compliance_regime_control (view) Content (page 1 of 6; rows 1-50 of 291)
Domain | Control | Control Description | Assessment Question | SCF # | Mapped Requirement | Regime |
Asset Management | Approved Technologies | Mechanisms exist to maintain a current list of approved technologies (hardware and software). | Does the organization maintain a current list of approved technologies (hardware and software)? | FII-SCF-AST-0001.4 | A.03.04.08.c | NIST |
Asset Management | Asset Inventories | Mechanisms exist to perform inventories of technology assets that: ▪ Accurately reflects the current systems, applications and services in use; ▪ Identifies authorized software products, including business justification details; ▪ Is at the level of granularity deemed necessary for tracking and reporting; ▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and ▪ Is available for review and audit by designated organizational personnel. | Does the organization perform inventories of technology assets that: ▪ Accurately reflects the current systems, applications and services in use; ▪ Identifies authorized software products, including business justification details; ▪ Is at the level of granularity deemed necessary for tracking and reporting; ▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and ▪ Is available for review and audit by designated organizational personnel? | FII-SCF-AST-0002 | 164.310(d)(2)(iii) | US HIPAA |
Asset Management | Asset Inventories | Mechanisms exist to perform inventories of technology assets that: ▪ Accurately reflects the current systems, applications and services in use; ▪ Identifies authorized software products, including business justification details; ▪ Is at the level of granularity deemed necessary for tracking and reporting; ▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and ▪ Is available for review and audit by designated organizational personnel. | Does the organization perform inventories of technology assets that: ▪ Accurately reflects the current systems, applications and services in use; ▪ Identifies authorized software products, including business justification details; ▪ Is at the level of granularity deemed necessary for tracking and reporting; ▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and ▪ Is available for review and audit by designated organizational personnel? | FII-SCF-AST-0002 | A.03.04.10.ODP[01] A.03.04.10.a A.03.04.10.b[01] A.03.04.10.b[02] | NIST |
Asset Management | Data Action Mapping | Mechanisms exist to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed. | Does the organization create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed? | FII-SCF-AST-0002.8 | A.03.04.11.a[01] A.03.04.11.a[02] A.03.04.11.a[03] A.03.04.11.b[01] A.03.04.11.b[02] | NIST |
Asset Management | Re-Imaging Devices After Travel | Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies. | Does the organization re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies? | FII-SCF-AST-0025 | A.03.04.12.b | NIST |
Asset Management | Removal of Assets | Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities. | Does the organization authorize, control and track technology assets entering and exiting organizational facilities? | FII-SCF-AST-0011 | 164.310(d)(1) 164.310(d)(2) | US HIPAA |
Asset Management | Return of Assets | Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement. | Does the organization ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement? | FII-SCF-AST-0010 | A.03.09.02.a.03 | NIST |
Asset Management | Secure Disposal, Destruction or Re-Use of Equipment | Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components. | Does the organization securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components? | FII-SCF-AST-0009 | 164.310(d)(2)(i) 164.310(d)(2)(ii) | US HIPAA |
Asset Management | Travel-Only Devices | Mechanisms exist to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies. | Does the organization issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies? | FII-SCF-AST-0024 | A.03.04.12.a | NIST |
Asset Management | Updates During Installations / Removals | Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades. | Does the organization update asset inventories as part of component installations, removals and asset upgrades? | FII-SCF-AST-0002.1 | 164.310(d)(2)(iii) | US HIPAA |
Asset Management | Updates During Installations / Removals | Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades. | Does the organization update asset inventories as part of component installations, removals and asset upgrades? | FII-SCF-AST-0002.1 | A.03.04.10.c[01] A.03.04.10.c[02] A.03.04.10.c[03] | NIST |
Business Continuity & Disaster Recovery | Accessibility | Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster. | Does the organization identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster? | FII-SCF-BCD-0009.2 | 164.310(a)(2)(i) | US HIPAA |
Business Continuity & Disaster Recovery | Alternate Processing Site | Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site. | Does the organization establish an alternate processing site that provides security measures equivalent to that of the primary site? | FII-SCF-BCD-0009 | 164.310(a)(2)(i) | US HIPAA |
Business Continuity & Disaster Recovery | Alternate Storage Site | Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information. | Does the organization establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information? | FII-SCF-BCD-0008 | 164.310(a)(2)(i) | US HIPAA |
Business Continuity & Disaster Recovery | Business Continuity Management System (BCMS) | Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks). | Does the organization facilitate the implementation of contingency planning controls to help ensure resilient assets and services (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks)? | FII-SCF-BCD-0001 | 164.308(a)(7)(ii)(B) 164.308(a)(7)(ii)(C) 164.310(b) | US HIPAA |
