  1. Leadership and high level objectives
    1. Analyze organizational objectives, functions, and activities.
    2. Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.
    3. Define the Information Assurance strategic roles and responsibilities.
    4. Establish and maintain a strategic plan.
    5. Establish and maintain a Governance, Risk, and Compliance awareness and training program.
    6. Establish and maintain communication protocols.
    7. Establish and maintain an internal reporting program.
    8. Establish and maintain an external reporting program.
  2. Audits and risk management
    1. Define the roles and responsibilities for personnel assigned to tasks in the Audit function.
    2. Establish and maintain an audit program.
    3. Establish and maintain a risk management program.
    4. Publish a Report on Compliance for the organization's external requirements.
  3. Monitoring and measurement
    1. Establish and maintain Security Control System monitoring and reporting procedures.
    2. Implement Security Control System monitoring and reporting procedures.
    3. Establish, implement, and maintain logging and monitoring operations.
    4. Establish and maintain a risk monitoring program.
    5. Establish, implement, and maintain a testing program.
    6. Monitor the usage and capacity of critical Information Technology assets.
    7. Establish and maintain a service management monitoring and metrics program.
    8. Establish and maintain a compliance monitoring policy.
    9. Monitor the performance of the governance, risk, and compliance capability.
    10. Monitor the organizational culture.
    11. Include monitoring in the corrective action plan.
    12. Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.
    13. Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis.
    14. Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis.
    15. Provide intelligence support to the organization, as necessary.
  4. Technical Security
    1. Establish and maintain an access classification scheme.
    2. Establish and maintain a digital identity management program.
    3. Establish and maintain an access control program.
    4. Identify and control all network access controls.
    5. Enforce information flow control.
    6. Secure access to each system component operating system.
    7. Control all methods of remote access and teleworking.
    8. Manage the use of encryption controls and cryptographic controls.
    9. Establish, implement, and maintain a malicious code protection program.
    10. Establish and maintain an application security policy.
    11. Establish and maintain a virtual environment and shared resources security program.
  5. Physical and environmental protection
    1. Establish and maintain a physical security program.
    2. Establish and maintain an environmental control program.
  6. Operational and Systems Continuity
    1. Establish and maintain a business continuity program.
    2. Prepare the alternate facility for an emergency offsite relocation.
    3. Establish and maintain a continuity test plan.
    4. Test the continuity plan, as necessary.
    5. Implement the continuity plan, as necessary.
  7. Human Resources management
    1. Establish and maintain high level operational roles and responsibilities.
    2. Define and assign workforce roles and responsibilities.
    3. Analyze workforce management.
    4. Establish and maintain a personnel management program.
    5. Establish and maintain the staff structure in line with the strategic plan.
    6. Establish job categorization criteria, job recruitment criteria, and promotion criteria.
    7. Train all personnel and third parties, as necessary.
    8. Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment.
    9. Establish, implement, and maintain performance reviews, as necessary.
    10. Establish and maintain an ethics program.
  8. Operational management
    1. Establish and implement a capacity management plan.
    2. Manage cloud services.
    3. Establish, implement, and maintain a Governance, Risk, and Compliance framework.
    4. Establish and maintain a Service Management System, as necessary.
    5. Establish and maintain a network management program.
    6. Establish and maintain an Asset Management program.
    7. Establish and maintain a customer service program.
    8. Establish and maintain an Incident Response program.
    9. Establish and maintain a performance management standard.
    10. Establish and maintain a collection management program.
    11. Provide language analysis support, as necessary.
    12. Establish and maintain a Service Level Agreement framework.
    13. Establish, implement, and maintain a cost management program.
    14. Establish and maintain a change control program.
    15. Document the organization's local environments.
    16. Manage the creation of products and services, as necessary.
    17. Establish and maintain a service catalog.
    18. Conduct official proceedings, as necessary.
  9. System hardening through configuration management
    1. Establish and maintain a Configuration Management program.
    2. Identify and document the system's Configurable Items.
    3. Establish and maintain a system hardening standard.
    4. Establish and maintain system hardening procedures.
  10. Records management
    1. Establish and implement a translation management program.
    2. Establish and implement an information management program.
    3. Establish, implement, and maintain records management policies.
    4. Establish, implement, and maintain records management procedures.
  11. Systems design, build, and implementation
    1. Establish and maintain a System Development Life Cycle program.
    2. Initiate the System Development Life Cycle planning phase.
    3. Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
    4. Initiate the System Development Life Cycle implementation phase.
    5. Establish and maintain end user support communications.
  12. Acquisition or sale of facilities, technology, and services
    1. Establish and maintain a product upgrade program.
    2. Plan for acquiring facilities, technology, or services.
    3. Acquire products or services.
    4. Establish, implement, and maintain facilities, assets, and services acceptance procedures.
  13. Privacy protection for information and data
    1. Establish and maintain a privacy framework that protects restricted data.
      1. Establish, implement, and maintain a personal data transparency program.
        1. Establish and maintain privacy notices, as necessary.
        2. Establish, implement, and maintain adequate openness procedures.
        3. Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
      2. Establish, implement, and maintain a privacy policy.
        1. Document privacy policies in clearly written and easily understood language.
        2. Notify interested personnel and affected parties when changes are made to the privacy policy.
        3. Disseminate and communicate the privacy policy, as necessary.
      3. Establish, implement, and maintain a personal data choice and consent program.
        1. Establish and maintain disclosure authorization forms for authorization of consent to use personal data.
      4. Establish, implement, and maintain a personal data accountability program.
        1. Assign ownership of the privacy program to the appropriate organizational role.
        2. Establish and maintain Binding Corporate Rules for the international transfers of personal data.
      5. Establish and maintain a personal data use limitation program.
        1. Establish, implement, and maintain a personal data use purpose specification.
        2. Establish and maintain personal data access procedures.
        3. Establish, implement, and maintain personal data use limitation procedures.
        4. Establish and maintain personal data disclosure procedures.
      6. Establish and maintain a personal data collection program.
        1. Establish and maintain personal data collection limitation boundaries.
      7. Establish and maintain a data handling program.
        1. Establish, implement, and maintain data handling policies.
        2. Establish and maintain data handling procedures.
      8. Establish, implement, and maintain a privacy impact assessment.
      9. Review compliance with the organization's privacy objectives.
      10. Develop remedies and sanctions for privacy policy violations.
        1. Investigate privacy rights violation complaints.
  14. Harmonization Methods and Manual of Style
    1. Establish, implement, and maintain terminological resources.
  15. Third Party and supply chain oversight
    1. Establish and maintain a supply chain management program.
    2. Establish, implement, and maintain supply chain due diligence standards.
    3. Conduct all parts of the supply chain due diligence process.
    4. Establish and maintain a supply chain due diligence report.
    5. Establish and maintain third party reporting requirements.
    6. Assess the effectiveness of third party services provided to the organization.
    7. Establish and maintain outsourcing contracts.
    8. Establish and maintain a chain of custody or traceability system over the entire supply chain.
    9. Establish and maintain third party security forces to protect the supply chain, as necessary.
    10. Establish and maintain information security controls for the supply chain.