Priority P2 Controls
M1 - STRATEGY AND PLANNING
An information security strategy shall be defined and an operating model developed to adhere to the strategy. In addition, information security plans shall be developed for each major service to identify and mitigate the risks corresponding to each service.
- M1.2.2 - P2 - SUPPORTING POLICIES FOR INFORMATION SECURITY
- M1.3.1 - P2 - AUTHORIZATION PROCESS FOR INFORMATION SYSTEMS
- M1.3.2 - P2 - CONFIDENTIALITY AGREEMENTS
- M1.3.6 - P2 - ADDRESSING SECURITY WHEN DEALING WITH CUSTOMERS
- M1.3.7 - P2 - ADDRESSING SECURITY IN THIRD PARTY AGREEMENTS
- M1.4.2 - P2 - INTERNAL AND EXTERNAL COMMUNICATIONS
- M1.4.3 - P2 - DOCUMENTATION
M2 - INFORMATION SECURITY RISK MANAGEMENT
An information security risk management process shall be implemented to conduct risk assessments, statements of applicability, security testing and evaluations of information security controls on applicable services.
M3 - AWARENESS AND TRAINING
An awareness and training program shall be implemented to inform entities of the risks associated with their activities and to ensure that entities are adequately trained to carry out their assigned information security responsibilities.
- M3.1.1 - P2 - AWARENESS AND TRAINING POLICY
- M3.2.1 - P2 - AWARENESS AND TRAINING PROGRAM
- M3.3.3 - P2 - TRAINING EXECUTION
- M3.4.1 - P2 - AWARENESS CAMPAIGN
M4 - HUMAN RESOURCES SECURITY
Human resources security requirements and security responsibilities shall be addressed prior to employment, during employment, and after termination or change of employment.
- M4.1.1 - P2 - HUMAN RESOURCES SECURITY POLICY
- M4.2.1 - P2 - SCREENING
- M4.3.1 - P2 - MANAGEMENT RESPONSIBILITIES
- M4.3.2 - P2 - DISCIPLINARY PROCESS
M5 - COMPLIANCE
- M5.2.3 - P2 - PROTECTION OF ORGANIZATIONAL RECORDS
- M5.2.6 - P2 - REGULATION CRYPTOGRAPHIC CONTROLS
- M5.4.1 - P2 - TECHNICAL COMPLIANCE CHECKING
M6 - PERFORMANCE EVALUATION AND IMPROVEMENT
T1 - ASSET MANAGEMENT
Assets shall be managed, and information shall be classified and labeled, to ensure that assets, including information, receive an appropriate level of information security.
- T1.1.1 - P2 - ASSET MANAGEMENT POLICY
- T1.2.1 - P2 - INVENTORY OF ASSETS
- T1.2.2 - P2 - OWNERSHIP OF ASSETS
- T1.2.3 - P2 - ACCEPTABLE USE OF ASSETS
- T1.2.4 - P2 - ACCEPTABLE BRING YOUR OWN DEVICE (BYOD) ARRANGEMENTS
- T1.4.2 - P2 - DISPOSAL OF MEDIA
T2 - PHYSICAL AND ENVIRONMENTAL SECURITY
- T2.2.1 - P2 - PHYSICAL SECURITY PERIMETER
- T2.2.2 - P2 - PHYSICAL ENTRY CONTROLS
- T2.2.3 - P2 - SECURING OFFICES, ROOMS AND FACILITIES
- T2.3.1 - P2 - EQUIPMENT SITING AND PROTECTION
- T2.3.8 - P2 - UNATTENDED USER EQUIPMENT
T3 - OPERATIONS MANAGEMENT
Operational procedures and responsibilities shall be developed to ensure an adequate level of information security. In addition, backup, media handling, e-services security and monitoring shall be addressed to ensure protection against malicious code and spyware.
- T3.2.1 - P2 - COMMON SYSTEMS CONFIGURATION GUIDELINES
- T3.2.4 - P2 - SEGREGATION OF DUTIES
- T3.2.5 - P2 - SEPARATION OF DEVELOPMENT, TEST AND OPERATIONAL FACILITIES
- T3.6.2 - P2 - AUDIT LOGGING
- T3.6.4 - P2 - PROTECTION OF LOG INFORMATION
- T3.6.5 - P2 - ADMINISTRATOR AND OPERATOR LOGS
T4 - COMMUNICATIONS
Network security and information sharing shall be addressed to ensure protection of information in transit.
- T4.2.1 - P2 - INFORMATION TRANSFER PROCEDURES
- T4.3.1 - P2 - ELECTRONIC COMMERCE
- T4.5.2 - P2 - SECURITY OF NETWORK SERVICES
- T4.5.4 - P2 - SECURITY OF WIRELESS NETWORKS
T5 - ACCESS CONTROL
Access control processes shall be developed to control access to information, to manage user access, to control access to both internal and external network services, operating systems and applications, and to apply appropriate protection when using mobile computing and teleworking services.
- T5.1.1 - P2 - ACCESS CONTROL POLICY
- T5.4.1 - P2 - POLICY ON USE OF NETWORK SERVICES
- T5.4.7 - P2 - WIRELESS ACCESS
- T5.6.2 - P2 - SENSITIVE SYSTEM ISOLATION
T6 - THIRD PARTY SECURITY
- T6.2.1 - P2 - SERVICE DELIVERY
- T6.2.2 - P2 - MONITORING AND REVIEW OF THIRD PARTY SERVICES
- T6.2.3 - P2 - MANAGING CHANGES TO THIRD PARTY SERVICES
- T6.3.1 - P2 - INFORMATION SECURITY REQUIREMENTS FOR CLOUD ENVIRONMENTS
- T6.3.2 - P2 - SERVICE DELIVERY AGREEMENTS WITH CLOUD PROVIDERS
T7 - INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
An information systems acquisition, development and maintenance process shall be implemented to prevent unauthorized modification or misuse of information in applications, to ensure that a cryptographic control policy is in place, to maintain security in development and support processes, and to manage technical vulnerabilities.
- T7.3.1 - P2 - INPUT DATA VALIDATION
- T7.3.2 - P2 - CONTROL OF INTERNAL PROCESSING
- T7.3.3 - P2 - MESSAGE INTEGRITY
- T7.3.4 - P2 - OUTPUT DATA VALIDATION
- T7.4.1 - P2 - POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS
- T7.4.2 - P2 - KEY MANAGEMENT
- T7.6.3 - P2 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
- T7.6.4 - P2 - INFORMATION LEAKAGE