Business Continuity & Disaster Recovery | Contingency Plan Testing & Exercises | Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan. | Does the organization conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan? | FII-SCF-BCD-0004 | 164.308(a)(7)(ii)(D) | US HIPAA |
Business Continuity & Disaster Recovery | Cryptographic Protection | Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information. | Are cryptographic mechanisms utilized to prevent the unauthorized disclosure and/or modification of backup information? | FII-SCF-BCD-0011.4 | A.03.08.09.a A.03.08.09.b | NIST |
Business Continuity & Disaster Recovery | Data Backups | Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). | Does the organization create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)? | FII-SCF-BCD-0011 | 164.308(a)(7)(ii)(A) 164.310(d)(2)(iv) | US HIPAA |
Business Continuity & Disaster Recovery | Identify Critical Assets | Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions. | Does the organization identify and document the critical systems, applications and services that support essential missions and business functions? | FII-SCF-BCD-0002 | 164.308(a)(7)(ii)(E) | US HIPAA |
Business Continuity & Disaster Recovery | Simulated Events | Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. | Does the organization incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations? | FII-SCF-BCD-0003.1 | 164.308(a)(7)(ii)(D) | US HIPAA |
Change Management | Change Management Program | Mechanisms exist to facilitate the implementation of a change management program. | Does the organization facilitate the implementation of a change management program? | FII-SCF-CHG-0001 | A.03.04.03.d[01] A.03.04.03.d[02] | NIST |
Change Management | Configuration Change Control | Mechanisms exist to govern the technical configuration change control processes. | Does the organization govern the technical configuration change control processes? | FII-SCF-CHG-0002 | A.03.04.03.a A.03.04.03.c[01] | NIST |
Change Management | Control Functionality Verification | Mechanisms exist to verify the functionality of cybersecurity and/or data privacy controls following implemented changes to ensure applicable controls operate as designed. | Does the organization verify the functionality of cybersecurity and/or data privacy controls following implemented changes to ensure applicable controls operate as designed? | FII-SCF-CHG-0006 | A.03.04.04.b | NIST |
Change Management | Permissions To Implement Changes | Mechanisms exist to limit operational privileges for implementing changes. | Does the organization limit operational privileges for implementing changes? | FII-SCF-CHG-0004.4 | A.03.04.05[06] | NIST |
Change Management | Prohibition Of Changes | Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received. | Does the organization prohibit unauthorized changes, unless organization-approved change requests are received? | FII-SCF-CHG-0002.1 | A.03.04.03.b[02] A.03.04.05[05] | NIST |
Change Management | Security Impact Analysis for Changes | Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change. | Does the organization analyze proposed changes for potential security impacts, prior to the implementation of the change? | FII-SCF-CHG-0003 | A.03.04.03.b[01] A.03.04.04.a | NIST |
Change Management | Stakeholder Notification of Changes | Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes. | Does the organization ensure stakeholders are made aware of and understand the impact of proposed changes? | FII-SCF-CHG-0005 | A.03.04.11.b[01] A.03.04.11.b[02] | NIST |
Change Management | Test, Validate & Document Changes | Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment. | Does the organization appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment? | FII-SCF-CHG-0002.2 | A.03.04.03.c[02] | NIST |
Compliance | Cybersecurity & Data Protection Assessments | Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements. | Does the organization ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements? | FII-SCF-CPL-0003 | 164.308(a)(8) | US HIPAA |
Compliance | Cybersecurity & Data Protection Assessments | Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements. | Does the organization ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements? | FII-SCF-CPL-0003 | A.03.12.01 | NIST |
Compliance | Cybersecurity & Data Protection Controls Oversight | Mechanisms exist to provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership. | Does the organization provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership? | FII-SCF-CPL-0002 | 164.308(a)(8) | US HIPAA |
Compliance | Cybersecurity & Data Protection Controls Oversight | Mechanisms exist to provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership. | Does the organization provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership? | FII-SCF-CPL-0002 | A.03.12.03[01] A.03.12.03[03] A.03.12.03[04] | NIST |
Compliance | Functional Review Of Cybersecurity & Data Protection Controls | Mechanisms exist to regularly review technology assets for adherence to the organization’s cybersecurity & data protection policies and standards. | Does the organization regularly review technology assets for adherence to the organization’s cybersecurity & data protection policies and standards? | FII-SCF-CPL-0003.2 | A.03.12.03[02] | NIST |
Compliance | Internal Audit Function | Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes. | Does the organization implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes? | FII-SCF-CPL-0002.1 | A.03.12.01.ODP[01] | NIST |
