| Sub-domain | Req. Name | Req. Description |
| --- | --- | --- |
| Governance and Oversight | Management Support | Security shall be actively supported through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. This includes Senior Leadership review of the security policy at planned intervals (or when significant change occurs) to coordinate and update changes that keep the policy aligned with and relevant to business, legal, or other requirements. |
| Governance and Oversight | Architecture | Reference architectures that address the following shall be developed: (a) cloud architecture; (b) development environment; (c) test environment; (d) support environment (including remote access and administrative workstations). The reference architectures shall delineate points of demarcation of responsibilities between different groups and identify the security controls in place. |
| Governance and Oversight | Security Program Audit/Assessment | Audit and assessment plans to validate and track compliance with internal and external requirements at scheduled and required intervals shall be developed. This includes: (a) developing a security assessment plan that describes the scope of the assessment, including (i) the security controls and control enhancements under assessment, (ii) the assessment procedures to be used to determine security control effectiveness, and (iii) the assessment environment, assessment team, and assessment roles and responsibilities; (b) assessing the security controls in the information system at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; (c) producing a security assessment report that documents the results of the assessment; (d) providing the results of the security control assessment, in writing, to the authorizing official or the authorizing official's designated representative; (e) employing an independent assessor or assessment team to conduct an assessment of the security controls in the information system. |
| Governance and Oversight | Data Retention | Information held within and output from IT systems shall be handled and retained in accordance with applicable national and local laws, executive orders, directives, policies, regulations, standards, and operational requirements. |
| Governance and Oversight | Policies | A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties. Policies shall cover, at a minimum: (a) encryption; (b) user access; (c) privileged access; (d) monitoring; (e) coordination with law enforcement. |
| Governance and Oversight | Policy Enforcement | Information security policies shall be enforced by management. |
| Governance and Oversight | Standards | Standards shall be developed and implemented for: (a) the SDLC; (b) separation of development, test, and operational environments; (c) security testing before and after implementations; (d) secure configuration of systems (hosted, development, administrative). |
| Operating Model and Business Alignment | Segregation of Duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. |
| Operating Model and Business Alignment | Roles and Responsibilities | Security roles and responsibilities of employees, contractors, and third-party users shall be clearly defined and documented in accordance with the information security policy. |
| Risk Management | Risk and Mitigation Tracking | Risks shall be tracked, and mitigation efforts developed and executed, so that risks are reduced to an acceptable level (based on established risk criteria) within reasonable timeframes and with executive approval. |
| Risk Management | Non-compliance Management | Procedures shall exist to ensure that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis. |
| Risk Management | Remediation Tracking | Areas of noncompliance shall be remediated and progress toward remediation tracked, including: (a) developing a plan of action and milestones for the information system to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls, and to reduce or eliminate known vulnerabilities in the system; (b) updating the existing plan of action and milestones each quarter, based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. |
| Security Culture | Training and Awareness | A training and awareness program focused on cloud product security shall be in place. The program shall include: (a) reviewing risks; (b) reviewing the actions each group shall take to treat risks; (c) training and testing participants in their responsibilities; (d) requiring participants to pass before being allowed to take part in the development and support of cloud products. |
| Security Culture | Security Policies | Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies shall be authorized by business leadership (or another accountable business role or function) and supported by a strategic business plan and an information security management program that includes defined information security roles and responsibilities for business leadership. Documented procedures shall be used to facilitate the implementation of the information security policy and associated controls. Documented procedures shall address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and shall cover, at a minimum, the following areas: (a) access control; (b) security awareness and training; (c) audit and accountability; (d) security assessment and authorization; (e) configuration management; (f) contingency planning; (g) identification and authentication; (h) incident response; (i) information system maintenance; (j) media protection; (k) physical and environmental protection; (l) security planning; (m) personnel security; (n) risk assessment; (o) system and services acquisition; (p) system and communications protection; (q) system and information integrity. |