environmental Protection | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Physical and Environmental Protection | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Physical and Environmental Protection | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Physical and Environmental Protection | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Log Management | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Establish/Maintain Documentation | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Behavior | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Log Management | |
Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Log Management | |
Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Log Management | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Log Management | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Log Management | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Log Management | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Establish/Maintain Documentation | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Log Management | |
Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Log Management | |
Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Log Management | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Configuration | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Configuration | |
Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Records Management | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Establish/Maintain Documentation | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Physical and Environmental Protection | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Physical and Environmental Protection | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Establish Roles | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Establish/Maintain Documentation | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Physical and Environmental Protection | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Configuration | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Behavior | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Behavior | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Business Processes | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Behavior | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Physical and Environmental Protection | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Physical and environmental protection | Records Management | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Records Management | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Business Processes | |
Restrict physical access to distributed assets. CC ID 11865 | Physical and environmental protection | Physical and Environmental Protection | |
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Physical and Environmental Protection | |
Protect electronic storage media with physical access controls. CC ID 00720 | Physical and environmental protection | Physical and Environmental Protection | |
Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Data and Information Management | |
Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Data and Information Management | |
Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Physical and Environmental Protection | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Records Management | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Establish/Maintain Documentation | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Behavior | |
Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Records Management | |
Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Physical and Environmental Protection | |
Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Physical and Environmental Protection | |
Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Configuration | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Physical and environmental protection | Business Processes | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Process or Activity | |
Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Physical and Environmental Protection | |
Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Establish/Maintain Documentation | |
Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Establish/Maintain Documentation | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Physical and Environmental Protection | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Establish/Maintain Documentation | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Process or Activity | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Establish/Maintain Documentation | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Establish/Maintain Documentation | |
Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Establish/Maintain Documentation | |
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Physical and Environmental Protection | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Physical and Environmental Protection | |
Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Data and Information Management | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Physical and Environmental Protection | |
Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Establish/Maintain Documentation | |
Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Behavior | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Behavior | |
Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Behavior | |
Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Behavior | |
Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Behavior | |
Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Configuration | |
Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Establish/Maintain Documentation | |
Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Physical and Environmental Protection | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Technical Security | |
Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Configuration | |
Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Technical Security | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Physical and Environmental Protection | |
Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Business Processes | |
Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Establish/Maintain Documentation | |
Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Establish/Maintain Documentation | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Establish Roles | |
Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Records Management | |
Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Physical and Environmental Protection | |
Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Physical and Environmental Protection | |
Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Business Processes | |
Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Establish/Maintain Documentation | |
Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Physical and Environmental Protection | |
Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Physical and Environmental Protection | |
Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Process or Activity | |
Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Physical and Environmental Protection | |
Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Physical and Environmental Protection | |
Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Physical and Environmental Protection | |
Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Physical and Environmental Protection | |
Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Establish/Maintain Documentation | |
Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Physical and Environmental Protection | |
Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Physical and Environmental Protection | |
Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Physical and Environmental Protection | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Establish/Maintain Documentation | |
Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Physical and Environmental Protection | |
Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Physical and Environmental Protection | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Physical and Environmental Protection | |
Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Physical and Environmental Protection | |
Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Configuration | |
Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and environmental protection | Physical and Environmental Protection | |
Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Physical and Environmental Protection | |
Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Physical and Environmental Protection | |
Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Physical and Environmental Protection | |
Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Physical and Environmental Protection | |
Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Physical and Environmental Protection | |
Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Physical and Environmental Protection | |
Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Physical and Environmental Protection | |
Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Physical and Environmental Protection | |
Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [Financial institutions should establish a sound business continuity management (BCM) process to maximise their abilities to provide services on an ongoing basis and to limit losses in the event of severe business disruption in line with Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance (EBA/GL/2017/11). 3.7 77] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Systems Continuity | |