Compliance | Statutory, Regulatory & Contractual Compliance | Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls. | Does the organization facilitate the identification and implementation of relevant statutory, regulatory and contractual controls? | FII-SCF-CPL-0001 | 164.302 164.318 164.318(a) 164.318(a)(1) 164.318(a)(2) 164.318(b) 164.318(c) 164.534 164.534(a) 164.534(b) 164.534(c) | US HIPAA |
Configuration Management | Approved Configuration Deviations | Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations. | Does the organization document, assess risk and approve or deny deviations to standardized configurations? | FII-SCF-CFG-0002.7 | A.03.04.02.b[01] A.03.04.02.b[02] | NIST |
Configuration Management | Automated Central Management & Verification | Automated mechanisms exist to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies. | Does the organization use automated mechanisms to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies? | FII-SCF-CFG-0002.2 | A.03.04.03.d[01] A.03.04.03.d[02] | NIST |
Configuration Management | Baseline Tailoring | Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: ▪ Mission / business functions; ▪ Operational environment; ▪ Specific threats or vulnerabilities; or ▪ Other conditions or situations that could affect mission / business success. | Does the organization allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: ▪ Mission / business functions; ▪ Operational environment; ▪ Specific threats or vulnerabilities; or ▪ Other conditions or situations that could affect mission / business success? | FII-SCF-CFG-0002.9 | A.03.03.02.b | NIST |
Configuration Management | Configuration Management Program | Mechanisms exist to facilitate the implementation of configuration management controls. | Does the organization facilitate the implementation of configuration management controls? | FII-SCF-CFG-0001 | A.03.04.03.a | NIST |
Configuration Management | Configure Systems, Components or Services for High-Risk Areas | Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations. | Does the organization configure systems utilized in high-risk areas with more restrictive baseline configurations? | FII-SCF-CFG-0002.5 | A.03.04.12.ODP[01] A.03.04.12.ODP[02] | NIST |
Configuration Management | Explicitly Allow / Deny Applications | Mechanisms exist to explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems. | Does the organization explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems? | FII-SCF-CFG-0003.3 | A.03.04.08.ODP[01] A.03.04.08.a A.03.04.08.b A.03.13.13.b[03] | NIST |
Configuration Management | Least Functionality | Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services. | Does the organization configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services? | FII-SCF-CFG-0003 | A.03.04.02.ODP[01] A.03.04.06.d | NIST |
Configuration Management | Periodic Review | Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services. | Does the organization periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services? | FII-SCF-CFG-0003.1 | A.03.04.06.ODP[06] | NIST |
Configuration Management | Reviews & Updates | Mechanisms exist to review and update baseline configurations: ▪ At least annually; ▪ When required due to so; or ▪ As part of system component installations and upgrades. | Does the organization review and update baseline configurations: ▪ At least annually; ▪ When required due to so; or ▪ As part of system component installations and upgrades? | FII-SCF-CFG-0002.1 | A.03.04.01.ODP[01] A.03.04.01.b[01] A.03.04.01.b[02] A.03.04.01.b[03] A.03.04.01.b[04] A.03.04.06.c | NIST |
Configuration Management | Sensitive / Regulated Data Access Enforcement | Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data. | Does the organization configure systems, applications and processes to restrict access to sensitive/regulated data? | FII-SCF-CFG-0008 | A.03.01.02[01] | NIST |
Configuration Management | System Hardening Through Baseline Configurations | Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards. | Does the organization develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards? | FII-SCF-CFG-0002 | A.03.01.03[01] A.03.01.16.a[03] A.03.01.16.c A.03.01.18.a[02] A.03.03.08.a[02] A.03.04.01.a[01] A.03.04.01.a[02] A.03.04.02.a[01] A.03.04.02.a[02] A.03.04.06.ODP[01] A.03.04.06.ODP[02] A.03.04.06.ODP[03] A.03.04.06.ODP[04] A.03.04.06.ODP[05] A.03.04.06.b[01] A.03.04.06.b[02] A.03.04.06.b[03] A.03.04.06.b[04] A.03.04.06.b[05] A.03.05.04[01] A.03.05.04[02] A.03.05.07.c A.03.05.07.d A.03.05.07.e A.03.05.07.f A.03.07.05.b[02] | NIST |
Continuous Monitoring | Access by Subset of Privileged Users | Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need. | Does the organization restrict access to the management of event logs to privileged users with a specific business need? | FII-SCF-MON-0008.2 | A.03.03.08.b | NIST |
Continuous Monitoring | Anomalous Behavior | Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities. | Does the organization detect and respond to anomalous behavior that could indicate account compromise or other malicious activities? | FII-SCF-MON-0016 | A.03.14.06.b | NIST |
Continuous Monitoring | Automated Alerts | Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications. | Does the organization automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications? | FII-SCF-MON-0001.12 | A.03.03.05.b | NIST |
Continuous Monitoring | Centralized Collection of Security Event Logs | Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs. | Does the organization utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs? | FII-SCF-MON-0002 | A.03.03.05.ODP[01] A.03.03.05.a A.03.03.05.c[01] | NIST |