Protect
Develop and implement appropriate data processing safeguards.
Governance Policies
An information technology baseline configuration is created and maintained incorporating security principles (e.g., concept of least functionality).
Does the technological environment have a security baseline?
Configuration change control processes are established and implemented.
Does the organization have configuration integrity control solutions?
Information backups are performed, maintained, and tested.
Does the organization have a backup process implemented?
Policies and regulations regarding the physical operating environment for organizational assets are met.
Does the organization have policies and processes for authorizing physical access by organizational employees?
Protection processes are improved.
Does the organization have adequate protection technologies?
Protection processes are improved.
Are protection technologies implemented according to best practices?
The effectiveness of protection technologies is shared.
Are performance indicators for technological protection solutions generated? Who monitors these indicators?
Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are established, implemented, and managed.
Does the organization have a BCP and DRP process to ensure operational resilience?
Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are established, implemented, and managed.
Does the organization have an incident response plan?
Response and recovery plans are tested.
Are existing plans tested (Business Continuity Plan, Disaster Recovery Plan, and IS and Privacy Incident Response Plan)?
Privacy procedures are included in human resources practices (e.g., provisioning, personnel screening).
Are privacy principles implemented during the employee hiring process?
Privacy procedures are included in human resources practices (e.g., provisioning, personnel screening).
Are privacy principles implemented throughout the employee's period of employment?
Privacy procedures are included in human resources practices (e.g., provisioning, personnel screening).
Are privacy principles implemented during the employee termination process?
A vulnerability management plan is developed and implemented.
Does the organization have a vulnerability management process?
A vulnerability management plan is developed and implemented.
Is there a process to remediate identified vulnerabilities?
Identity Management, Authentication, and Access Control
Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices.
Is there an access management process?
Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices.
Does it cover all systems that hold personal data?
Physical access to data and devices is managed.
Is there a process for physical access control to Data Centers?
Remote access is managed.
Is remote VPN access managed? How is it authenticated? Do terminated employees lose their access?
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
Are information system access profiles built in alignment with employee roles? Is the principle of least privilege implemented?
Network integrity is protected (e.g., network segregation, network segmentation).
Is there network segmentation to protect systems holding personal data? How is the system architecture designed?
Individuals and devices are reviewed and bound to credentials and authenticated according to transaction risk (e.g., security and privacy risks to individuals and other organizational risks).
Is there an access review process implemented?
Data Security
Data at rest is protected.
Do network directories have access control implemented?
Data in transit is protected.
Do information systems have encryption for internet communication (SSL)?
Data in transit is protected.
Do information systems have encryption for internal communication?
Systems/products/services and associated data are formally managed during removal, transfer, and disposition.
Is there a process for removing/reviewing access profiles upon transfer?
Systems/products/services and associated data are formally managed during removal, transfer, and disposition.
Is the profile deletion process implemented in all information systems?
Adequate capacity to ensure availability is maintained.
Does the organization have a process for generating and monitoring availability indicators for technological environments?
Data leak protections are implemented.
Does the organization have DLP solutions implemented?
Integrity verification mechanisms are used to verify software, firmware, and information integrity.
Does the organization have software integrity control solutions implemented?
Development and test environment(s) are separated from the production environment.
Are development and test environments separated?
Development and test environment(s) are separated from the production environment.
Is the data used in development (DEV) and test (QA) environments fictitious?
Integrity verification mechanisms are used to verify hardware integrity.
Does the organization have hardware integrity control solutions?
Maintenance
Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.
Does the organization have a formally implemented change process?
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
Does the organization have a process for remote maintenance approvals?
Protective Technology
Removable media is protected and its use restricted according to policy.
Does the organization have a defined policy for removable media?
Removable media is protected and its use restricted according to policy.
How are exceptions handled?
The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
Are protection technologies configured to provide only the minimum functionality necessary for the environment to operate?
Communications and control networks are protected.
Does the technological environment have firewall and IPS solutions implemented to protect information?
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
Are technological environments implemented in a fault-resilient architecture?