Include compliance requirements in the business continuity policy. CC ID 14237 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include management commitment in the business continuity policy. CC ID 14233 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Communicate | |
Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include data recovery in the business continuity testing strategy. CC ID 13262 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain the scope of the continuity framework. CC ID 11908 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Records Management | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: 3.4.4 36] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include business units in the scope of the continuity framework. CC ID 11898 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 | Operational and Systems Continuity | Systems Continuity | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Systems Continuity | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include Quality Management in the continuity framework. CC ID 12239 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [The management body should ensure that financial institutions have an adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Operational and Systems Continuity | Establish Roles | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Operational and Systems Continuity | Systems Continuity | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Communicate | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 [Financial institutions should ensure that their ICT systems and ICT services are designed and aligned with their BIA, for example with redundancy of certain critical components to prevent disruptions caused by events impacting those components. 3.7.1 79] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{put in place} Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a system or process must be restored after an incident) and a recovery point objective (RPO, the maximum time period during which it is acceptable for data to be lost in the event of an incident). In cases of severe business disruption that trigger specific business continuity plans, financial institutions should prioritise business continuity actions using a risk-based approach, which can be based on the risk assessments carried out under Section 3.3.3. For PSPs this may include, for example, facilitating the further processing of critical transactions while remediation efforts continue. 3.7.2 81 {Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80 BCPs should be updated at least annually, based on testing results, current threat intelligence and lessons learned from previous events. Any changes in recovery objectives (including RTOs and RPOs) and/or changes in business functions, supporting processes and information assets, should also be considered, where relevant, as a basis for updating the BCPs. 3.7.4 88] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Systems Continuity | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Systems Continuity | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [{Business Impact Analysis}{establish and document}{adverse impact}{internal stakeholder} Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT services. The plans should support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. Financial institutions should coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans. 3.7.2 80] | Operational and Systems Continuity | Human Resources Management | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Behavior | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Technical Security | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial institution should describe how the continuity of ICT systems and services, as well as the financial institution's information security, are ensured. 3.7.2 82] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Configuration | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial institution should describe how the continuity of ICT systems and services, as well as the financial institution's information security, are ensured. 3.7.2 82] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Systems Continuity | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be updated in line with lessons learned from incidents, tests, new risks identified and threats, and changed recovery objectives and priorities. 3.7.3 84(c) {business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b) {Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [{off-site storage}{secure storage} Financial institutions should ensure that data and ICT system backups are stored securely and are sufficiently remote from the primary site so they are not exposed to the same risks. 3.5 58] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83] | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: 3.7.3 84 {response and recovery plan}{be infeasible} The plans should also consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics or unforeseen circumstances. 3.7.3 85 {put in place} Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a system or process must be restored after an incident) and a recovery point objective (RPO, the maximum time period during which it is acceptable for data to be lost in the event of an incident). In cases of severe business disruption that trigger specific business continuity plans, financial institutions should prioritise business continuity actions using risk-based approach, which can be based on the risk assessments carried out under Section 3.3.3. For PSPs this may include, for example, facilitating the further processing of critical transactions while remediation efforts continue. 3.7.2 81 The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 [{Business Impact Analysis} Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions' critical ICT systems and ICT services. The response and recovery plans should aim to meet the recovery objectives of financial institutions' operations. 3.7.3 83 The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 | Operational and Systems Continuity | Configuration | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Operational and Systems Continuity | Configuration | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Physical and Environmental Protection | |
Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Physical and Environmental Protection | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Configuration | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Operational and Systems Continuity | Physical and Environmental Protection | |
Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Physical and Environmental Protection | |
Implement redundancy in life-safety systems. CC ID 02228 | Operational and Systems Continuity | Physical and Environmental Protection | |
Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The response and recovery plans should consider both short-term and long-term recovery options. The plans should: focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, and to ensure execution of pending payment transactions; 3.7.3 84(a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include outages in the emergency operating procedures. CC ID 17129 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Systems Continuity | |
Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Systems Continuity | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Audits and Risk Management | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define and prioritize critical business records. CC ID 11687 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Human Resources Management | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Behavior | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include workstation continuity procedures in the continuity plan. CC ID 01378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include server continuity procedures in the continuity plan. CC ID 01379 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Operational and Systems Continuity | Data and Information Management | |
Include near-line capabilities in the continuity plan. CC ID 01383 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include online capabilities in the continuity plan. CC ID 11690 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include system continuity procedures in the continuity plan. CC ID 01268 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include evacuation procedures in the continuity plan. CC ID 12773 | Operational and Systems Continuity | Systems Continuity | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Operational and Systems Continuity | Physical and Environmental Protection | |
Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Systems Continuity | |
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [{backup procedure}{be in line with}{periodic testing} Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT systems and evaluated according to the performed risk assessment. Testing of the backup and restoration procedures should be undertaken on a periodic basis. 3.5 57] | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Operational and Systems Continuity | Communicate | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Physical and Environmental Protection | |
Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Configuration | |
Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 | Operational and Systems Continuity | Data and Information Management | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Data and Information Management | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Systems Continuity | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Data and Information Management | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Data and Information Management | |
Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Process or Activity | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Data and Information Management | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Data and Information Management | |
Back up all records. CC ID 11974 | Operational and Systems Continuity | Systems Continuity | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Data and Information Management | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Encrypt backup data. CC ID 00958 | Operational and Systems Continuity | Configuration | |
Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [{internal stakeholder}{timely manner} In the event of a disruption or emergency, and during the implementation of the BCPs, financial institutions should ensure that they have effective crisis communication measures in place so that all relevant internal and external stakeholders, including the competent authorities when required by national regulations, and also relevant providers (outsourcing providers, group entities, or third party providers) are informed in a timely and appropriate manner. 3.7.5 91] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Systems Continuity | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Log Management | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Communicate | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Validate information security continuity controls regularly. CC ID 12008 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [{business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 [{periodic testing} Financial institutions should test their BCPs periodically. In particular, they should ensure that the BCPs of their critical business functions, supporting processes, information assets and their interdependencies (including those provided by third parties, where applicable) are tested at least annually, in accordance with paragraph 89. 3.7.4 87] | Operational and Systems Continuity | Testing | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the risk assessment results in the continuity test plan. CC ID 17205 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the business impact analysis test results in the continuity test plan. CC ID 17204 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: include procedures to verify the ability of their staff and contractors, ICT systems and ICT services to respond adequately to the scenarios defined in paragraph 89(a). 3.7.4 89(c)] | Operational and Systems Continuity | Testing | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Testing | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Testing | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Testing | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and 3.7.4 89(b)] | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. 3.7.4 90] | Operational and Systems Continuity | Actionable Reports or Measurements | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 | Operational and Systems Continuity | Testing | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Communicate | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2 The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Human Resources management | Human Resources Management | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Business Processes | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2 {establish} The management body has overall accountability for setting, approving and overseeing the implementation of financial institutions' ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. 3.2.1 4] | Human Resources management | Human Resources Management | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 [Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processes. 3.3.1 12] | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 [A financial institution should implement a programme and/or a project governance process that defines roles, responsibilities and accountabilities to effectively support the implementation of the ICT strategy. 3.6.1 61] | Human Resources management | Establish Roles | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Human Resources Management | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Establish Roles | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Human Resources Management | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Establish Roles | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Establish Roles | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Establish Roles | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Establish Roles | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Establish Roles | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Establish Roles | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Establish Roles | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 [{supporting activity} To define the criticality of these identified business functions, supporting processes and information assets, financial institutions should, at a minimum, consider the confidentiality, integrity and availability requirements. There should be clearly assigned accountability and responsibility for the information assets. 3.3.3 18] | Human Resources management | Establish/Maintain Documentation | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Establish Roles | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Establish Roles | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Establish Roles | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Establish Roles | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Establish Roles | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Behavior | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Technical Security | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Business Processes | |
Retrain all personnel, as necessary. CC ID 01362 [{be consistent with} Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss and how to address information security related risks. Financial institutions should ensure that the training programme provides training for all staff members and contractors at least annually. 3.4.7 49] | Human Resources management | Behavior | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 [{information security and awareness training} Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: information security training and awareness (Section 3.4.7). 3.4.1 30(g)] | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [{payment service user}{in light of} The assistance and guidance offered to PSUs should be updated in the light of new threats and vulnerabilities, and changes should be communicated to the PSU. 3.8 93] | Human Resources management | Training | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the allocated budget is appropriate to fulfil the above. Furthermore, financial institutions should ensure that all staff members, including key function holders, receive appropriate training on ICT and security risks, including on information security, on an annual basis, or more frequently if required (see also Section 3.4.7). 3.2.1 3] | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [{payment service user} PSPs should keep PSUs informed about updates in security procedures that affect PSUs regarding the provision of payment services. 3.8 97] | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources management | Human Resources Management | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1] | Human Resources management | Human Resources Management | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
Correlate business processes and applications. CC ID 16300 | Operational management | Business Processes | |
Disseminate and communicate the business process documentation to interested personnel and affected parties. CC ID 13038 | Operational management | Communicate | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{continuous improvement} Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year, by the management body. 3.3.1 14] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Behavior | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Process or Activity | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Process or Activity | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees. 3.2.1 2] | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Establish/Maintain Documentation | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Process or Activity | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Establish/Maintain Documentation | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Establish/Maintain Documentation | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Establish/Maintain Documentation | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: logical security (Section 3.4.2); 3.4.1 30(b)] | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: ICT operations security (Section 3.4.4); 3.4.1 30(d) Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50] | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: physical security (Section 3.4.3); 3.4.1 30(c)] | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: security monitoring (Section 3.4.5); 3.4.1 30(e)] | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Communicate | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Communicate | |
