Do your due diligence by verifying assessment responses. This is a defensible step that helps ensure you are getting truthful answers. We recommend that you add a few more requirements every year in order to gradually expand the body of evidence.

You can ask for evidence after the assessment has been submitted OR proactively set the requirements in an assessment template. This is the easier method. Learn how to set assessment requirements here.

The recommended list of administrative requirements is below:

1.1 Risk Management Practices and Integration (1)

2.1 Policies for Information Security (1)

2.3 Security Roles and Responsibilities (1)

2.4 Separation of Duties (2)

3.2 Management Responsibilities (1)

3.3 Information Security Awareness, Education, and Training (1)

3.4 Specialized Information Security Education and Training (1)

3.5 Termination or Change of Employment Responsibilities (1)

4.1 Inventory of Assets (2)

4.5 Cloud Service Security Management (2)

5.1 Access Control Policy (2)

5.2 Account Management (2)

5.4 Secure Log-on Procedures (1)

6.1 Encryption Policy and Control (2)

7.1 Mobile Device Policy (2)

7.3 Documented Operating Procedures (2)

7.5 Controls Against Malware (1)

7.7 Event Logging (2)

7.9 Management of Technical Vulnerabilities (2)

7.10 Information Systems Audit Controls (2)

7.12 Information Transfer Policies and Procedures (1)

7.13 Information Security Requirements Analysis and Specification (2)

7.15 Third-Party Security Risk Management (2)

8.1 Incident Management Roles and Responsibilities (2)

9.1 Planning Information Security Continuity (2)
9.2 Recovery Plan Details (1)

10.3 Independent Review of Information Security (1)

10.4 Compliance with Security Policies and Standards (1)

10.5 Protections Against Financial Fraud (2)

Section 1.1 - Risk Management Practices and Integration

Risk decisions (accept, mitigate, avoid, transfer, etc.) are made by executive management personnel with the authority to do so.

If True, ask for a copy of a policy or process with management sign-off

If False, consider pursuing in remediation

If N/A, ask for a note explaining when [date] the policy/process for risk decision-making will be implemented

The recommended list of administrative requirements is below:

Section 1.1 - Risk Management Practices and Integration

Risk decisions (accept, mitigate, avoid, transfer, etc.) are made by executive management personnel with the authority to do so.

Section 2.1 - Policies for Information Security

The organization has defined a set of information security policies that are formally approved by executive management.

Section 2.3 - Security Roles and Responsibilities

Information security roles and responsibilities are formally defined and documented.

Section 2.4 - Separation of Duties

Care has been taken to ensure that no single person can access, modify and/or use information resources without authorization or detection.

Where separation of duties is not feasible, compensating controls such as activity monitoring, audit trails, and management supervision are in place.

Section 3.2 - Management Responsibilities

Personnel activity is monitored to detect potential cybersecurity events.

Section 3.3 - Information Security Awareness, Education, and Training

Employees, contractors, and third party resources receive security awareness training prior to being granted access to information resources.

Section 3.4 - Specialized Information Security Education and Training

Privileged users have received specialized instruction and training.

Section 3.5 - Termination or Change of Employment Responsibilities

Post-employment processes (account removal, password changes, etc.) are processed and validated immediately for involuntary terminations.

Section 4.1 - Inventory of Assets

Physical devices and systems within the organization are all inventoried.

Software platforms and applications within the organization are inventoried.

Section 4.5 - Cloud Service Security Management

A complete, up to date, and detailed inventory of all cloud services is maintained.

Data transferred to and from the cloud is all encrypted.

Section 5.1 - Access Control Policy

Segregation of access control roles is sufficient (e.g., access request, access authorization, and access administration).

A periodic review of user accounts and access rights is conducted according to a defined process and procedure.

Section 5.2 - Account Management

The use of shared user accounts is prohibited by the organization.

System/service accounts are inventoried and specifically authorized.

Section 5.4 - Secure Log-on Procedures

User authentication is required for access to all internal and confidential information resources.

Section 6.1 - Encryption Policy and Control

Encryption requirements for protecting data at rest are documented.

Encrypted data transfer solutions are provided to users (e.g., encrypted email, SFTP).

Section 7.1 - Mobile Device Policy

The organization requires access controls for mobile devices.

Remote disable, wipe, and account lockout are documented mobile device security requirements.

Section 7.3 - Documented Operating Procedures

Documented operating procedures for the installation and configuration of server systems exist and are followed.

Detailed operating procedures and instructions for backups are documented, reviewed, and kept up to date.

Section 7.5 - Controls Against Malware

Malicious code protection mechanisms (anti-virus, spam guard, adware, spyware, etc.) are in place, are up to date and rely on multiple software solutions, limiting single points of failure.

Section 7.7 - Event Logging

Logging and monitoring settings are applied consistently across all critical/important systems.

Event and security logs are regularly reviewed according to a documented requirement and schedule.

Section 7.9 - Management of Technical Vulnerabilities

Management engages in proactive vulnerability scanning to identify, assess, and address known and unknown technical vulnerabilities. Monitoring activities are performed to detect and prevent actual attacks against known and unknown vulnerabilities.

A patch management system has been implemented which includes risk assessments against new patches.

Section 7.10 - Information Systems Audit Controls

Access control audits (user accounts, rights, privileges, and other access) are performed on a regular basis.

The results of information security audits are shared with senior management.

Section 7.12 - Information Transfer Policies and Procedures

Users are formally trained and made aware of common information transfer mistakes.

Section 7.13 - Information Security Requirements Analysis and Specification

The implementation of new systems includes a method for informing users and operators of their information security duties and responsibilities.

Contracts with suppliers are in place and the contracts adequately address security requirements.

Section 7.15 - Third-Party Security Risk Management

The organization has developed and maintains a current inventory of all vendors, including purpose, scope, and information security risk requirements.

Inherent and residual risks related to vendor and third party relationships are reviewed on a regular and ongoing basis.

Section 8.1 - Incident Management Roles and Responsibilities

Formal incident response and escalation procedures have been adequately developed to document actions that must be taken upon knowledge of an information security event.

Incident response procedures are tested on a periodic basis.

Section 9.1 - Planning Information Security Continuity

The organization has developed a formal business continuity plan (BCP) and/or disaster recovery (DR) process.

Business continuity and/or disaster recovery testing and review schedules have been defined.

Section 9.2 - Recovery Plan Details

The organization's recovery plans are tested on a periodic basis, and they have been tested within the past twelve (12) months.

Section 10.3 - Independent Review of Information Security

Reviews of information security policies, processes, procedures, and practices are periodically performed by an independent reviewer (e.g., internal audit, external audit, or a third party security organization specializing in such reviews).

Section 10.4 - Compliance with Security Policies and Standards

Managers regularly review the level of compliance with information security policies and procedures within their respective areas of responsibility.

Section 10.5 - Protections Against Financial Fraud

Dual control is required for all changes to payment accounts and all payment account setups.

The use of strong authentication is required for all access to financial systems.

Related Articles