1. Audit & Assurance - A&A
    1. A&A-01 Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards.
      1. Review and update the policies and procedures at least annually.
    2. A&A-02 Conduct independent audit and assurance assessments according to relevant standards at least annually.
    3. A&A-03 Perform independent audit and assurance assessments according to risk-based plans and policies.
    4. A&A-04 Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.
    5. A&A-05 Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.
    6. A&A-06 Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.
  2. Application & Interface Security - AIS
    1. AIS-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities.
      1. Review and update the policies and procedures at least annually.
    2. AIS-02 Establish, document and maintain baseline requirements for securing different applications.
    3. AIS-03 Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.
    4. AIS-04 Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.
    5. AIS-05 Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
    6. AIS-06 Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
    7. AIS-07 Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.
  3. Business Continuity Management and Operational Resilience - BCR
    1. BCR-01 Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures.
      1. Review and update the policies and procedures at least annually.
    2. BCR-02 Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.
    3. BCR-03 Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.
    4. BCR-04 Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.
    5. BCR-05 Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs.
      1. Make the documentation available to authorized stakeholders and review periodically.
    6. BCR-06 Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.
    7. BCR-07 Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.
    8. BCR-08 Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
    9. BCR-09 Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters.
      1. Update the plan at least annually or upon significant changes.
    10. BCR-10 Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.
    11. BCR-11 Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.
  4. Change Control and Configuration Management - CCC
    1. CCC-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).
      1. Review and update the policies and procedures at least annually.
    2. CCC-02 Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.
    3. CCC-03 Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).
    4. CCC-04 Restrict the unauthorized addition, removal, update, and management of organization assets.
    5. CCC-05 Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.
    6. CCC-06 Establish change management baselines for all relevant authorized changes on organization assets.
    7. CCC-07 Implement detection measures with proactive notification in case of changes deviating from the established baseline.
    8. CCC-08 Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process.
      1. Align the procedure with the requirements of GRC-04: Policy Exception Process.
    9. CCC-09 Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.
  5. Cryptography, Encryption & Key Management - CEK
    1. CEK-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management.
      1. Review and update the policies and procedures at least annually.
    2. CEK-02 Define and implement cryptographic, encryption and key management roles and responsibilities.
    3. CEK-03 Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
    4. CEK-04 Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
    5. CEK-05 Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
    6. CEK-06 Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
    7. CEK-07 Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.
    8. CEK-08 CSPs must provide the capability for CSCs to manage their own data encryption keys.
    9. CEK-09 Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s).
    10. CEK-10 Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.
    11. CEK-11 Manage cryptographic secret and private keys that are provisioned for a unique purpose.
    12. CEK-12 Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
    13. CEK-13 Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.
    14. CEK-14 Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
    15. CEK-15 Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
    16. CEK-16 Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
    17. CEK-17 Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.
    18. CEK-18 Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.
    19. CEK-19 Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.
    20. CEK-20 Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.
    21. CEK-21 Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
  6. Datacenter Security - DCS
    1. DCS-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
    2. DCS-02 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
    3. DCS-03 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.
    4. DCS-04 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.
    5. DCS-05 "Classify and document the physical, and logical assets (e.g., applications) based on the organizational business risk".
    6. DCS-06 Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.
    7. DCS-07 Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.
    8. DCS-08 Use equipment identification as a method for connection authentication.
    9. DCS-09 Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.
    10. DCS-10 Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts.
    11. DCS-11 Train datacenter personnel to respond to unauthorized ingress or egress attempts.
    12. DCS-12 Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms.
    13. DCS-13 Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards.
    14. DCS-14 Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals.
    15. DCS-15 Keep business-critical equipment away from locations subject to high probability for environmental risk events.