Include how the information security department is organized in the information security program. CC ID 12379 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: organisation and governance in accordance with paragraphs 10 and 11; 3.4.1 30(a)] | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 [{be accountable}{be responsible}{have no responsibility} Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations processes. This control function should be directly accountable to the management body and responsible for monitoring and controlling adherence to the ICT and security risk management framework. It should ensure that ICT and security risks are identified, measured, assessed, managed, monitored and reported. Financial institutions should ensure that this control function is not responsible for any internal audit. 3.3.1 11 ¶ 1 Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: 3.4.1 30 Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: 3.4.4 36 {external requirement} Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution's risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements. 3.3.1 10] | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [Based on the information security policy, financial institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include: information security reviews, assessment and testing (Section 3.4.6); 3.4.1 30(f)] | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Business Processes | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Establish/Maintain Documentation | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 [The ICT strategy should be aligned with financial institutions' overall business strategy and should define: clear information security objectives, focusing on ICT systems and ICT services, staff and processes. 3.2.2 5(c) Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified in the security policy document to be adopted in accordance with Article 5(1)(j) of Directive (EU) 2015/2366. The information security policy should be in line with the financial institution's information security objectives and based on the relevant results of the risk assessment process. The policy should be approved by the management body. 3.4.1 28] | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [{establish} The management body has overall accountability for setting, approving and overseeing the implementation of financial institutions' ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. 3.2.1 4] | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Communicate | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Communicate | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Establish/Maintain Documentation | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Establish/Maintain Documentation | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Communicate | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Communicate | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Establish/Maintain Documentation | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Establish/Maintain Documentation | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Process or Activity | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Process or Activity | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Establish/Maintain Documentation | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Communicate | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Establish/Maintain Documentation | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Communicate | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Establish/Maintain Documentation | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Business Processes | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Process or Activity | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Process or Activity | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Process or Activity | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Process or Activity | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Process or Activity | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Process or Activity | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Business Processes | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Communicate | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Communicate | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Establish/Maintain Documentation | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Establish/Maintain Documentation | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Establish/Maintain Documentation | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Communicate | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Business Processes | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Data and Information Management | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Establish/Maintain Documentation | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Establish/Maintain Documentation | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Establish/Maintain Documentation | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Communicate | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{internal organization} All financial institutions should comply with the provisions set out in these guidelines in such a way that is proportionate to, and takes account of, the financial institutions' size, their internal organisation, and the nature, scope, complexity and riskiness of the services and products that the financial institutions provide or intend to provide. 3.1 1] | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Operational management | Business Processes | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Establish/Maintain Documentation | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Human Resources Management | |
Define the requirements for where assets can be located. CC ID 17051 | Operational management | Business Processes | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Business Processes | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
Include installation requirements in the asset management program. CC ID 17195 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [{internal data} As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies, in accordance with Section 3.3.3. 3.7.1 78] | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Establish/Maintain Documentation | |
Define confidentiality controls. CC ID 01908 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Process or Activity | |
Define integrity controls. CC ID 01909 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: ensuring that mechanisms are in place to verify the integrity of software, firmware and data; 3.4.4 36(e)] | Operational management | Establish/Maintain Documentation | |
Define availability controls. CC ID 01911 | Operational management | Establish/Maintain Documentation | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Establish Roles | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Establish/Maintain Documentation | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Financial institutions should define and implement measures to mitigate identified ICT and security risks and to protect information assets in accordance with their classification. 3.3.4 23; Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of protection of endpoints including servers, workstations and mobile devices; financial institutions should evaluate whether endpoints meet the security standards defined by them before they are granted access to the corporate network; 3.4.4 36(d)] | Operational management | Establish Roles | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Configuration | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how financial institutions operate, monitor and control their ICT systems and services, including the documenting of critical ICT operations and should enable financial institutions to maintain up-to-date ICT asset inventory. 3.5 50; The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attacks. 3.5 54; Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attacks. 3.5 54; Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Establish/Maintain Documentation | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Establish/Maintain Documentation | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Establish/Maintain Documentation | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Process or Activity | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Establish/Maintain Documentation | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Technical Security | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Human Resources Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Data and Information Management | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Operational management | Data and Information Management | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Operational management | Data and Information Management | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the make and model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Establish/Maintain Documentation | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Establish/Maintain Documentation | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Establish/Maintain Documentation | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Establish/Maintain Documentation | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 [{internal system} In addition, financial institutions should identify, establish and maintain updated mapping of the information assets supporting their business functions and supporting processes, such as ICT systems, staff, contractors, third parties and dependencies on other internal and external systems and processes, to be able to, at least, manage the information assets that support their critical business functions and processes. 3.3.2 16] | Operational management | Establish/Maintain Documentation | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Establish/Maintain Documentation | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Establish/Maintain Documentation | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Establish/Maintain Documentation | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Establish/Maintain Documentation | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties prior to redeploying or disposing of the system. CC ID 06400 | Operational management | Behavior | |
