HECVAT 4.02

HECVAT is a standardized questionnaire used by colleges and universities to evaluate the security and privacy of third-party vendors and their solutions.

Controls:

Controls related to the foundational structure and governance of the information security program.

  • Information Security Program - GNRL-01

    Is a formally documented and approved information security program in place?

  • Security Awareness Training - GNRL-02

    Is mandatory security awareness training provided to all personnel annually?

  • Security Roles & Responsibilities - GNRL-03

    Are security roles and responsibilities defined and formally assigned to personnel?

  • Acceptable Use Policy - GNRL-04

    Is an acceptable use policy established and enforced for all systems and data?

  • Personnel Background Checks - GNRL-05

    Are background checks or equivalent vetting performed for all personnel with access to sensitive data?

  • Physical Access Controls - GNRL-06

    Are physical access controls implemented to secure facilities and areas where systems and data are located?

  • Data Classification Scheme - GNRL-07

    Is a data classification scheme defined, documented, and applied to all information assets?

  • Compliance Monitoring - GNRL-08

    Are compliance monitoring measures implemented to ensure adherence to internal policies and external regulations?

  • Contract Review & Approval - GNRL-09

    Is a formal review and approval process required for contracts involving information technology and data handling?

  • Security Performance Metrics - GNRL-10

    Are information security performance metrics and reporting procedures defined and regularly reviewed by management?

  • Continuous Improvement Process - GNRL-11

    Is a documented process in place for continuous improvement of the security program, including remediation of audit findings?

  • Change Management Process - GNRL-12

    Is a change management process implemented for all production system changes that includes security review?

  • Asset Inventory - GNRL-13

    Is an accurate and up-to-date inventory maintained for all hardware and software assets?

  • Remote Access Security - GNRL-14

    Is remote access to internal networks and systems secured using documented protocols and controls?

  • Vulnerability Disclosure Program - GNRL-15

    Is a formal vulnerability disclosure or bug reporting program in place for external researchers?

Controls related to the design principles and overall structure of IT systems and security capabilities.

  • Security Architecture Definition - ARCH-01

    Is a defined security architecture used to guide the design and implementation of new systems and services?

  • Network Segmentation - ARCH-02

    Are network environments logically segmented to separate critical systems and limit unauthorized communication?

  • Data Flow Mapping - ARCH-03

    Are data flow maps created and maintained to identify the storage, transmission, and processing of sensitive data?

  • Secure SDLC Integration - ARCH-04

    Is security integrated into the system development lifecycle (SDLC) from the initial design phase?

  • Cryptographic Standards - ARCH-05

    Are cryptographic standards and protocols defined for protecting data and communications?

  • Centralized Logging & Monitoring - ARCH-06

    Are system and application logs centralized, protected, and regularly reviewed for security events?

  • High Availability & Redundancy - ARCH-07

    Are measures in place to ensure high availability and redundancy for critical systems and infrastructure?

  • Immutable Infrastructure - ARCH-08

    Are infrastructure configurations managed as immutable, utilizing automation to prevent unauthorized or manual changes?

  • Secure System Disposal - ARCH-09

    Is a formal process used to securely dispose of systems, media, and data when they are no longer needed?

  • Security Testing & Assessment - ARCH-10

    Are security testing procedures (e.g. penetration testing, vulnerability scanning) defined and executed against production systems?

Controls related to securing software applications, APIs, and the development process.

  • Secure Coding Practices - APP-01

    Are secure coding practices enforced and required for all application development activities?

  • Static Application Security Testing (SAST) - APP-02

    Is static application security testing (SAST) performed on application source code prior to deployment?

  • Dynamic Application Security Testing (DAST) - APP-03

    Is dynamic application security testing (DAST) or equivalent runtime analysis performed on web applications?

  • Input Validation & Sanitization - APP-04

    Are controls implemented to validate and sanitize all user input to prevent injection attacks and other flaws?

  • Cross-Site Scripting (XSS) Prevention - APP-05

    Are measures implemented to prevent Cross-Site Scripting (XSS) in all web applications?

  • SQL Injection Prevention - APP-06

    Are controls implemented to prevent SQL Injection and other command injection attacks in the application layer?

  • Secure Error Handling - APP-07

    Is a secure mechanism implemented for application error handling to prevent the disclosure of sensitive system information?

  • Open-Source Component Management - APP-08

    Is a policy in place governing the use of open-source and third-party software components, including vulnerability monitoring?

  • API Security - APP-09

    Are APIs secured using robust authentication, authorization, and rate limiting controls?

  • Container Security - APP-10

    Are containers and container images hardened and scanned for vulnerabilities and misconfigurations prior to deployment?

  • Serverless Function Security - APP-11

    Are security controls tailored and applied to serverless functions, including strict access controls and execution monitoring?

  • Mobile Application Security - APP-12

    Are mobile applications secured through specific testing, code review, and secure storage practices?

Controls for verifying user identity and managing authorized access to resources.

  • Principle of Least Privilege - ACC-01

    Is a formal access control policy based on the principle of least privilege defined and enforced?

  • Multi-Factor Authentication (MFA) - ACC-02

    Is multi-factor authentication (MFA) required for remote access and for privileged administrative accounts?

  • Account Lifecycle Management - ACC-03

    Is a documented process in place for managing the full lifecycle of user accounts, including timely deprovisioning?

  • Privilege Review & Restriction - ACC-04

    Are user privileges regularly reviewed and restricted to the minimum required for job function?

  • Privileged Access Management (PAM) - ACC-05

    Are privileged accounts and their access strongly controlled and monitored using a dedicated management solution (PAM)?

  • Centralized Authentication (SSO) - ACC-06

    Is a centralized authentication and authorization mechanism (e.g. SSO, IAM) used across applications where feasible?

  • Access & Authentication Logging - ACC-07

    Is logging and monitoring of all user access and authentication events performed and retained?

Controls for securing the network perimeter, internal network traffic, and data in transit.

  • Firewall & Boundary Protection - NET-01

    Is network access controlled and protected by firewalls and other boundary protection devices?

  • Intrusion Detection/Prevention (IDPS) - NET-02

    Are Intrusion Detection/Prevention Systems (IDPS) deployed and actively monitored to detect and prevent malicious network activity?

  • Wireless Network Security - NET-03

    Are security measures implemented for all wireless networks, including strong encryption and authentication?

  • Secure Remote Administration - NET-04

    Is a secure Virtual Private Network (VPN) required for remote administrative access to internal resources?

  • Data-in-Transit Encryption - NET-05

    Is encryption (e.g. TLS/SSL) used to protect sensitive data transmitted over public networks?

  • DMZ/Public Service Isolation - NET-06

    Are high-risk or publicly accessible services isolated within a DMZ or similar network segment?

  • DDoS Protection Strategy - NET-07

    Is a strategy implemented to protect public-facing services from Distributed Denial of Service (DDoS) attacks?

Controls for securing operating systems, applications, and endpoints.

  • Security Configuration Baselines - SYS-01

    Are security configuration baselines applied to all operating systems, applications, and network devices?

  • Patch Management Program - SYS-02

    Is a formal and timely patch management program enforced for operating systems and applications?

  • Anti-Malware & EDR - SYS-03

    Is anti-malware and endpoint detection and response (EDR) software deployed and actively managed on all relevant systems?

  • System Logging & Audit Trails - SYS-04

    Are system-level logging and audit trails enabled, configured to capture security-relevant events, and reviewed regularly?

  • Data-at-Rest Encryption - SYS-05

    Is sensitive data protected by encryption when stored on systems (data-at-rest)?

  • Configuration Management Automation - SYS-06

    Is a configuration management system or tool used to maintain and enforce security baselines across the infrastructure?

Controls for detecting, responding to, and recovering from security incidents.

  • Incident Response Plan (IRP) - IR-01

    Is a formally documented Incident Response Plan (IRP) in place and communicated to relevant personnel?

  • Forensic Investigation Procedure - IR-02

    Is there a defined procedure for conducting forensic investigations that ensures the preservation of evidence and chain of custody?

  • Continuous Security Monitoring - IR-03

    Are security events continuously monitored and analyzed using a centralized system (e.g. SIEM)?

  • Incident Response Testing - IR-04

    Are incident response capabilities regularly tested via drills, simulations, or tabletop exercises?

  • Vulnerability Management Program - IR-05

    Is a proactive vulnerability management program in place that includes scanning, prioritization, and remediation tracking?

  • Threat Intelligence Integration - IR-06

    Are threat intelligence feeds or services used to inform and improve security monitoring and incident response processes?

Controls for identifying, assessing, treating, and overseeing information security risks.

  • Risk Management Framework - RISK-01

    Is a formal, documented risk management framework used to identify, analyze, and treat information security risks?

  • Security Governance Structure - RISK-02

    Is there an established governance structure (e.g. steering committee, executive oversight) for information security?

  • Policy Exception Process - RISK-03

    Is a formal process defined for requesting, reviewing, and approving exceptions to security policies?

  • Security Audits & Assessments - RISK-04

    Are internal and/or external audits and assessments of the security program conducted on a periodic basis?

  • Legal & Regulatory Compliance - RISK-05

    Are processes in place to ensure compliance with relevant legal, statutory, and regulatory requirements?

  • M&A Security Due Diligence - RISK-06

    Is security due diligence conducted for all major organizational changes, such as mergers, acquisitions, or divestitures?

Controls for planning and managing the continuation of business functions during and after a disruption.

  • Business Impact Analysis (BIA) - BCDR-01

    Is a Business Impact Analysis (BIA) performed to determine critical business processes and their recovery requirements?

  • Disaster Recovery Plan (DRP) - BCDR-02

    Is a documented Disaster Recovery Plan (DRP) in place to restore critical IT infrastructure and systems?

  • Data Backup & Restore Testing - BCDR-03

    Is a data backup strategy defined, and are backups performed, secured, and regularly tested for restorability?

  • BC/DR Plan Testing & Review - BCDR-04

    Are the Business Continuity and Disaster Recovery plans regularly tested, reviewed, and updated?

  • Business Continuity Plan (BCP) - BCDR-05

    Is a comprehensive Business Continuity Plan (BCP) in place to maintain essential business functions during an extended disruption?

Controls for protecting personal data and ensuring compliance with privacy regulations.

  • Formal Privacy Policy - PRIV-01

    Is a formal privacy policy defined and implemented that addresses the collection, use, and disclosure of personal data?

  • Personal Data Inventory & Mapping - PRIV-02

    Is a detailed inventory and mapping of all personal data maintained, including where it is stored and processed?

  • Data Protection Impact Assessments (DPIAs) - PRIV-03

    Are Data Protection Impact Assessments (DPIAs) conducted for new projects involving the processing of personal data?

  • Data Retention & Secure Disposal - PRIV-04

    Is a data retention and secure disposal policy enforced for all forms of data, including personal information?

  • Data Minimization Techniques - PRIV-05

    Are data minimization techniques employed to limit the collection and retention of personal data to what is strictly necessary?

  • Secure Data Sharing (Third Parties) - PRIV-06

    Are controls and contractual obligations in place for the secure sharing of personal data with third parties?

  • Data Breach Notification Policy - PRIV-07

    Is a data breach notification policy and procedure in place that complies with applicable regulations?

  • Privacy-Specific Training - PRIV-08

    Is privacy-specific training provided to employees who handle personal data?

  • User Consent Management - PRIV-09

    Is a mechanism implemented for managing and recording user consent where required for data processing activities?

Controls specific to securing cloud computing environments and services.

  • Cloud Security Policy & Responsibility - CLOUD-01

    Is a Cloud Security Policy in place that defines responsibilities and controls for cloud service usage?

  • Cloud IAM & MFA - CLOUD-02

    Is a formal process used for managing identities, access, and permissions within the cloud environment (IAM)?

  • Cloud Security Posture Management (CSPM) - CLOUD-03

    Are cloud service configurations continuously monitored and enforced against security baselines (CSPM)?

  • Cloud Data-at-Rest Encryption & Access - CLOUD-04

    Are cloud-hosted data stores (e.g. databases, object storage) encrypted and securely configured?

  • Cloud Activity Logging - CLOUD-05

    Are cloud provider logs and activity records (e.g. API calls, resource changes) centralized and monitored for security events?

Controls for managing the security risks associated with third-party service providers.

  • Vendor Risk Management (VRM) Program - TPR-01

    Is a formal vendor risk management (VRM) program established for assessing and managing third-party risks?

  • Vendor Security Assessment - TPR-02

    Is a security assessment (e.g. HECVAT, SOC 2) performed for all vendors who handle or access sensitive data?

  • Contractual Security Requirements - TPR-03

    Are contractual agreements in place that clearly define the third-party's security and data protection responsibilities?

  • Vendor Secure Offboarding - TPR-04

    Is a secure offboarding process followed to terminate third-party access and ensure data return/destruction upon contract end?

  • Ongoing Vendor Monitoring - TPR-05

    Are key third-party security controls and compliance postures monitored on an ongoing or periodic basis?

Controls for securing the underlying IT infrastructure, including servers and virtualization.

  • Infrastructure Security Baseline - INFRA-01

    Is a defined security baseline applied to all core infrastructure components (e.g. servers, databases, middleware)?

  • Network Access Control (NAC) - INFRA-02

    Is Network Access Control (NAC) or equivalent technology used to verify the security state of devices connecting to the network?

  • Virtualization Security & Segmentation - INFRA-03

    Are security configurations and segmentation applied to virtualization technologies and hypervisors?

  • Secure Remote Management Interfaces - INFRA-04

    Are remote management interfaces (e.g. SSH, RDP) secured, monitored, and restricted to necessary personnel and systems?

  • Environmental Controls - INFRA-05

    Are environmental controls (e.g. power, cooling, fire suppression) monitored and maintained for physical infrastructure locations?

Controls for ensuring IT resources are accessible to people with disabilities.

  • IT Accessibility Policy (WCAG) - ACCESS-01

    Is there a formally documented IT Accessibility Policy that includes adherence to WCAG or similar standards?

  • Accessibility Testing Procedures - ACCESS-02

    Are formal procedures in place for testing the accessibility of new and existing IT resources?

  • Accessibility in Procurement - ACCESS-03

    Are accessibility requirements included in the procurement process for new IT systems and services?

  • Accessibility Reporting & Accommodations - ACCESS-04

    Is a clear and accessible process provided for users to report accessibility issues or request accommodations?

Controls for managing the unique risks related to Artificial Intelligence and Machine Learning systems.

  • AI/ML Governance Framework - AI-01

    Is a documented AI/ML governance framework established to manage risks associated with AI development and deployment?

  • Bias & Fairness Risk Assessment - AI-02

    Is a risk assessment conducted for each AI/ML model to identify potential biases, fairness issues, and societal impacts?

  • Data Provenance & Quality - AI-03

    Is a Data Provenance and Quality Standard established for training data used by AI/ML models?

  • Model Explainability (XAI) - AI-04

    Are mechanisms implemented to ensure the explainability and interpretability of AI/ML model decisions where necessary?

  • AI/ML Security Testing - AI-05

    Are security testing procedures (e.g. adversarial attacks) conducted to assess the robustness and security of AI/ML models?

Controls only applicable when specific types of regulated data or activities are involved.

  • HIPAA Compliance (PHI) - CS-01

    Are controls implemented to comply with specific regulatory requirements, such as HIPAA for protected health information?

  • PCI DSS Compliance (CHD) - CS-02

    Are controls implemented to comply with specific regulatory requirements, such as PCI DSS for cardholder data?

  • FERPA Compliance (Education Records) - CS-03

    Are controls implemented to comply with specific regulatory requirements, such as FERPA for student educational records?

  • GDPR Compliance (EU Data) - CS-04

    Are controls implemented to comply with specific regulatory requirements, such as GDPR for personal data of EU residents?

Additional controls required for high-risk systems, high-value assets, or highly sensitive data environments.

  • Data Exfiltration Prevention (DLP) - HR-01

    Are specialized monitoring controls implemented to detect and prevent unauthorized data exfiltration or transfer of sensitive data?

  • Zero Trust Architecture (ZTA) - HR-02

    Is a Zero Trust Architecture (ZTA) or similar network/access control model actively being implemented or in use?

  • Red Team/Advanced Threat Simulation - HR-03

    Are advanced threat simulations (e.g. Red Team exercises) conducted to test the organization's defense and response capabilities?

  • Formal Threat Modeling - HR-04

    Is a formal threat modeling methodology used to identify and mitigate risks to high-value assets and critical processes?

  • 24/7 Security Operations Center (SOC) - HR-05

    Is there a dedicated, fully staffed Security Operations Center (SOC) or equivalent 24/7 security monitoring function?