      1. CEK-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
      2. CEK-02 Define and implement cryptographic, encryption and key management roles and responsibilities.
      3. CEK-03 Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
      4. CEK-04 Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
      5. CEK-05 Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
      6. CEK-06 Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
      7. CEK-07 Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.
      8. CEK-08 CSPs must provide the capability for CSCs to manage their own data encryption keys.
      9. CEK-09 Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s).
      10. CEK-10 Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.
      11. CEK-11 Manage cryptographic secret and private keys that are provisioned for a unique purpose.
      12. CEK-12 Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
      13. CEK-13 Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.
      14. CEK-14 Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
      15. CEK-15 Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
      16. CEK-16 Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
      17. CEK-17 Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.
      18. CEK-18 Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.
      19. CEK-19 Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.
      20. CEK-20 Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.
      21. CEK-21 Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
  7. Data Security and Privacy Lifecycle Management - DSP
    1. DSP-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
    2. DSP-02 Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.
    3. DSP-03 Create and maintain a data inventory, at least for any sensitive data and personal data.
    4. DSP-04 Classify data according to its type and sensitivity level.
    5. DSP-05 Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.
    6. DSP-06 Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually.
    7. DSP-07 Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
    8. DSP-08 Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
    9. DSP-09 Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.
    10. DSP-10 Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.
    11. DSP-11 Define and implement, processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations.
    12. DSP-12 Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.
    13. DSP-13 Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
    14. DSP-14 Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
    15. DSP-15 Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.
    16. DSP-16 Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations.
    17. DSP-17 Define and implement, processes, procedures and technical measures to protect sensitive data throughout it's lifecycle.
    18. DSP-18 The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.
    19. DSP-19 Define and implement, processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.
  8. Governance, Risk and Compliance - GRC
    1. GRC-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization.
      1. Review and update the policies and procedures at least annually.
    2. GRC-02 Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.
    3. GRC-03 Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.
    4. GRC-04 Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.
    5. GRC-05 Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
    6. GRC-06 Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs.
    7. GRC-07 Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization.
    8. GRC-08 Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.
  9. Human Resources - HRS
    1. HRS-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.
    2. HRS-02 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets.
      1. Review and update the policies and procedures at least annually.
    3. HRS-03 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data.
      1. Review and update the policies and procedures at least annually.
    4. HRS-04 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations.
      1. Review and update the policies and procedures at least annually.
    5. HRS-05 Establish and document procedures for the return of organization-owned assets by terminated employees.
    6. HRS-06 Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.
    7. HRS-07 Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets.
    8. HRS-08 The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies.
    9. HRS-09 Document and communicate roles and responsibilities of employees, as they relate to information assets and security.
    10. HRS-10 Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.
    11. HRS-11 Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.
    12. HRS-12 Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
    13. HRS-13 Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
  10. Identity & Access Management - IAM
    1. IAM-01 Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management.
      1. Review and update the policies and procedures at least annually.
    2. IAM-02 Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures.
      1. Review and update the policies and procedures at least annually.
    3. IAM-03 Manage, store, and review the information of system identities, and level of access.
    4. IAM-04 Employ the separation of duties principle when implementing information system access.
    5. IAM-05 Employ the least privilege principle when implementing information system access.
    6. IAM-06 Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.
    7. IAM-07 De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.
    8. IAM-08 Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.
    9. IAM-09 Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.
    10. IAM-10 Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.
    11. IAM-11 Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles.
    12. IAM-12 Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.
    13. IAM-13 Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.
    14. IAM-14 Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access.
      1. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.
    15. IAM-15 Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.
    16. IAM-16 Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.
  11. Interoperability & Portability - IPY
    1. IPY-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
      1. a. Communications between application interfaces
      2. b. Information processing interoperability
      3. c. Application development portability
      4. d. Information/Data exchange, usage, portability, integrity, and persistence
      5. Review and update the policies and procedures at least annually."
    2. IPY-02 Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable interoperability and portability.
    3. IPY-03 Implement cryptographically secure and standardized network protocols for the management, import and export of data.
    4. IPY-04 Agreements must include provisions specifying CSCs access to data upon contract termination and will include:
      1. a. Data format
      2. b. Length of time the data will be stored
      3. c. Scope of the data retained and made available to the CSCs
      4. d. Data deletion policy
  12. Infrastructure & Virtualization Security - IVS
    1. IVS-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security.
      1. Review and update the policies and procedures at least annually.
    2. IVS-02 Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business.
    3. IVS-03 Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business.
      1. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
    4. IVS-04 Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.
    5. IVS-05 Separate production and non-production environments.
    6. IVS-06 Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.
    7. IVS-07 Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments.
      1. Such channels must include only up-to-date and approved protocols.
    8. IVS-08 Identify and document high-risk environments.
    9. IVS-09 Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.
  13. Logging and Monitoring - LOG
    1. LOG-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring.
      1. Review and update the policies and procedures at least annually.
    2. LOG-02 Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.
    3. LOG-03 Identify and monitor security-related events within applications and the underlying infrastructure.
      1. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
    4. LOG-04 Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.
    5. LOG-05 Monitor security audit logs to detect activity outside of typical or expected patterns.
      1. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
    6. LOG-06 Use a reliable time source across all relevant information processing systems.
    7. LOG-07 Establish, document and implement which information meta/data system events should be logged.
      1. Review and update the scope at least annually or whenever there is a change in the threat environment.
    8. LOG-08 Generate audit records containing relevant security information.
    9. LOG-09 The information system protects audit records from unauthorized access, modification, and deletion.
    10. LOG-10 Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
    11. LOG-11 Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
    12. LOG-12 Monitor and log physical access using an auditable access control system.
    13. LOG-13 Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
  14. Security Incident Management, E-Discovery, & Cloud Forensics - SEF
    1. SEF-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics.
      1. Review and update the policies and procedures at least annually.
    2. SEF-02 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents.
      1. Review and update the policies and procedures at least annually.
    3. SEF-03 Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted.
    4. SEF-04 Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness.
    5. SEF-05 Establish and monitor information security incident metrics.
    6. SEF-06 Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.
    7. SEF-07 Define and implement, processes, procedures and technical measures for security breach notifications.
      1. Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
    8. SEF-08 Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.
  15. Supply Chain Management, Transparency, and Accountability - STA
    1. STA-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization.
      1. Review and update the policies and procedures at least annually.
    2. STA-02 Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
    3. STA-03 Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
    4. STA-04 Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
    5. STA-05 Review and validate SSRM documentation for all cloud services offerings the organization uses.
    6. STA-06 Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
    7. STA-07 Develop and maintain an inventory of all supply chain relationships.
    8. STA-08 CSPs periodically review risk factors associated with all organizations within their supply chain.
    9. STA-09 Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:
      1. • Scope, characteristics and location of business relationship and services offered
      2. • Information security requirements (including SSRM)
      3. • Change management process
      4. • Logging and monitoring capability
      5. • Incident management and communication procedures
      6. • Right to audit and third party assessment
      7. • Service termination
      8. • Interoperability and portability requirements
      9. • Data privacy
    10. STA-10 Review supply chain agreements between CSPs and CSCs at least annually.
    11. STA-11 Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
    12. STA-12 Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
    13. STA-13 Periodically review the organization's supply chain partners' IT governance policies and procedures.
    14. STA-14 Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.
  16. Threat & Vulnerability Management - TVM
    1. TVM-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation.
      1. Review and update the policies and procedures at least annually.
    2. TVM-02 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets.
      1. Review and update the policies and procedures at least annually.
    3. TVM-03 Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
    4. TVM-04 Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.
    5. TVM-05 Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.
    6. TVM-06 Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
    7. TVM-07 Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
    8. TVM-08 Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.
    9. TVM-09 Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.
    10. TVM-10 Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.
  17. Universal Endpoint Management - UEM
    1. UEM-01 Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints.
      1. Review and update the policies and procedures at least annually.
    2. UEM-02 Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
    3. UEM-03 Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
    4. UEM-04 Maintain an inventory of all endpoints used to store and access company data.
    5. UEM-05 Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
    6. UEM-06 Configure all relevant interactive-use endpoints to require an automatic lock screen.
    7. UEM-07 Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.
    8. UEM-08 Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
    9. UEM-09 Configure managed endpoints with anti-malware detection and prevention technology and services.
    10. UEM-10 Configure managed endpoints with properly configured software firewalls.
    11. UEM-11 Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
    12. UEM-12 Enable remote geo-location capabilities for all managed mobile endpoints.
    13. UEM-13 Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
    14. UEM-14 Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.