Wipe all data on systems prior to redeploying or disposing of the system. CC ID 06401 | Operational management | Data and Information Management | |
Reset systems to the default configuration prior to redeploying or disposing of the system. CC ID 16968 | Operational management | Configuration | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Acquisition/Sale of Assets or Services | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Establish/Maintain Documentation | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Establish/Maintain Documentation | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 | Operational management | Business Processes | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Establish/Maintain Documentation | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Establish/Maintain Documentation | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Maintenance | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Maintenance | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Maintenance | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Maintenance | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Establish/Maintain Documentation | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Communicate | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Physical and Environmental Protection | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Operational management | Behavior | |
Use system components only when third party support is available. CC ID 10644 | Operational management | Maintenance | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Process or Activity | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | Operational management | Maintenance | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Technical Security | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Configuration | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Technical Security | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Technical Security | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Behavior | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Establish/Maintain Documentation | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Acquisition/Sale of Assets or Services | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Behavior | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Technical Security | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Technical Security | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Establish/Maintain Documentation | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Business Processes | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Communicate | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Business Processes | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Establish/Maintain Documentation | |
Review each system's operational readiness. CC ID 06275 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Establish/Maintain Documentation | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a customer service program. CC ID 00846 [{payment service user} PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. 3.8 98] | Operational management | Establish/Maintain Documentation | |
Assign roles and responsibilities in the customer service program. CC ID 13911 | Operational management | Human Resources Management | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [{operational incident} Financial institutions should establish and implement an incident and problem management process to monitor and log operational and security ICT incidents and to enable financial institutions to continue or resume, in a timely manner, critical business functions and processes when disruptions occur. Financial institutions should determine appropriate criteria and thresholds for classifying events as operational or security incidents, as set out in the 'Definitions' section of these guidelines, as well as early warning indicators that should serve as alerts to enable early detection of these incidents. Such criteria and thresholds, for PSPs, are without prejudice to the classification of major incidents in accordance with Article 96 of PSD2 and the Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10). 3.5.1 59] | Operational management | Business Processes | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
Define and assign the roles and responsibilities for the Incident Management program. CC ID 13055 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: the roles and responsibilities for different incident scenarios (e.g. errors, malfunctioning, cyber-attacks); 3.5.1 60(b)] | Operational management | Human Resources Management | |
Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Establish/Maintain Documentation | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: 3.5.1 60(d)] | Operational management | Establish/Maintain Documentation | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Establish/Maintain Documentation | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [{operational incident} Financial institutions should establish and implement an incident and problem management process to monitor and log operational and security ICT incidents and to enable financial institutions to continue or resume, in a timely manner, critical business functions and processes when disruptions occur. Financial institutions should determine appropriate criteria and thresholds for classifying events as operational or security incidents, as set out in the 'Definitions' section of these guidelines, as well as early warning indicators that should serve as alerts to enable early detection of these incidents. Such criteria and thresholds, for PSPs, are without prejudice to the classification of major incidents in accordance with Article 96 of PSD2 and the Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10). 3.5.1 59] | Operational management | Establish/Maintain Documentation | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: the procedures to identify, track, log, categorise and classify incidents according to a priority, based on business criticality; 3.5.1 60(a) Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Establish/Maintain Documentation | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
Include a description of the data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
Update the incident response procedures using the lessons learned. CC ID 01233 [{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Operational management | Establish/Maintain Documentation | |
Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Establish/Maintain Documentation | |
Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Technical Security | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Data and Information Management | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Records Management | |
Log incidents in the Incident Management audit log. CC ID 00857 [{ICT}{mitigation} The ICT and security risk management framework should include processes in place to: monitor the effectiveness of these measures as well as the number of reported incidents, including for PSPs the incidents reported in accordance with Article 96 of PSD2 affecting the ICT-related activities, and take action to correct the measures where necessary; 3.3.1 13(d)] | Operational management | Establish/Maintain Documentation | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Establish/Maintain Documentation | |
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Establish/Maintain Documentation | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Establish/Maintain Documentation | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [incidents with a potentially high adverse impact on critical ICT systems and ICT services are reported to the relevant senior management and ICT senior management; 3.5.1 60(d)(i)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Communicate | |
Establish, implement, and maintain a customer service business function. CC ID 00847 | Operational management | Business Processes | |
Permit authorized individuals to accompany consumers at the organization's place of business. CC ID 16959 | Operational management | Business Processes | |
Document the resolution of issues reported to customer service. CC ID 12918 | Operational management | Establish/Maintain Documentation | |
Log help desk queries. CC ID 00848 | Operational management | Log Management | |
Establish, implement, and maintain help desk query escalation procedures. CC ID 00849 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain help desk query clearance procedures. CC ID 00850 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain help desk query trend analysis procedures. CC ID 00851 | Operational management | Establish/Maintain Documentation | |
Provide customer security advice, as necessary. CC ID 13674 | Operational management | Communicate | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Operational management | Communicate | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Operational management | Communicate | |
Display customer security advice prominently. CC ID 13667 | Operational management | Establish/Maintain Documentation | |
Review and update security advice for customers, as necessary. CC ID 06868 | Operational management | Establish/Maintain Documentation | |
Compare customer security advice with industry peers. CC ID 06869 | Operational management | Business Processes | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Create an incident response report. CC ID 12700 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Operational management | Establish/Maintain Documentation | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Establish/Maintain Documentation | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Establish/Maintain Documentation | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Establish/Maintain Documentation | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Establish/Maintain Documentation | |
Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Establish/Maintain Documentation | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Establish/Maintain Documentation | |
Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Establish/Maintain Documentation | |
Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Establish/Maintain Documentation | |
Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Establish/Maintain Documentation | |
Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Establish/Maintain Documentation | |
Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Establish/Maintain Documentation | |
Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Establish/Maintain Documentation | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Establish/Maintain Documentation | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Establish/Maintain Documentation | |
Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Establish/Maintain Documentation | |
Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Establish/Maintain Documentation | |
Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Establish/Maintain Documentation | |
Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Establish/Maintain Documentation | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Operational management | Establish/Maintain Documentation | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Establish/Maintain Documentation | |
Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Establish/Maintain Documentation | |
Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Establish/Maintain Documentation | |
Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Establish/Maintain Documentation | |
Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Establish/Maintain Documentation | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Establish/Maintain Documentation | |
Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Establish/Maintain Documentation | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [{follow-up action}{operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: 3.5.1 60 {operational incident} To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organisation and should consider key lessons learned from these analyses and update the security measures accordingly; 3.5.1 60(c)] | Operational management | Establish/Maintain Documentation | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Communicate | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: 3.4.5 38] | Operational management | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Establish/Maintain Documentation | |
Include addressing external communications in the incident response plan. CC ID 13351 [To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the root causes are identified and eliminated to prevent the occurrence of repeated incidents. The incident and problem management process should establish: specific external communication plans for critical business functions and processes in order to: 3.5.1 60(f)] | Operational management | Establish/Maintain Documentation | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 [{business unit}{be readily accessible} The response and recovery plans should consider both short-term and long-term recovery options. The plans should: be documented and made available to the business and support units and readily accessible in the event of an emergency; 3.7.3 84(b)] | Operational management | Establish/Maintain Documentation | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a performance management standard. CC ID 01615 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a change control program. CC ID 00886 [Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. changes that must be introduced as soon as possible) following procedures that provide adequate safeguards. 3.6.3 75] | Operational management | Establish/Maintain Documentation | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 | Operational management | Establish/Maintain Documentation | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Establish/Maintain Documentation | |
Separate the production environment from the development environment or the test environment for the change control process. CC ID 11864 [A financial institution should ensure that measures are in place to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment. 3.6.2 69 {development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Operational management | Maintenance | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Technical Security | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 | Operational management | Business Processes | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Establish/Maintain Documentation | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Establish/Maintain Documentation | |
Approve tested change requests. CC ID 11783 | Operational management | Data and Information Management | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Behavior | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. changes that must be introduced as soon as possible) following procedures that provide adequate safeguards. 3.6.3 75] | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 [Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial institutions' formal change management process, which should ensure that changes are properly planned, tested, documented, authorised and deployed. 3.4.4 37 Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change management process. 3.6.3 76] | Operational management | Testing | |
Implement changes according to the change control program. CC ID 11776 [Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial institutions' formal change management process, which should ensure that changes are properly planned, tested, documented, authorised and deployed. 3.4.4 37 A financial institution should establish and implement an ICT project management policy that includes as a minimum: change management requirements. 3.6.1 63(f) Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change management process. 3.6.3 76] | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 [Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that they are aware of security risks. Financial institutions should implement detective measures, for instance to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware and should check for corresponding new security updates. 3.4.5 39] | Operational management | Process or Activity | |
Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Technical Security | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Technical Security | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Business Processes | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Behavior | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Data and Information Management | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: implementation of secure configuration baselines of all network components; 3.4.4 36(b) Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a proper configuration and change management process. 3.5 53] | System hardening through configuration management | Establish/Maintain Documentation | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Establish/Maintain Documentation | |
Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Establish/Maintain Documentation | |
Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Use the latest approved version of all assets. CC ID 00897 [{be out-of-date} Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developers and whether all relevant patches and upgrades are applied based on documented processes. The risks stemming from outdated or unsupported ICT assets should be assessed and mitigated. 3.5 55] | System hardening through configuration management | Technical Security | |
Install the most current Windows Service Pack. CC ID 01695 | System hardening through configuration management | Configuration | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 | System hardening through configuration management | Configuration | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Communicate | |
Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Configuration | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
Remove unnecessary default accounts. CC ID 01539 | System hardening through configuration management | Configuration | |
Disable all unnecessary user identifiers. CC ID 02185 [{generic user account} User accountability: financial institutions should limit, as much as possible, the use of generic and shared user accounts and ensure that users can be identified for the actions performed in the ICT systems. 3.4.2 31(b)] | System hardening through configuration management | Configuration | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Records management | Records Management | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
Establish and maintain access controls for all records. CC ID 00371 [Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services. 3.4.2 31(d)] | Records management | Records Management | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{data-in-transit} Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: encryption of data at rest and in transit (in accordance with the data classification). 3.4.4 36(f)] | Records management | Technical Security | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Financial institutions should develop and implement a process governing the acquisition, development and maintenance of ICT systems. This process should be designed using a risk-based approach. 3.6.2 67] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Perform a feasibility study for product requests. CC ID 06895 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Systems design, build, and implementation | Human Resources Management | |
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include information security throughout the system development life cycle. CC ID 12042 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Data and Information Management | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Communicate | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish and maintain System Development Life Cycle documentation. CC ID 12079 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Define and document organizational structures for the System Development Life Cycle program. CC ID 12549 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system and network monitoring reporting lines in the System Development Life Cycle documentation. CC ID 12562 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system maintenance authorities in the System Development Life Cycle documentation. CC ID 12566 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system development reporting lines in the System Development Life Cycle documentation. CC ID 12559 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system design reporting lines in the System Development Life Cycle documentation. CC ID 12558 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system development authorities in the System Development Life Cycle documentation. CC ID 12564 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system design authorities in the System Development Life Cycle documentation. CC ID 12572 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system and network monitoring authorities in the System Development Life Cycle documentation. CC ID 12568 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system operation authorities in the System Development Life Cycle documentation. CC ID 12567 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system maintenance responsibilities in the System Development Life Cycle documentation. CC ID 12556 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system implementation authorities in the System Development Life Cycle documentation. CC ID 12565 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system and network monitoring responsibilities in the System Development Life Cycle documentation. CC ID 12557 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system operation responsibilities in the System Development Life Cycle documentation. CC ID 12563 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system maintenance reporting lines in the System Development Life Cycle documentation. CC ID 12555 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system operation reporting lines in the System Development Life Cycle documentation. CC ID 12561 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include system implementation reporting lines in the System Development Life Cycle documentation. CC ID 12560 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Define and document organizational structures for system and network monitoring. CC ID 12554 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Define and document organizational structures for systems operations. CC ID 12553 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a full set of system procedures. CC ID 01074 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a physical, electrical, and logical interface specification. CC ID 01075 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a user-machine interaction specification. CC ID 01076 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a processing requirements definition document. CC ID 01077 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain an output requirements definition document. CC ID 01078 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a database management standard. CC ID 01079 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Compile databases to protect their structural intellectual property. CC ID 07044 | Systems design, build, and implementation | Technical Security | |
Establish, implement, and maintain system design requirements. CC ID 06618 [A financial institution should ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements (including information security requirements) are clearly defined and approved by the relevant business management. 3.6.2 68] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Document stakeholder requirements and how they influence system design requirements. CC ID 06925 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Document legal requirements and how they influence system design requirements. CC ID 11793 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Design and develop built-in redundancies, as necessary. CC ID 13064 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Identify and document system design constraints. CC ID 06923 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Identify and document limitations that the implementation technology and the implementation strategy put on the system design solution. CC ID 06928 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Design resource-isolation mechanisms into the infrastructure of Software as a Service. CC ID 12348 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Identify and document system development constraints. CC ID 11698 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Identify and document the system boundaries of the system design project. CC ID 06924 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Evaluate the criticality and sensitivity of information being accessed when designing systems. CC ID 07076 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include performance criteria in the system requirements specification. CC ID 11540 | Systems design, build, and implementation | Technical Security | |
Include accommodating increases in capacity in the system requirements specification. CC ID 11562 | Systems design, build, and implementation | Technical Security | |
Include product upgrade methodologies in the system requirements specification. CC ID 11563 | Systems design, build, and implementation | Technical Security | |
Include the ability of products to verify their own quality in the system requirements specification. CC ID 11564 | Systems design, build, and implementation | Technical Security | |
Include anti-counterfeit measures in the system requirements specification. CC ID 11547 | Systems design, build, and implementation | Physical and Environmental Protection | |
Include anti-counterfeit measures that resist reverse engineering in the system requirements specification. CC ID 11548 | Systems design, build, and implementation | Physical and Environmental Protection | |
Include anti-counterfeit measures that are apparent to anti-counterfeit authentication testing in the system requirements specification. CC ID 11549 | Systems design, build, and implementation | Physical and Environmental Protection | |
Include anti-counterfeit measures that are interdependent between material goods and the anti-counterfeit authentication test in the system requirements specification. CC ID 11550 | Systems design, build, and implementation | Physical and Environmental Protection | |
Include anti-counterfeit measures that allow product characteristic change detection as the result of an attack in the system requirements specification. CC ID 11551 | Systems design, build, and implementation | Physical and Environmental Protection | |
Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 | Systems design, build, and implementation | Physical and Environmental Protection | |
Analyze anti-counterfeit measures for their longevity. CC ID 11553 | Systems design, build, and implementation | Physical and Environmental Protection | |
Disallow reuse of anti-counterfeit measures absent authentication. CC ID 11554 | Systems design, build, and implementation | Physical and Environmental Protection | |
Include anti-counterfeit measures to be compatible with material goods associated with the product in the system requirements specification. CC ID 11555 | Systems design, build, and implementation | Physical and Environmental Protection | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain project management standards. CC ID 00992 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: 3.6.1 63] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include objectives in the project management standard. CC ID 17202 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project program documentation standard. CC ID 00995 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include budgeting for projects in the project management standard. CC ID 13136 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include time requirements in the project management standard. CC ID 17199 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain project management procedures. CC ID 17200 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: a project plan, timeframe and steps; 3.6.1 63(d)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project control program. CC ID 01612 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project test plan. CC ID 01001 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project team plan. CC ID 06533 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project management training plan. CC ID 01002 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Document the system architecture in the system design specification. CC ID 12287 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include hardware requirements in the system design specification. CC ID 08666 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include communication links in the system design specification. CC ID 08665 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include a description of each module and asset in the system design specification. CC ID 11734 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include supporting software requirements in the system design specification. CC ID 08664 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the logical data flows and process steps in the system design specification. CC ID 08668 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 [{development environment}{testing environment} A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing and other non-production environments. A financial institution should ensure the integrity and confidentiality of production data in non-production environments. Access to production data is restricted to authorised users. 3.6.2 72] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Develop new products based on secure coding techniques. CC ID 11733 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish and maintain a coding manual for secure coding techniques. CC ID 11863 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Technical Security | |
Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Technical Security | |
Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Systems design, build, and implementation | Technical Security | |
Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Technical Security | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Technical Security | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Technical Security | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Technical Security | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Technical Security | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Technical Security | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Technical Security | |
Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Technical Security | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Technical Security | |
Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Technical Security | |
Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Technical Security | |
Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Process or Activity | |
Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 | Systems design, build, and implementation | Process or Activity | |
Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Process or Activity | |
Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Technical Security | |
Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Process or Activity | |
Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Technical Security | |
Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Configuration | |
Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Technical Security | |
Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain the overall system development project management roles and responsibilities. CC ID 00991 [A financial institution should establish and implement an ICT project management policy that includes as a minimum: roles and responsibilities; 3.6.1 63(b)] | Systems design, build, and implementation | Establish Roles | |
Assign the role of information security management as a part of developing systems. CC ID 06823 | Systems design, build, and implementation | Establish Roles | |
Evaluate system development projects for compliance with the system requirements specifications. CC ID 06903 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Evaluate each system development project to verify it remains feasible. CC ID 06904 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Cancel or suspend system development projects if the benefits do not outweigh the disadvantages. CC ID 06905 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system testing policy. CC ID 01102 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Configure the test environment similar to the production environment. CC ID 06837 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Configuration | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Communicate | |
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Return test payment cards after their use. CC ID 06398 | Systems design, build, and implementation | Behavior | |
Establish, implement, and maintain system testing procedures. CC ID 11744 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Protect test data in the development environment. CC ID 12014 | Systems design, build, and implementation | Technical Security | |
Control the test data used in the development environment. CC ID 12013 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Select the test data carefully. CC ID 12011 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Test security functionality during the development process. CC ID 12015 | Systems design, build, and implementation | Testing | |
Include system performance in the scope of system testing. CC ID 12624 | Systems design, build, and implementation | Process or Activity | |
Include security controls in the scope of system testing. CC ID 12623 [Financial institutions should test ICT systems, ICT services and information security measures to identify potential security weaknesses, violations and incidents. 3.6.2 71] | Systems design, build, and implementation | Process or Activity | |
Include business logic in the scope of system testing. CC ID 12622 | Systems design, build, and implementation | Process or Activity | |
Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Systems design, build, and implementation | Establish Roles | |
Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Communicate | |
Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Involve all stakeholders in the final acceptance test. CC ID 13168 | Systems design, build, and implementation | Human Resources Management | |
Integrate additional security controls for newly implemented systems into interconnected systems, as necessary. CC ID 06272 | Systems design, build, and implementation | Technical Security | |
Establish, implement, and maintain system acceptance criteria. CC ID 06210 [Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test environments that adequately reflect the production environment. 3.6.2 70] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Document the acceptance status for all products passing the System Development Life Cycle implementation phase. CC ID 06211 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Control products that do not conform to the system acceptance criteria. CC ID 06212 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Business Processes | |
Establish, implement, and maintain user documentation. CC ID 12250 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include documentation for all systems in the user documentation. CC ID 12285 [Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency on subject matter experts. The documentation of the ICT system should contain, where applicable, at least user documentation, technical system documentation and operating procedures. 3.6.2 73] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [Where, in accordance with Article 68(1) of Directive (EU) 2015/2366, a PSP has agreed with the payer spending limits for payment transactions executed through specific payment instruments, the PSP should provide the payer with the option to adjust these limits up to the maximum agreed limit. 3.8 95 {payment service user} Where product functionality permits, PSPs should allow PSUs to disable specific payment functionalities related to the payment services offered by the PSP to the PSU. 3.8 94] | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Communicate | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Configuration | |
Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Data and Information Management | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Communicate | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes. 3.6.2 74] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes. 3.6.2 74] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions' information security. The policy should ensure the confidentiality, integrity and availability of a financial institution's critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution. 3.4.1 29] | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include contingency plans in the third party management plan. CC ID 10030 [Furthermore, as part of the response and recovery plans, a financial institution should consider and implement continuity measures to mitigate failures of third party providers, which are of key importance for a financial institution's ICT service continuity (in line with the provisions of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) regarding business continuity plans). 3.7.3 86] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Systems Continuity | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Business Processes | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{operational incident}{security incident} To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: operational and security incident handling procedures including escalation and reporting. 3.2.3 8(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [To ensure continuity of ICT services and ICT systems, financial institutions should ensure that contracts and service level agreements (both for normal circumstances as well as in the event of service disruption — see also Section 3.7.2) with providers (outsourcing providers, group entities, or third party providers) include the following: appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes, and the location of data centres; 3.2.3 8(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |