Information Security Policy and Standards

These standards establish necessary levels of implementation to support the information security policies within Mister (MCW). This standards documents, as well as the policy and all related procedures, identified roles and responsibilities, points of contact, personnel, departments, contact information, storage locations, organizational structures, and flowcharts must be reviewed annually.

The current approved version of the standards must be kept in a central storage location, accessible by all Mister (MCW) users identified in the Roles and Responsibilities section of the NIST Policy document. All previous versions must be archived once an updated version is approved, and all Mister (MCW) users must be notified of the new changes. Training may be required for users as necessary after the new version has been approved.

Document Properties

Document Owner:

Director of Information Security (ISO)

Document Approver:

Chief Technology Officer

Effective Date:

Next Review Date:

Revision History

Version

Date

Author

Description

0.1

01/28/2025

Kurt Myers

Initial Document Draft to replace existing policies

0.2

0.3

Back to Top

OVERVIEW

These standards serve as guidance to implement the NIST framework across Mister (MCW). Adoption of the NIST CSF framework utilizes controls published by the NIST, which are subject to the terms and conditions agreed upon by Mister (MCW) with the NIST.

Purpose

The purpose of this document is to establish the implementation standards necessary to support Mister (MCW)’s Information Security Policy, which will facilitate the establishment of appropriate security best practice implementation across Mister (MCW).

Scope

These standards apply to Mister (MCW)’s employees, contractors, temporary staff, and other users, including all personnel associated with third parties who physically or logically access any of Mister (MCW)’s information, systems, or facilities for any in-scope CDE or non-CDE environments.

A system is any networking equipment, hardware, server, database, or application in the business environment.

A facility is any physical location that houses, stores, or processes organizational data and business processes.

Management Commitment

These standards have been reviewed and found to be acceptable and beneficial to Mister (MCW)’s mission. Senior management and managers from associated departments within Mister (MCW) are committed to supporting and improving all aspects of Mister (MCW)’s information security efforts. Mister (MCW) has established managers responsible for overseeing the personnel identified in the roles and responsibilities of the Information Security Policy to maintain and improve Mister (MCW)’s information security management program.

Implementation Process

Requirements, laws, processes, policies, team organization strategies, and technology surrounding the content of these standards are expected to evolve. The Information Security Steering Committee is responsible for all revisions, updates, research, and implementation of these standards. Collaboration of the Information Security Steering Committee guides the process involved in maintaining and updating policies, standards, and procedures to further the efforts of upholding confidentiality, integrity, and availability of organizational information.

Back to Top

SECTION 00 - INFORMATION SECUIRTY MANAGEMENT PROGRAM

The following standards are necessary to support the information security management program policy statements. These standards serve as guidance to implement the NIST framework.

00.01 Information Security Management Program Standards

00.01a Information Security Management Program

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

An Information Security Management Program (ISMP) is documented and addresses the overall security program of Mister (MCW). Management support for the ISMP is demonstrated through signed acceptance or approval by management.
The ISMP considers all the NIST Control Objectives and documents any excluded control domains and the reasons for their exclusion. The ISMP is updated at least annually or when there are significant changes in the environment.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) formally establishes, implements, operates, monitors, reviews, maintains, and improves the ISMP.
The ISMP is formally documented, and records are protected, controlled, and retained according to federal, state, and organizational requirements.
The ISMP incorporates a Plan, Do, Check, Act (PDCA) cycle for continuous improvement in the ISMP, particularly as information is obtained that could improve the ISMP or indicates any shortcomings of the ISMP.

Level Three Implementation Standards

In addition to the requirements of the above Level One and Level Two implementation standards, Level Three implementation standards require the following:

Management provides evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMP.
Mister (MCW) determines and provides the resources needed to establish, implement, operate, monitor, review, maintain, and improve the ISMP.
Mister (MCW) ensures that all personnel who are assigned responsibilities defined in the ISMP are competent to perform the required tasks. Mister (MCW) also ensures that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMP objectives.
Mister (MCW) conducts internal ISMP audits at planned intervals to determine the continuing suitability, adequacy, and effectiveness of the program.
Management reviews Mister (MCW)’s ISMP at planned intervals (at least once a year) to ensure its continuing suitability, adequacy, and effectiveness. This review includes assessing opportunities for improvement and the need for changes to the ISMP, including the information security policy and information security objectives. The results of the reviews are clearly documented, and records maintained.
Mister (MCW) continually improves the effectiveness of the ISMP using the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review.

Back to Top

SECTION 01 – ACCESS CONTROL

The following standards are necessary to support the access control policy statements. These standards serve as guidance to implement the NIST framework.

01.01 Business Requirements for Access Control

01.02 Authorized Access to Information Systems Standards

01.02a User Registration Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) must maintain a current listing of all workforce members (individuals, contractors, vendors, business partners, etc.) with access to sensitive (e.g., personally-identifiable information [PII]).
User registration and de-registration formally addresses establishing, activating, modifying, reviewing, disabling, and removing accounts. At a minimum, Mister (MCW) addresses how access requests to information systems are submitted, how access to the information systems is granted, how requests to access sensitive are submitted, how access to sensitive is granted, how authorization and/or supervisory approvals are verified, and how a workforce members’ level of access to sensitive is verified.
Account types are identified (individual, shared/group, system, application, guest/anonymous, emergency, and temporary) and conditions for group and role membership established.
Access to the information systems is granted based on a valid need-to-know/need-to-share, which is determined by assigned official duties and intended system usage. Such usage/access is granular enough to support an individual's consent that has been captured by Mister (MCW) and limits access, use, or disclosure based on what is necessary to satisfy a particular purpose or carry out a function, or to provide separation/segregation between business units (e.g., within a hybrid entity).
Access granted satisfies all personnel security criteria. Proper identification is required for requests to establish information system accounts and approval of all such requests.
Guest/anonymous, shared/group, emergency, and temporary accounts are specifically authorized, and use is monitored. Unnecessary accounts are removed, disabled, or otherwise secured.
Account managers are notified when users are terminated or transferred, their information system usage or need-to-know/need-to-share changes, or when accounts (including shared/group, emergency, and temporary accounts) are no longer required.
Shared/group account credentials are modified when users are removed from the group.
The access control procedure for user registration and de-registration:
- Communicates password procedures and policies to all users who have system access;
- Checks that the user has authorization from the system owner for the use of the information system or service;
- Separates approval for access rights from management.
- Checks that the level of access granted is appropriate to the business purpose and is consistent with organizational security policy (e.g., it is consistent with sensitivity and risks associated with the information and/or information system, it does not compromise segregation of duties);
- Gives users a written statement of their access rights;
- Requires users to sign statements indicating that they understand the conditions of access;
- Ensures service providers do not provide access until authorization procedures have been completed;
- Ensures default accounts are removed and/or renamed;
- Maintains a formal record of all persons registered to use the service;
- Removes or blocks critical access rights of users who have changed roles or jobs or left Mister (MCW);
- Immediately and removes or blocks non-critical access within 24 hours; and
- Automatically removes or disables accounts that have been inactive for a period of 60 days or more.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) requires that the registration process to receive hardware administrative tokens and credentials used for two-factor authentication be verified in person before a designated registration authority with authorization by a designated organizational official (e.g., HR, a supervisor or other individual defined in an applicable security plan).
Mister (MCW) does not use group, shared or generic accounts and passwords.

01.02b Privilege Management Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The allocation of privileges for all systems and system components is controlled through a formal authorization process.
The access privileges associated with each system product (e.g., operating system, database management system, and each application) and the users to which they need to be allocated are identified.
Privileges are allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (i.e., the minimum requirement for their functional role, e.g., user or administrator, only when needed).
At a minimum, Mister (MCW) explicitly authorizes access to the following list of security functions (deployed in hardware, software, and firmware) and security-relevant information:
- Setting or modifying audit logs and auditing behavior;
- Setting or modifying boundary protection system rules;
- Configuring or modifying access authorizations (i.e., permissions, privileges);
- Setting or modifying authentication parameters; and
- Setting or modifying system configurations and parameters.
An authorization process and a record of all privileges allocated are maintained.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Role-based access control is implemented, and each user can be mapped to one or more roles and each role to one or more system functions.
The development and use of system routines are promoted to avoid the need to grant privileges to users. The development and use of programs that avoid the need to run with elevated privileges are promoted.
Elevated privileges are assigned to a different user ID from those used for normal business use.
All users access privileged services in a single role (users registered with more than one role designate a single role during each system access session). The use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) is minimized.
Access to privileged functions (e.g., system-level software, administrator tools, scripts, utilities) deployed in hardware, software, and firmware is restricted. Security relevant information is restricted to explicitly authorized individuals.
Mister (MCW) facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to business partners match the access restrictions on information for specific circumstances in which user discretion is allowed. Mister (MCW) also employs manual processes or automated mechanisms to assist users in making information sharing or collaboration decisions.
The access control system for the system components storing, processing, or transmitting sensitive is set with a default, deny-all setting.

Level Three Implementation Standards

In addition to the requirements of the above Level One and Level Two implementation standards, Level Three implementation standards require the following:

Mister (MCW) limits authorization to privileged accounts on information systems to a pre-defined subset of users and tracks and monitors privileged role assignments for anomalous behavior.
Mister (MCW) audits the execution of privileged functions on information systems and ensures that information systems prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards (e.g., intrusion detection system [IDS], intrusion prevention system [IPS], or malicious code protection mechanisms).
All file system access not explicitly required for system, application, and administrator functionality is disabled.
Access to all administrative consoles for systems hosting virtualized systems is restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, Internet protocol (IP) address filtering, firewalls, and Transport Layer Security [TLS] encapsulated communications to the administrative consoles).
Contractors are provided with minimal system and physical access and agree to and support Mister (MCW)’s security requirements. The contractor selection process assesses the contractor's ability to adhere to and support Mister (MCW)’s security policy and procedures.
Mister (MCW) ensures that only authorized users are permitted to access those files, directories, drives, workstations, servers, network shares, ports, protocols, and services that are expressly required for the performance of the users' job duties.

01.02c User Password Management Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The following controls are implemented to maintain the security of passwords:
- Passwords are prohibited from being displayed when entered;
- Passwords are changed whenever there is any indication of possible system or password compromise; and
- User identity is verified before performing password resets.
The allocation of passwords is controlled through a formal management process, which includes:
- The use of third-parties or unprotected (clear text) electronic mail messages is avoided;
- Users acknowledge receipt of passwords;
- Default vendor passwords are altered following installation of systems or software;
- Temporary passwords are changed at the first log-on;
- Temporary passwords are given to users in a secure manner;
- A list of commonly used, expected, or compromised passwords is maintained, and the list is updated at least every 180 days and when organizational passwords are suspected to have been compromised directly or indirectly;
- Verification that, when users create or update passwords, the passwords are not found on Mister (MCW)-defined list of commonly used, expected, or compromised passwords;
- Only cryptographic Controlled-protected passwords are transmitted;
- Passwords are stored using an approved hash algorithm and salt, preferably using a keyed hash;
- Immediate selection of a new password is required upon account recovery;
- User-selection of long passwords and passphrases, including spaces and all printable characters, is allowed; and
- Automated tools to assist the user in selecting strong passwords and authenticators are employed.
Alternatively, passwords or phrases must have a strength (entropy) at least equivalent to the parameters specified above.
Password policies applicable to mobile devices are documented and enforced through technical controls on all company devices or devices approved for bring-your-own-device (BYOD) usage and prohibit the changing of password or PIN lengths and authentication requirements.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The following controls are implemented to maintain the security of passwords:
- Passwords are protected from unauthorized disclosure and modification when stored and transmitted;
- Passwords are not included in any automated log-on process (e.g., stored in a macro or function key);
- All passwords are encrypted during transmission and storage on all system components;
- Users sign a statement to keep personal passwords confidential and to keep group passwords solely within the members of the group; and
- Temporary passwords are unique to an individual and are not guessable.

01.02d Review of User Access Right Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The following procedures are carried out to ensure the regular review of access rights by management:
- User's access rights are reviewed after any changes, such as promotion, demotion, or termination of employment, or other arrangement with a workforce member ends; and
- User's access rights are reviewed and re-allocated when moving from one employment or workforce member arrangement to another within the same organization.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) maintains a documented list of authorized users of information assets. In addition:
- All types of accounts are reviewed at least every 90 days;
- Critical system accounts are reviewed at least every 60 days;
- User's access rights are reviewed at least every 90 days;
- Changes to access authorizations are reviewed at least every 90 days; and
- Authorizations for special privileged access rights are reviewed at least every 60 days.

01.03 User Responsibility Standards

01.03a Clear Desk and Clear Screen Policy Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

A clear desk policy for papers and removable storage media and a clear screen policy for information assets are developed, adopted, and communicated to all users. The clear desk and clear screen policies consider the information classifications, legal and contractual requirements, and the corresponding risks and cultural aspects of Mister (MCW).
The following practices are established:
- Covered or critical business information (e.g., on paper or on electronic storage media) is locked away (ideally in a safe or cabinet or other forms of security furniture) when not required, especially when the office is vacated;
- Computers and terminals are left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token, or similar user authentication mechanism that conceals information previously visible on the display when unattended and are protected by key locks, passwords, or other controls when not in use;
- Incoming and outgoing mail points and unattended facsimile machines are protected;
- Unauthorized use of photocopiers and other reproduction technology (e.g., scanners, digital cameras) is prevented;
- Documents containing confidential or regulated information are removed from printers, copiers, and facsimile machines immediately; and
- When transporting documents with sensitive within facilities and through inter-office mail, information is not visible through envelope windows, and envelopes are marked according to the information's classification level (e.g., Confidential).

01.04 Network Access Control Standards

01.04a User Authentication for External Connection Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Authentication of remote users is implemented using a password or passphrase and at least one of the following methods:
- Biometric techniques
- Hardware tokens
- Software tokens
- A challenge and response protocol
- Certificate agents
Mister (MCW) protects wireless access to systems containing sensitive information by authenticating users and devices.
Remote access to business information across public networks only takes place after successful identification and authentication.
Remote access by vendors and business partners (e.g., maintenance, reports, or other data access) is disabled unless specifically authorized by management.
- If remote maintenance is performed, Mister (MCW) closely monitors and controls any activities, with immediate deactivation after use. Remote access to business partner accounts is also immediately deactivated after use.
Radius or Kerberos are used to enable user privileges and/or resources to access Mister (MCW)’s network.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Authentication of remote users is implemented via virtual private network (VPN) solutions that support a cryptographic based technique, hardware tokens, or a challenge and response protocol.
Dedicated private lines may also be used to provide assurance of the source of connections.
All remote access is controlled through a limited number of managed access control points.
Periodic monitoring is implemented to ensure that installed equipment does not include unanticipated dial-up capabilities. Callback capability is required with re-authentication to verify connections from authorized locations.
For application systems and turnkey systems that require the vendor to log-on, the vendor is assigned a User ID and password and must enter the network through the standard authentication process. Access to such systems is authorized and logged. User IDs assigned to vendors are reviewed in accordance with Mister (MCW)’s access control policy, at a minimum annually.
Node authentication, including cryptographic techniques (e.g., machine certificates), are required for authenticating groups of remote users where they are connected to a secure, shared computer facility. This is part of several VPN-based solutions.
Mister (MCW) requires all remote login access (including VPN, and other forms of access that allow login to internal systems, e.g., from an alternate work location or to sensitive information via a web portal) to use two-factor authentication.

01.04b Remote Diagnostic and Configuration Port Protection Standards

Level One Implementation Standard:

Following are the requirements of the Level One implementation standard:

Access to network equipment is physically protected (e.g., a router must be stored in a room that is only accessible by authorized employees or contractors).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Controls for the access to diagnostic and configuration ports include the use of a key lock. Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled, or removed.
Supporting procedures to control physical access to the port are implemented, including ensuring that diagnostic and configuration ports are only accessible by arrangement between the manager of the computer service and the hardware and software support personnel requiring access.

01.04c Segregation in Network Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Security gateways (e.g., a firewall) are used between the internal network, external networks (Internet and third-party networks), and any demilitarized zone (DMZ).
An internal network perimeter is implemented by installing a secure gateway (e.g., a firewall) between two interconnected networks to control access and information flow between the two domains. This gateway is capable of enforcing security policies, is configured to filter traffic between these domains, and blocks unauthorized access in accordance with Mister (MCW)’s access control policy.
Wireless networks are segregated from internal and private networks.
Mister (MCW) requires a firewall between any wireless network and the sensitive system's environment.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The criteria for segregation of networks into domains is based on the access control policy and access requirements and takes account of the relative cost and performance impact of incorporating suitable network routing or gateway technology. In addition, segregation of networks is based on the value and classification of information stored or processed in the network, levels of trust, or lines of business, to reduce the total impact of a service disruption.
Networks are divided into separate logical network domains (e.g., an Mister’s internal network domains and external network domains), each protected by a defined security perimeter. A graduated set of controls is applied in different logical network domains to further segregate the network security environments (e.g., publicly accessible systems; internal networks; critical assets; and key information security tools, mechanisms, and support components associated with system and security administration).
Segregations of separate logical domains is achieved by restricting network access using VPNs for user groups within Mister (MCW). Networks are also segregated using network device functionality (e.g., IP switching).
A baseline of network operations and expected data flows for users and systems is established and managed. Separate domains are then implanted by controlling the network data flows using routing and switching capabilities, including access control lists, according to applicable flow control policies.
The domains are defined based on a risk assessment and the different security requirements within each of the domains.
Mister (MCW) implements subnetworks for publicly-accessible system components that are logically separated from internal organizational networks. To ensure proper separation, Mister (MCW) verifies any server that is visible from the Internet or an untrusted network and, if it is not required for business purposes, moves it to an internal VLAN and gives it a private address.
Mister (MCW) uses a network segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers.
Mister (MCW) manages the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

01.04d Network Connection Control Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

At managed interfaces, network traffic is denied by default and allowed by exception (i.e., deny all, permit by exception).
Mister (MCW) restricts the ability of users to connect to the internal network in accordance with the access control policy and the requirements of the business applications.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The connection capability of users is restricted through network gateways (e.g., a firewall) that filter traffic by means of pre-defined tables or rules.
Restrictions are applied to:
- Messaging (e.g., electronic mail);
- File transfer (e.g., peer-to-peer, File Transfer Protocol (FTP));
- Interactive access (e.g., where a user provides input to the system); and
- Common Windows applications.
Mister (MCW) reviews exceptions to the traffic flow policy within every 365 days or implementation of major new systems.
Linking of network access rights to certain times of day or dates is implemented.
Mister (MCW) limits the number of external network connections to the information system (e.g., prohibiting desktop modems) to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Mister (MCW):
- Implements a managed interface for each external telecommunication service, i.e., transmissions of data to or from other entities external to the secure site, including to other secure sites using networks or any other communications resources outside of the physical control of the secure site to transmit information;
- Establishes a traffic flow policy for each managed interface;
- Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
- Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
- Reviews exceptions to the traffic flow policy within every 365 days; and
- Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
Remote devices that have established a non-remote connection are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

01.04e Network Routing Control Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Security gateways (e.g., firewalls) are used between internal and external networks (Internet and third-party networks).
Mister (MCW) implements routing controls at the network perimeter.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Security gateways (e.g., firewalls) are used to validate source and destination addresses at internal and external network control points. Mister (MCW) designs and implements network perimeters so that all outgoing network traffic to the Internet passes through at least one application layer filtering proxy server.
- The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying a whitelist of allowed sites that can be accessed through the proxy while blocking all other sites. Mister (MCW) forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.
The requirements for network routing control are based on the access control policy. Routing controls are also based on positive source and destination address checking mechanisms.
Internal directory services and internal IP addresses are protected and hidden from any external access.

01.05 Operating System Access Control Standards

01.05a User Identification and Authentication Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard

Before allowing access to system components or data, Mister (MCW) requires verifiable unique IDs for all types of users, including but not limited to:
- Technical support personnel
- Operators
- Network administrators
- System programmers
- Database administrators
The following are required for each category of User ID:
- Regular User IDs:
  - User IDs are used to trace activities to the responsible individual; and
  - Regular user activities are not performed from privileged accounts.
- Shared user/group IDs:
  - In exceptional circumstances, where there is a clear business benefit, the use of a shared user ID for a group of users or a specific job can be used;
  - Approval by management is documented for such cases; and
  - Additional controls are required to maintain accountability.
- Generic IDs:
  - Generic IDs for use by an individual are only allowed either where the functions accessible or actions carried out by the ID do not need to be traced (e.g., read-only access).
Mister (MCW) ensures that redundant user IDs are not issued to other users.
Non-organizational users (all information system users other than organizational users, such as clients, customers, or contractors), or processes acting on behalf of non-organizational users, determined to need access to information residing on Mister (MCW)’s information systems or contributing information (e.g., PII, and PCI]) to Mister (MCW), are uniquely identified and authenticated in accordance with the requirements outlined above and NIST CSF control 01.d.
Users are uniquely identified and authenticated for both local and remote accesses to information systems using a username and password (see 01.d) at a minimum or preferably a username and password supplemented or replaced by risk-based (non-static) and/or strong authentication methods. Access to PCI data and any other data deemed extremely sensitive (e.g., by statute) is considered privileged and requires multifactor authentication. The requirement for risk-based, strong, and multifactor authentication methods is determined by Mister (MCW)’s risk assessment and its application commensurate with the type of data, level of sensitivity of the information, and user type.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Appropriate authentication methods, including strong authentication methods in addition to passwords, are used for communicating through an external, non-organization-controlled network (e.g., the Internet).
Help desk support requires user identification for any transaction that has information security implications.
During the registration process to provide new or replacement hardware tokens, in person verification is required in front of a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
The information system, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline.
When Public Key Infrastructure (PKI) based authentication is used, the information system:
- Validates certificates by constructing a certification path with status information to an accepted trust anchor;
- Validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
- Enforces authorized access to the corresponding private key;
- Maps the authenticated identity to the account of the individual or group; and
- Implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network.
The information system uses replay-resistant authentication mechanisms such as nonce, one-time passwords, or timestamps (e.g., Kerberos, TLS, etc.) for network access to privileged accounts.
Mister (MCW) requires that access for all accounts, including those for network and security devices, is to be obtained through a centralized point of authentication, for example Active Directory or Lightweight Directory Access Protocol (LDAP).

01.05b Session Time-out Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

A time-out system that conceals information previously visible on the display with a publicly viewable image (e.g., a screen saver) pauses the session screen after 10 minutes of inactivity and closes network sessions after 15 minutes of inactivity. The system requires the user to reestablish access using appropriate identification and authentication procedures.
A limited form of time-out system can be provided for legacy systems that cannot be modified to accommodate this requirement, which clears the screen and prevents unauthorized access through re-authentication requirements to continue the active session but does not close the application or network sessions.

01.06 Application and Information Access Control Standards

01.06a Information Access Restriction Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Restrictions to access are based on individual business application requirements and in accordance with the access control policy.
Access rights to applications and application functions should be restricted in accordance with the access control policy.
Associated identification and authentication controls are developed, disseminated, and periodically reviewed and updated, including:
- Specific user actions that can be performed on the information system without identification or authentication are identified and supporting rationale documented.
- Actions to be performed without identification and authentication are permitted only to the extent necessary to accomplish mission objectives.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The following guidelines are implemented to support access restriction requirements:
- Access rights to other applications are controlled according to applicable access control policies.
- Outputs from application systems handling sensitive contain only the information relevant to the use of the output and are sent only to authorized terminals and locations.
- Periodic reviews of such outputs are performed to ensure that redundant information is removed.
When encryption of stored information is employed as an access enforcement mechanism, it is encrypted using validated cryptographic algorithms (see 06.d).
Data stored in the information system is protected with system access controls, including file system, network share, claims, application, and/or database specific access control lists, and is encrypted when residing in non-secure areas.
Specific user actions that can be performed on the information system without identification or authentication are identified and supporting rationale documented. Actions performed without identification and authentication are permitted only to the extent necessary to accomplish mission objectives.

Level Three Implementation Standards

In addition to the requirements of the above Level One and Level Two implementation standards, Level Three implementation standards require the following:

For individuals accessing sensitive information (e.g., sensitive, cardholder data) from a remote location, Mister (MCW) prohibits the copy, move, print (and print screen,) and storage of this information onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.
Mister (MCW) restricts the use of database management utilities to only authorized database administrators. Users are prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls are implemented to restrict database access.

01.06b Sensitive System Isolation Standards

Level One Implementation Standards

The following is the Level One Implementation Standard:

The sensitivity of an application system is explicitly identified and documented by the application owner.

Level Two Implementation Standards

In addition to the requirements of the above Level One standard, Level Two implementation standards require the following:

The sensitive application system runs on a dedicated computer or only shares resources with trusted application systems. Isolation is achieved using physical or logical methods. When a sensitive application is to run in a shared environment, the application systems with which it will share resources and the corresponding risks are identified and accepted by the owner of the sensitive application.

Level Three Implementation Standards

In addition to the requirements of the above Level One and Level Two implementation standards, Level Three implementation standards require the following:

Users of shared system resources cannot intentionally or unintentionally access information remnants, including encrypted representations of information, produced by the actions of a prior user or system process acting on behalf of a prior user.
System resources shared between two or more users are released back to the information system and are protected from accidental or purposeful disclosure.
Only one primary function per server is implemented to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and domain name system (DNS) are implemented on separate servers.) If virtualization technologies are used, Mister (MCW) verifies that one component or primary function is implemented per virtual system device.
The information system maintains a separate execution domain for each executing process.

01.07 Mobile Computing and Teleworking Standards

01.07a Mobile Computing and Communication Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) uses full-disk encryption to protect the confidentiality of information on laptops and other mobile devices that support full-disk encryption. Encryption is required for all other mobile computing devices in accordance with Mister (MCW)’s data protection policy (see 06.d) and enforced through technical controls. If it is determined that encryption is not reasonable and appropriate, Mister (MCW) documents its rationale and acceptance of the risk.
A mobile computing policy is developed and includes Mister (MCW)’s definition of mobile devices, acceptable usage, and the requirements for physical protection, access controls, encryption techniques, back-ups, and virus protection. This policy also includes rules and advice on connecting mobile devices to networks and guidance on the use of these devices in public places.
Protection is in place when using mobile computing devices in public places, meeting rooms and other unprotected areas outside of Mister (MCW)’s premises to avoid the unauthorized access to or disclosure of the information stored and processed by these devices (e.g., using cryptographic techniques). Users of mobile computing devices in public places are to take care to avoid the risk of overlooking by unauthorized persons.
Mister (MCW) installs personal firewall software or equivalent functionality on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access Mister (MCW)’s network.
Suitable protection is given to the use of mobile devices connected to networks.
Mister (MCW) only authorizes connections of mobile devices meeting organizational usage restrictions, configuration requirements, connection requirements, and implementation guidance; enforces requirements for the connection of mobile devices to sensitive information systems; and monitors for unauthorized connections. Information system functionality on mobile devices that provides the capability for automatic execution of code without user direction is disabled.
Individuals are issued specifically configured mobile devices for travel to locations Mister (MCW) deemed to be of significant risk in accordance with organizational policies and procedures. The devices are checked for malware and physical tampering upon return from these locations.
Mobile computing devices are also physically protected against theft especially when left, for example, in cars and other forms of transport, hotel rooms, conference centers, and meeting places. A specific procedure considering legal, insurance, and other security requirements of Mister (MCW) is established for cases of theft or loss of the mobile computing devices. Equipment carrying important, covered, and/or critical business information is not to be left unattended without being physically protected.
Training is arranged for personnel using mobile computing to raise their awareness on the additional risks resulting from this way of working and the controls that need to be implemented.
A documented list is kept of approved application stores defined as acceptable for mobile devices accessing or storing entity (client) or cloud service provider-managed client data, and the use of unapproved application stores is prohibited for company-owned and BYOD mobile devices. The installation of non-approved applications or approved applications not obtained through a pre-identified application store is prohibited.
Mister (MCW) prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

A centralized, mobile device management solution is deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data.
Prohibition on the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) is enforced through detective and preventative controls on the device or through a centralized device management system (e.g., Tanium), including enabling secure containers and or sandbox solutions.
Only mobile devices permitted for official business use are company provided workstations, or a company-assigned mobile device allow for remote wipe by the company's corporate IT or have all company-provided data wiped by the company's corporate IT. (May be hard sell, aspirational)
Mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote software version and patch validation. All mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier, and authorized IT personnel can perform these updates remotely.

01.07b Teleworking Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) only authorize teleworking activities if satisfied that appropriate security arrangements and controls are in place, and that they comply with Mister (MCW)’s security policy. Suitable protection of the teleworking site is in place to protect against the theft of equipment and information, the unauthorized disclosure of information, unauthorized remote access to Mister (MCW)’s internal systems, or misuse of facilities.
The following matters are addressed prior to authorizing teleworking:
- The communications security requirements, considering the need for remote access to Mister (MCW)’s internal systems, the sensitivity of the information that will be accessed and pass over the communication link, and the sensitivity of the internal system;
- The use of home networks and requirements or restrictions on the configuration of wireless network services including encryption (AES WPA2, at a minimum);
- Antivirus protection, operating system and application patching, and firewall requirements consistent with corporate policy; and
- Revocation of authority and access rights and the return of equipment when the teleworking activities are terminated.
Verifiable unique IDs are required for all teleworkers accessing Mister (MCW)’s network via a remote connection. The connection between Mister (MCW) and the teleworker's location is secured via an encrypted channel. Mister (MCW) maintains ownership over the assets used by the teleworker to achieve the requirements of this control (e.g., issuance of a USB device to allow for remote access via an encrypted tunnel).
Teleworking activities are both authorized and controlled by management. Mister (MCW) management ensured that suitable arrangements are in place for this way of working. Training on security awareness, privacy, and teleworker responsibilities is required prior to authorization, and training methods are reviewed in accordance with Mister (MCW)’s policy (see 02.e).
Remote access is granted for MCW users who have a business need to connect to MCW systems. Remote access may be suspended or revoked immediately if MCW security determines or suspects the account has been misused or has been compromised.
Remote Access from non-US based Locations - access from locations outside the U.S. must be requested in advance to ensure access is granted.
The request must be made via ticketing system and must include: The request must include country from which remote access is requested as well as start and end dates for the remote access. Requests should be made five (5) business days in advance of remote access need. Failure to provide sufficient lead time may result in a delay in providing access.
The request for remote access from non-US based locations must address a business need for MCW and may be denied if a reasonable business case is not provided.
Each request will be reviewed by the ISO. If approved, the requester will have remote access from a non-U.S based location only for the duration specified. Extensions must be requested in writing with new end date specified.
Requests for remote access may be denied if access is requested from countries considered to be high security risk.
Remote access requires the use of MFA.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The following matters are addressed prior to authorizing teleworking:
- The existing physical security of the teleworking site, considering the physical security of the building and the local environment;
- The proposed physical teleworking environment; and
- The threat of unauthorized access to information or resources from other persons using the accommodation (e.g., family and friends).

Back to Top

SECTION 02.0 - HUMAN RESOURCES SECURITY

The following standards are necessary to support the Human Resources security policy statements. These standards serve as guidance to implement the NIST framework.

02.01 Prior to Employment Standards

02.01a Roles and Responsibilities Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) develops, disseminates, and reviews and updates annually:
- A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
Security roles and responsibilities include the following requirements:
- Implementing and act in accordance with Mister (MCW)’s information security policies;
- Protecting assets from unauthorized access, disclosure, modification, destruction, or interference;
- Executing particular security processes or activities;
- Ensuring that responsibility is assigned to the individual for actions taken; and
- Reporting security events, potential events, or other security risks to Mister (MCW).
Security roles and responsibilities are defined and clearly communicated to IT job candidates during the pre-employment process. Security roles and responsibilities are included in Mister (MCW)’s information security policy, as well as any involvement in processing sensitive documented in relevant job descriptions.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The pre-employment process is reviewed by recruitment to ensure that security roles and responsibilities are defined and clearly communicated to IT job candidates. Mister (MCW) assigns risk designations to all organizational positions as appropriate, establishes screening criteria, and reviews and revises designations every 365 days.
Mister (MCW) defines the roles, responsibilities, and authority of all security personnel.

02.03 During Employment Standards

02.03a Management Responsibility Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Management responsibilities include ensuring that employees, contractors, and third-party users:
- Are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive or information systems;
- Are provided with guidelines to state security expectations of their role within Mister (MCW);
- Are motivated and comply with the security policies of Mister (MCW);
- Achieve a level of awareness on security relevant to their roles and responsibilities within Mister (MCW);
- Conform to the terms and conditions of employment, which includes Mister (MCW)’s information security policy and appropriate methods of working; and
- Continue to have the appropriate skills and qualifications.
Mister (MCW) establishes an information security workforce development and improvement program.
Mister (MCW):
- Implements a process for ensuring that organization plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
Are developed and maintained; and
Continue to be executed in a timely manner.
- Reviews testing, training, and monitoring plans for consistency with Mister (MCW)’s risk management strategy and organization-wide priorities for risk response actions.
Mister (MCW) develops usage policies for critical employee-facing technologies to define proper use of these technologies for all employees and contractors.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) assigns an individual or team to manage information security responsibilities of employees, contractors, and third-party users.
These usage policies address the following if applicable:
- Explicit management approval (authorization) to use the technology;
- Authentication for use of the technology;
- Acceptable uses of the technologies (see 07.c;
- Acceptable network locations for the technologies;
- A list of company-approved products;
- Prohibition of storage of regulated data onto local hard drives, floppy disks, or other external media.
Management:
- Clearly identifies applications, application stores and application extensions and plugins approved for BYOD usage;
- Defines the device and eligibility requirements to allow for BYOD usage;
- Clarifies its expectations of privacy and its requirements for litigation, e-discovery, and legal holds with respect to mobile devices;
- Clearly states expectations regarding the loss of non-company data in the case a wipe of a mobile device is required; and
- Clarifies the systems and servers allowed for use or access on a BYOD-enabled device.

02.03b Information Security Awareness, Education, and Training Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Awareness training commences with a formal induction process designed to introduce Mister (MCW)’s security and privacy policies, state and federal laws, and expectations before access to information or services is granted and no later than 60 days after the date the employee, contractor, and other workforce member is hired, or a contractual arrangement is made with a collaborating organization.
At a minimum, Mister (MCW)’s security awareness and training program identifies how workforce members are provided security awareness and training; identifies the workforce members (including managers, senior executives, and as appropriate, business associates/partners, and contractors) who will receive security awareness and training; describes the types of security awareness and training that is reasonable and appropriate for its workforce members; describes how workforce members are provided security and awareness training when there is a change in Mister (MCW)’s information systems; and outlines how frequently security awareness and training is provided to all workforce members.
Ongoing training for these individuals and organizations includes security and privacy requirements (e.g., objective, scope, roles and responsibilities, coordination, compliance, communicating threat information, legal responsibilities, and business controls) as well as training in the correct use of information assets and facilities (including, but not limited to, log-on procedures, use of software packages, anti-malware for mobile devices, and information on the disciplinary process). Training discusses how Mister (MCW) addresses each area (e.g., audit logging and monitoring); how events or incidents are identified (e.g., monitoring for inappropriate or failed user logins), and the actions Mister (MCW) takes in response to events or incidents (e.g., notifying the workforce member or the members supervisor), as appropriate to the area of training.
Mister (MCW) provides incident response and contingency training to information system users consistent with assigned roles and responsibilities:
- Within 90 days of assuming an incident response role or responsibility;
- When required by information system changes; and
- Within every 365 days thereafter.
Mister (MCW) documents that the training has been provided to the individual.
A list of applications, application stores, and application extensions and plugins approved for BYOD usage is provided during training.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) formally creates dedicated security awareness training as part of a resource on-boarding process to Mister (MCW). Mister (MCW) documents its formal induction security awareness training process. Mister (MCW) conducts an internal annual review of the effectiveness of its security awareness training program and updates the program to reflect risks identified in Mister (MCW)’s risk assessment.
Mister (MCW) manages a security awareness training program for all employees and contractors with tracking of completion and a requirement for refresher training at least every 365 days. Employees are required to acknowledge they have received training and are aware of their responsibilities through signoff.
Mister (MCW) includes security awareness training on recognizing and reporting potential indicators of an insider threat.
Mister (MCW)’s security personnel, including organizational business unit security points of contact, receive specialized security education and training appropriate to their role and responsibilities. Developers are trained at least annually in up-to-date, secure coding techniques, including how to avoid common coding vulnerabilities. Mister (MCW) ensures that developers understand how sensitive data is handled in memory.
Mister (MCW)’s security awareness program:
- Focuses on the methods commonly used in intrusions that can be blocked through individual action;
- Delivers content in short online modules convenient for employees;
- Receives frequent updates (at least annually) to address the latest attack techniques; and
- Includes the senior leadership teams personal messaging and involvement.
Mister (MCW) trains its workforce to ensure sensitive is stored in organization-specified locations.
Mister (MCW) ensures that the senior executives have been trained in their specific roles and responsibilities.

Level Three Implementation Standards

In addition to the requirements of the above Level One and Level Two implementation standards, Level Three implementation standards require the following:

Personnel with significant information security roles and responsibilities are required to undergo appropriate role-based information system security training:
- Prior to authorizing access to Mister (MCW)’s networks, systems, and/or applications;
- When required by significant information system or system environment changes;
- When an employee enters a new position that requires additional role-specific training; and
- Refresher training annually thereafter.
Mister (MCW) maintains a documented list of everyone who completes the onboarding process. Training records are retained for at least five years thereafter.
Workforce members are trained on how to properly respond to perimeter security alarms (see 08.b, level 3).

02.03c Disciplinary Process Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) employs a formal sanctions process for personnel failing to comply with established information security policies and procedures and notifies defined personnel (e.g., supervisors) within a defined time frame (e.g., 24 hours) when a formal sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. The disciplinary process is not commenced without prior verification that a security breach has occurred. The formal disciplinary process ensures correct and fair treatment for employees who are suspected of committing breaches of security. The formal disciplinary process provides for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether this is a first or repeat offense, whether the violator was properly trained, relevant legislation, business contracts, and other factors as required. For each incident, Mister (MCW) documents the personnel involved in the disciplinary process, the steps taken, the timeline associated with those steps, the steps taken for notification, the rationale for the discipline, whether the discipline was due to a compliance failure, and the outcome.
Mister (MCW) includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action.
Mister (MCW) maintains a list or documents an indication of employees involved in security incident investigations and the resulting outcome in the employees Human Resources (HR) folder.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) creates a point of contact from HR to handle any incidents relating to employees.
Mister (MCW) notifies the information security officer (ISO) or a designated representative, of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction.

02.04 Termination or Change of Employment Standards

02.04a Removal of Access Right Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Upon termination, the access rights for the terminated individual are disabled in a timely manner, at least within 24 hours.
The access rights are removed or adapted include physical and logical access, keys, identification cards, IT systems and applications, subscriptions, and removal from any documentation that identifies them as a current member of Mister (MCW). If a departing employee, contractor, third-party user, or other workforce member has known passwords for shared or group accounts remaining active, these are changed upon termination or change of employment, contract, agreement, or another workforce arrangement.
Changes of employment or other workforce arrangement (e.g., transfers) are reflected in removal of all access rights that are not approved for the new employment or workforce arrangement. Access changes due to personnel transfer are managed effectively. Any old accounts are closed after 90 days if new accounts are created.
Access rights to information assets and facilities are reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors, including:
- Whether the termination or change is initiated by the employee, contractor, third-party user, other workforce member, or by management, and the reason for termination;
- The current responsibilities of the employee, contractor, workforce member, or any other user; and
- The value of the assets currently accessible.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) employs automated mechanisms to notify specific personnel or roles (formally defined by Mister (MCW)) upon termination of an individual.
Mister (MCW) immediately terminates the access rights following a resignation notice, notice of dismissal, etc., prior to or during the personnel termination process. Termination allows for immediate escorting out of the site, if necessary, wherever continued access is perceived to cause an increased risk, e.g., in the case of serious misconduct.

Back to Top

SECTION 03 – RISK MANAGEMENT

The following standards are necessary to support the risk management policy statements. These standards serve as guidance to implement the NIST framework.

03.01 Risk Management Program Standards:

03.01a Performing Risk Assessment Standards

Level One Implementation Standards

Mister (MCW) must conduct security/risk assessments to evaluate the level of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification or destruction of the information system and the information it processes, stores, or transmits.
Mister (MCW) shall conduct security/risk assessments at minimum annually, or whenever there are significant changes to the critical information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
A third-party assessment of all critical systems (Confidential or Regulated) and associated security controls will be conducted at a minimum every 1 years.
All assessment results will be provided to the Director (ISO) within thirty (30) days of completion.
The risk assessment must consider risks posed to Mister (MCW) operations, or assets from external parties, including but not limited to the following:
Organizations such as business competitors that may have an interest in information supplied to Mister (MCW).

Service Providers:

Contractors operating information systems on behalf of Mister (MCW)
Individuals accessing Mister (MCW)’s information systems
Outsourcing entities (e.g. cloud service providers (CSPs) MicroLogic etc)
Mister (MCW) need to obtain prior approval from the Mister (MCW) Director of Security (ISO) before contracting with cloud-hosted solutions or off-site hosting services and must ensure vendor compliance with Mister (MCW) security policies.
Mister (MCW) shall ensure that contract language requires vendors that interface with CDE environments to provide as attestation to their compliance, an industry recognized, third party assessment report or conduct a due diligence security review and document findings.
Procurement language must also require, in addition to initial validation, cloud/vendor must annually provide the validation of their continued compliance to Mister (MCW) policies and procedures. This requirement includes all vendors supporting Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS). Examples of acceptable assessment reports include, Federal Risk and Authorization Management Program (FedRAMP) certification, SOC 2 Type 2, SSAE 16 and ISO 27001. CSPs must demonstrate to Mister (MCW) that continuous monitoring activities are in place and compliance is being met.
When planning and budgeting for security/risk assessments, the following requirements must be met:
Annual assessments must be included in information system budgets and planning.
Other significant, planned activities must be considered in budgets and planning (e.g., life cycle activities, enhancements, audits) to ensure cost effective use of resources.
Assessments must be coordinated between information systems with security control inheritance and other relational dependencies.
Mister (MCW) shall conduct an assessment using NIST 800-53 controls that includes at a minimum their critical systems shall be done.
an independent assessor to conduct the annual assessment.
A Risk Register for the systems documenting the planned, remedial actions to correct weaknesses or deficiencies in security controls and to reduce or eliminate known vulnerabilities must be developed.
The existing Risk Register must be updated weekly based on findings of weaknesses including, but not limited to, the following:
Reviews, tests, audits, or assessments
Security impact analyses
Independent verification and validation findings
Continuous monitoring activities
Incidents
All findings, recommendations, and their source must be tracked to the related item in the Risk Register.
Findings must be analyzed as to their level of risk (i.e., high, medium, low) and a determination must be made for appropriate action(s) to be taken to correct or mitigate, as appropriate, the identified weaknesses to an acceptable level of risk.
One or more tasks to remediate a finding must be documented in the Risk Register for any of the following:
Critical-level risks that are not remediated within 7 days
High-level risks that are not corrected within 21 days
Medium-level risks that are not corrected within 30 day
Low level risks as required by the ISO and that are not corrected within 90 days

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) updates the results of a comprehensive risk assessment every 2 years, or whenever there is a significant change to the information system or operational environment, assesses a subset of the security controls within every 365 days during continuous monitoring, and reviews the risk assessment results annually.
Mister (MCW) employs assessors or assessment teams with an organization-defined level of independence to conduct security control assessments and ensure impartiality of the results. These assessors accept the results of an assessment performed by another assessor when the assessment meets the same organization-defined level of independence.
A formal, documented process is in place for identifying risks and performing risk assessments, including the criteria for the evaluation and categorization of risks, and communicating the results of the risk assessments to the affected parties, and to management. A repository and tracking system are in place to manage risk assessments performed.
The likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits is included in the risk assessment process. The likelihood and impact associated with inherent and residual risk are determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
Information security risk assessments requires knowledge of the following:
- External environment factors that could exacerbate or moderate any or all the levels of the risk components described previously;
- The types of accounts offered by Mister (MCW);
- The methods Mister (MCW) provides to open and access its accounts;
- Knowledge and experiences of incident histories and actual case impact scenarios; and
- Systems architectures.

03.01b Risk Mitigation Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Risks can be dealt with in one of four ways:
- Avoidance - This approach eliminates the risk by avoidance of the activity that provides the risk. For example, the risk associated with utilization of wireless technologies can be mitigated by deciding not to use wireless technologies at all.
- Reduction - Risk can be reduced by way of controls that can reduce the likelihood or impact of a risk. An example would be encryption of network traffic to minimize risks that threaten the confidentiality of data.
- Transference - Risk can be transferred by shifting it to an outside entity. An example would be the purchase of insurance against fire damage.
- Acceptance – Risk can be accepted by not selecting any of the aforementioned approaches. When acceptance is selected, management acceptance must be documented.
Mister (MCW) defines and documents the criteria to determine whether a risk is avoided, mitigated, transferred, or accepted.
The factors to be considered include the following:
- Industry sector, industry or organizational laws, regulations, and standards;
- Contractual, business, or other priorities;
- Cultural fit;
- Customer or client concerns;
- Coherence with IT, corporate risk acceptance, and business strategy;
- Cost;
- Effectiveness;
- Type of protection;
- Number of threats covered;
- Risk level at which the controls become justified;
- Risk level that led to the recommendation being made;
- Alternatives already in place; and
- Additional benefits derived.
Mister (MCW) implements a process for ensuring that corrective action plans for the security program and the associated organizational information systems are prioritized and maintained and the remedial information security actions necessary to mitigate risk to organizational operations and assets, individuals, and other organizations are documented.
Mister (MCW) reviews corrective action plans (plans of action and milestones) for consistency with Mister (MCW)’s risk management strategy and organization-wide priorities for risk response actions.
Mister (MCW) updates existing remediation or corrective action plans monthly based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Mister (MCW) mitigates any harmful effect that is known to Mister (MCW) of a use or disclosure of sensitive (e.g., PII) by Mister (MCW) or its business partners, vendors, contractors, or similar third-party, in violation of its policies and procedures.
Mister (MCW) implements an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) develops a formal mitigation plan that includes:
- Performing a cost/benefit analysis for identified countermeasures;
- Documenting a risk treatment plan that provides recommended countermeasures to management;
- Documenting and presenting risk treatment summary reports to management;
- Management approving countermeasures documented in the risk treatment plan;
- Mapping decisions taken against the list of NIST CSF controls;
- Plans for implementations (current and future) documented in Mister (MCW)’s security improvement plan;
- Implementing the management-approved risk treatment plan; and
- Continually assessing the capability of technology needed to sustain an appropriate level of information security based on the size, complexity, and risk appetite of Mister (MCW).

03.01c Risk Evaluation Standards:

Level One Implementation Standards

The following is the Level One implementation standard:

The risk management program includes the requirement that risk assessments be reevaluated at least annually or when there are significant changes in the environment.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The risk management process is integrated with the change management process within Mister (MCW), and a risk assessment is conducted whenever there is a significant change in the environment or there is a change that could have a significant impact. Results of the risk assessment are included in the change management process, so they may guide the decisions within the change management process (e.g., approvals for changes).
Mister (MCW) updates the risk assessment:
- Before issuing a new formal authorization to operate or within every three years, whichever comes first; or
- Whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); or
- If there are other conditions that may impact the security or authorization state of the system.
The privacy, security and risk management program(s) are updated to reflect changes in risks based on:
- Any experiences with security incidents, weaknesses, breaches, or identity theft;
- Changes in the environment (e.g., new methods of attack, new sources of attack, new vulnerabilities);
- Changes in prevention, detection, or response methods for security;
- Changes within Mister (MCW), including:
Organizational mergers, acquisitions, alliances, joint ventures, or service provider arrangements;
New systems or facilities;
New service offerings; and
New types of accounts.

Back to Top

SECTION 04 – SECURITY POLICY

The following standards are necessary to support the security policy statements. These standards serve as guidance to implement the NIST framework.

04.01 Information Security Policy Standards:

04.01a Information Security Policy Document Standard

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Information security policy documents are developed, published, disseminated, and implemented. The information security policy documents state the purpose and scope of the policy, communicate management's commitment, describe management and workforce member's roles and responsibilities, and establish Mister (MCW)’s approach to managing information security.
As applicable to the focus of a particular document, the information security program documentation contains:
- Mister (MCW)’s mission, vision, values, objectives, activities, and purpose, including Mister (MCW)’s place in critical infrastructure;
- A definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing;
- A statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
- A framework for setting control objectives and controls, including the structure of risk assessment and risk management;
- The need for information security;
- The goals of information security
- Compliance scope;
- Legislative, regulatory, and contractual requirements, including those for the protection of sensitive and the legal and ethical responsibilities to protect this information;
- Arrangements for notification of information security incidents, including a channel for raising concerns regarding confidentially, without fear of blame or recrimination;
- A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to Mister (MCW), including but not limited to NIST CSF control objectives such as:
  - Compliance with legislative, regulatory, and contractual requirements;
  - Security education, training, and awareness requirements for the workforce, including researchers and research participants;
  - Incident response and business continuity management;
  - Consequences of information security policy violations;
  - Continuous monitoring;
  - Designating and maintaining an appropriately resourced and technically experienced information security team;
  - Physical security of areas where sensitive information (e.g., PCI, and PII data);
  - Coordination among organizational entities;
  - A definition of general and specific responsibilities for information security management, including reporting information security incidents;
  - The development, dissemination, and review/update of formal, documented procedures to facilitate the implementation of security policy and associated security controls; and
  - References to documentation that may support the policy (e.g., more detailed security policies and procedures for specific information systems or security rules users to comply with).
- These information security policy documents are communicated to users throughout Mister (MCW) in a form that is relevant, accessible, and understandable to the intended reader.
- In the instance of any acquisitions, re-organizations, or mergers, or where Mister (MCW) obtains support from third-party organizations or collaborates with third parties, and especially if these activities involve other jurisdictions, the policy framework includes a documented policy, controls, and procedures that cover such interactions and that specifies the responsibilities of all parties.

04.01b Review of the Information Security Policy Standard:

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The information security policy documents are reviewed at planned intervals or if significant changes occur to ensure the policies' continuing adequacy and effectiveness.
Additional factors when developing or changing an information security policy document include, but are not limited to, regulatory mandates, accreditation requirements, and industry best practices, e.g., for system and services development and acquisition. A process is defined and implemented for individuals to make complaints concerning the information security policy and procedures or Mister (MCW)’s compliance with the policy and procedures. All complaints and requests for changes are documented, including their disposition, if any.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The information security policy documents are reviewed at planned intervals, at a minimum every 365 days, or if significant changes occur in the operating or business environment to ensure its continuing adequacy and effectiveness and that the totality of the policy has been addressed at least every 365 days.
The information security policy documents have an owner who has approved management responsibility for the development, review, and evaluation of the information security policy. The review includes assessing opportunities for improvement of Mister (MCW)’s information security policy documents and approach to managing information security in response to changes to Mister (MCW)’s environment, business circumstances, legal conditions, or technical environment.
The input to the management review includes information on:
- Feedback from interested parties;
- Results of independent reviews (see 5.h);
- Status of preventive and corrective actions (see 5.h and 6.g);
- Results of previous management reviews;
- Process performance and information security policy compliance;
- Changes that could affect Mister (MCW)’s approach to managing information
- Security, including changes to Mister (MCW)’s environment; business circumstances; resource availability; contractual, regulatory, and legal conditions; or to the technical environment;
- Trends related to threats and vulnerabilities;
- Reported information security incidents (see 11.a); and
- Recommendations provided by relevant authorities (see 5.f).
The output from the management review includes any decisions and actions related to:
- Improvement of Mister (MCW)’s approach to managing information security and its processes;
- Improvement of control objectives and controls; and
- Improvement in the allocation of resources and/or responsibilities.
A record of the management review is maintained. Management approval for the revised policy documents is obtained.

Back to Top

SECTION 05 - ORGANIZATION OF INFORMATION SECURITY

The following standards are necessary to support Mister (MCW) of Information Security Policy Statements. These standards serve as guidance to implement the NIST framework.

05.01 Internal Organization Standards

05.01a Management Commitment to Information Security Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW)’s senior management:
- Appoints a senior-level information security official for the development, implementation, and administration of security matters;
- Establishes and communicates Mister (MCW)’s priorities for organizational mission, objectives, and activities;
- Ensures that Mister (MCW)’s information security processes are in place, are communicated to all stakeholders, and consider and address organizational requirements;
- Formally assigns an organization single point of contact or group to provide program oversight (governance), reviews and updates Mister (MCW)’s security plan (strategy, policies, etc.), ensures compliance with the security plan by the workforce, and evaluates and accepts information security risk on behalf of Mister (MCW) (e.g., CEO, COO, Security Steering Committee, etc.);
- Formulates, reviews, and approves information security policies and a policy exception process;
- Periodically, at a minimum annually, reviews and assesses the effectiveness of the implementation of the information security policy;
- Provides clear direction and visible management support for security initiatives;
- Provides the resources needed for information security;
- Initiates plans and programs to maintain information security awareness;
- Ensures that all appropriate measures are taken to avoid cases of identity theft targeted at clients, customers, employees and third parties;
- Ensures that the implementation of information security controls is coordinated across Mister (MCW); and
- Determines and coordinates, as needed, internal or external information security specialists, and reviews and coordinates results of the specialists' advice throughout Mister (MCW).
Mister (MCW):
- Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
- Employs a business case to record the resources required; and
- Ensures that information security resources are available for expenditure as planned.
If the senior-level information security official is employed by Mister (MCW), one of its affiliates, or a third-party service, Mister (MCW) must:
- Retain responsibility for its cybersecurity program in compliance with applicable regulatory requirements;
- Designate a senior member of Mister (MCW)’s personnel responsible for direction and oversight of the third-party service provider; and
- Require the third-party service to maintain a cybersecurity program that protects Mister (MCW) and complies with applicable regulatory requirements.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW)’s senior management:
- Ensures that Mister (MCW)'s information security strategy and goals are identified and considered, addresses organizational and business-specific requirements, and verifies that appropriate processes are in place to meet Mister (MCW)’s strategy and goals;
- Formally reviews and approves in writing the establishment and administration of any information privacy, security, and risk management programs;
- Formally approves in writing the assignment of specific roles and responsibilities for information security across Mister (MCW);
- Ensures the senior security official can demonstrate professional competency in security matters via a recognized security industry certification, appropriate vendor certifications or a minimum of five years of security-related experience;
- Documents its risk acceptance process; and
- Conducts an annual review (may be performed by a third-party) of the effectiveness of its security program.
Mister (MCW) formally appoints in writing non-professional or professional security contacts by name in each major organizational area or business unit.
The ISO of Mister (MCW) reports in writing on Mister (MCW)’s cybersecurity program and material cybersecurity risks at least annually to Mister (MCW)’s board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, reporting must be made to the individual or committee responsible for Mister (MCW)’s cybersecurity program. The report must include, to the extent applicable but is not limited to, the following:
- The confidentiality of nonpublic information and the integrity and security of Mister (MCW)’s information systems;
- Mister (MCW)’s cybersecurity policies and procedures;
- Material cybersecurity risks to Mister (MCW);
- Overall effectiveness of Mister (MCW)’s cybersecurity program; and
- Material cybersecurity events involving Mister (MCW) during the period addressed by the report.

05.01b Independent Review of Information Security Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

An independent review of Mister (MCW)’s information security management program is initiated by management. Such an independent review is necessary to ensure the continuing suitability, adequacy, and effectiveness of Mister (MCW)’s approach to managing information security and privacy.
The review:
- Includes an assessment of Mister (MCW)’s adherence to its security plan and the tests and methods used is sufficient to validate the effectiveness of the security plan;
- Includes notification requirements to confirm whom to inform within Mister (MCW) about the timing and nature of the assessment;
- Addresses the need for changes to the approach to security considering evolving circumstances, including the policy and control objectives and other opportunities for improvement, including those based on regular vulnerability assessments (e.g., network scans and penetration testing);
- Carefully controls information security tests to limit the risks to confidentiality, integrity, and system availability;
- Is carried out by individuals independent of the area under review (e.g., the internal audit function, an independent manager or a third-party organization specializing in such reviews); and
- Is carried out by individuals who have the appropriate skills and experience.
The results of the independent review are:
- Recorded and reported to the management who initiated the review; and
- Maintained for a predetermined period as determined by Mister (MCW), but not less than three years.
If the independent review identifies that Mister (MCW)’s approach and implementation to managing information security is inadequate or not compliant with the direction for information security stated in the information security policy document (see 4.a), management takes corrective actions.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The independent review of the information security management program and information security controls is conducted at least annually or whenever there is a material change to the business practices that may implicate the security or integrity of records containing personal information.

05.02 External Party Standards

05.02a Identification of Risks Related to External Party Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Due diligence, including an evaluation of the information security risks posed by external parties, is carried out to identify any requirements for specific controls where access to sensitive information (e.g., sensitive, cardholder data) by external parties is required prior to establishing a formal relationship with the service provider.
The identification of risks related to external party access considers the following issues:
- The information asset(s) an external party is required to access and the type of access the external party will have to the information and information asset(s), such as:
Physical access (e.g., to offices, computer rooms, tunnel, retail locations);
Logical access (e.g., to an organization's databases, information systems); or
Network connectivity between Mister (MCW)’s and the external party's network(s) (e.g., permanent connection, remote access);
- Whether the access is taking place on-site or off-site;
- The value and sensitivity of the information involved and its criticality for business operations;
- The controls necessary to protect information that is not intended to be accessible by external parties;
- The external party personnel involved in handling Mister (MCW)’s information;
- How Mister (MCW) or personnel authorized to have access can be identified, the authorization verified, and how often this needs to be reconfirmed;
- The different means and controls employed by the external party when storing, processing, communicating, sharing, and exchanging information;
- The impact of access not being available to the external party when required and the external party entering or receiving inaccurate or misleading information;
- Practices and procedures to deal with information security incidents and potential damages and the terms and conditions for the continuation of external party access in the case of an information security incident;
- Legal and regulatory requirements and other contractual obligations relevant to the external party that are considered; and
- How the interests of any other stakeholders may be affected by the arrangements.
Access by external parties to Mister (MCW)’s information is not provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement. All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party (see 5.i and 5.j). All remote access connections between Mister (MCW) CDE or other sensitive systems and all external parties are secured via encrypted channels (e.g., VPN). Any sensitive shared with an external party is encrypted prior to transmission.
External parties are granted the minimum necessary access to Mister (MCW)’s information assets to minimize risks to security. All access granted to external parties is limited in duration and revoked when no longer needed.
External parties are made aware of their obligations and accept the responsibilities and liabilities involved in accessing, processing, communicating, or managing Mister (MCW)’s information and information assets.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) conducts due diligence of an external party via interviews, document review, checklists, review certifications (e.g., NIST), or other remote means. The process for conducting external party due diligence is integrated with the execution of a non-disclosure agreement (NDA) (see 05.e).
Mister (MCW) obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners or third-party providers upon which its information supply chain depends.

05.02b Addressing Security in Third-Party Agreement Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) identifies and mandates information security controls to specifically address supplier access to Mister (MCW)’s information and information assets.
Mister (MCW) maintains written agreements (contracts) that include an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data the third-party possesses or otherwise stores, processes, or transmits on behalf of Mister (MCW) or to the extent that they could impact the security of Mister (MCW)’s information environment. Agreements include requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain, and these requirements are subsequently applicable to subcontractors, etc., of the third-party, i.e., fourth parties, and so on throughout the supply chain.
The agreement ensures that there is no misunderstanding between Mister (MCW) and the third-party. Mister (MCW) satisfy themselves as to the indemnity of the third-party.
The following terms are implemented for inclusion in the agreement to satisfy the identified security requirements (see 05.i):
- The information security policy;
- Controls to ensure asset protection, including:
Procedures to protect organizational assets, including information, software, and hardware;
Any required physical protection controls and mechanisms;
Controls to ensure protection against malicious software (see 9.j);
Procedures to determine whether any compromise of the assets (e.g., loss or modification of information, software, and hardware) has occurred;
Controls to ensure the return or destruction of information and assets at the end of, or at an agreed point in time, during the agreement;
Confidentiality, integrity, availability, and any other relevant property of the assets; and
Restrictions on copying and disclosing information, and using confidentiality agreements (see 05.b);
- User and administrator training in methods, procedures, and security;
- User awareness for information security responsibilities and issues;
- Provision for the transfer of personnel, where appropriate;
- Responsibilities regarding hardware and software installation and maintenance;
- A clear reporting structure and agreed reporting formats;
- A clear and specified process of change management;
- Access control policy, covering:
The different reasons, requirements, and benefits that make the access by the third-party necessary;
Permitted access methods (e.g., multifactor authentication) and the control and use of unique identifiers such as user IDs and passwords;
An authorization process for user access and privileges;
A requirement to maintain a list of individuals authorized to use the services being made available, and those individuals’ rights and privileges with respect to such use;
A statement that all access that is not explicitly authorized is forbidden; and
A process for revoking access rights or interrupting the connection between systems;
- Arrangements for reporting, notification (e.g., how, when and to whom), and investigation of information security incidents and security breaches, as well as violations of the requirements in the agreement, stating that:
The third-party, following the discovery of a breach of unsecured sensitive, notifies Mister (MCW) of such breach, including the identification of everyone who’s unsecured PII has been, or is reasonably believed by the business partner to have been, accessed, acquired, or disclosed during such breach;
All notifications are made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach if the business associate is an agent of Mister (MCW), otherwise the timing of the notification is explicitly addressed in the contract if the business associate is not an agent of Mister (MCW);
Evidence is maintained demonstrating that all notifications were made without unreasonable delay; and
Any other information that may be needed in the notification to individuals, either at the time the notice of the breach is provided or promptly thereafter as information becomes available.
- A description of the product or service to be provided, and a description of the information to be made available along with its security classification (see CSF 07.d);
- The target level of service and unacceptable levels of service;
- The definition of verifiable performance criteria and their monitoring and reporting;
- The right to monitor and revoke any activity related to Mister (MCW)’s assets;
- The right to audit responsibilities defined in the agreement, to have those audits carried out by a third-party, and to enumerate the statutory rights of auditors;
- The penalties exacted in the event of any failure in respect of the above;
- The establishment of an escalation process for problem resolution;
- Service continuity requirements, including measures for availability and reliability, in accordance with an organization's business priorities;
- The respective liabilities of the parties to the agreement;
- Responsibilities with respect to legal matters and how it is ensured that the legal requirements are met (e.g., data protection legislation) especially considering different national legal systems if the agreement involves co-operation with organizations in other countries (see 6.1);
- Intellectual property rights (IPRs) and copyright assignment (see 6. b) and protection of any collaborative work (see 5.e); and
- Conditions for renegotiation or termination of agreements:
A contingency plan is in place in case either party wishes to terminate the relation before the end of the agreements;
Renegotiation of agreements if the security requirements of Mister (MCW) change; and
Current documentation of asset lists, licenses, agreements, or rights relating to them.
Mister (MCW) establishes and documents personnel security requirements, including security roles and responsibilities for third-party providers that are coordinated and aligned with internal security roles and responsibilities and monitor provider compliance.
A screening process is also carried out for contractors and third-party users. Where contractors are provided through an organization, the contract with Mister (MCW) clearly specifies Mister (MCW)’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third-party clearly specifies all responsibilities and notification procedures for screening.
Mister (MCW) requires third-party providers to notify a designated individual or role (e.g., a member of the contracting or supply chain function) of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within 15 calendar days.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) employs formal contracts that, at a minimum, specify:
- The confidential nature and value of the sensitive;
- The security measures to be implemented and/or complied with, including Mister (MCW)’s information security requirements as well as appropriate controls required by applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
- Limitations to access to these services by third parties;
- the service levels to be achieved in the services provided;
- The format and frequency of reporting to Mister (MCW)’s Information Security Management Forum;
- The arrangement for representation of the third-party in appropriate organization meetings and working groups;
- The arrangements for compliance auditing of the third parties;
- The penalties exacted in the event of any failure in respect of the above; and
- The requirement to notify a specified person or office of any personnel transfers or terminations of third-party personnel working at organizational facilities with organizational credentials, badges, or information system privileges within one business day.

Back to Top

SECTION 06 – COMPLIANCE

The following standards are necessary to support the compliance policy statements. These standards serve as guidance to implement the NIST framework.

06.01 Compliance with Legal Requirement Standards:

06.01a Protection of Organizational Record Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Important records, such as contracts, personnel records, financial information, client, or customer information, etc., of Mister (MCW) are protected from loss, destruction, and falsification. Security controls, such as access controls, encryption, backups, electronic signatures, locked facilities, or containers, etc., are implemented to protect these essential records and information.
Guidelines are issued by Mister (MCW) on the ownership, classification, retention, storage, handling and disposal of all records and information. Designated senior management within Mister (MCW) review and approve the security categorizations and associated guidelines.
All regulatory and legislative retention requirements are met.
Mister (MCW)’s formal policies and procedures, other critical records (e.g., results from a risk assessment), and disclosures of individuals' PII AND PCI-DSS data are retained for a minimum of six years.
Mister (MCW) documents compliance with the notice requirements by retaining copies of the notices issued by the covered entity for a period of six years and, if applicable, any written acknowledgements of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgement.
Mister (MCW) documents restrictions in writing and formally maintain such writing, or an electronic copy of such writing, as an organizational record for a period of six years.
Mister (MCW) documents and maintains records (PII) that are subject to access by individuals and the titles of the persons or office responsible for receiving and processing requests for access by individuals as organizational records for a period of six years.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) establishes a formal record retention program that addresses:
- The secure disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of sensitive (see 09.p and 08.l);
- Coverage over all storage of sensitive; and
- A programmatic review process (automatic or manual) to identify and remove sensitive that exceeds the requirements of the data retention policy on a quarterly basis.
Detailed procedures for record storage, access, retention, and destruction are implemented. In doing so, the following controls are implemented:
- A retention schedule is drawn up identifying essential record types and the period for which they must be retained;
- An inventory of sources of key information is maintained;
- Any related cryptographic keys are kept securely and made available only when necessary; and
- Any related cryptographic keying material and programs associated with encrypted archives or digital signatures are also stored to enable decryption of the records for the length of time the records are retained.

06.01b Data Protection and Privacy of Sensitive Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

An organizational data protection and privacy policy is developed and implemented. This policy is communicated to all persons involved in the processing of sensitive. Compliance with this policy and all relevant data protection legislation and regulations is supported by management structure and control. Responsibility for handling sensitive and ensuring awareness of the data protection principles is dealt with in accordance with relevant legislation and regulations.
Technical security controls, including access controls, special authentication requirements, and monitoring, and organizational measures to protect sensitive are implemented.
There is an appointment of a person responsible, such as a data protection officer or privacy officer, who is responsible for Mister (MCW)’s individual privacy protection program, and the officer reports directly to the highest management level of Mister (MCW) (e.g., CEO? Legal?). The data protection officer is designated based on professional qualities and expert knowledge of data protection law and practices and the ability to fulfill required tasks.
Responsibilities include the development and implementation of privacy policies and procedures, serving as the point of contact for all privacy-related issues, including the receipt of privacy-related complaints, and providing privacy-related guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that are followed. The data protection officer will, in the performance of those tasks, have due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of processing.
The data protection officer may fulfil other tasks and duties; however, Mister (MCW) ensures that any such tasks and duties do not result in a conflict of interests.
Where required by legislation, consent is obtained before any PII (e.g., about a client r customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed, to parties external to Mister (MCW).
The information system protects the confidentiality and integrity of information at rest. Sensitive, at minimum, is rendered unusable, unreadable, or indecipherable anywhere it is stored, including on personal computers (laptops, desktops) portable digital media, backup media, servers, databases, or in logs, by using any of the following approaches:
- Full disk encryption (mandatory for laptops and other mobile devices that support full disk encryption, see 01.x);
- Virtual disk encryption;
- Volume disk encryption; and
- File and folder encryption.
The encryption approach is implemented using one or a combination of the following:
- One-way hashes based on strong cryptography; truncation; and
- Strong cryptography with associated key-management processes and procedures.
The system implements one of the following encryption algorithms:
- AES-CBC (AES in Cipher Block Chaining mode) with a symmetric 128-bit key minimum (256-bit key for cloud services) or asymmetric 2048-bit key minimum (3072-bit key for cloud services); or
- Triple DES (3DES-CBC);
If encryption is not applied because it is determined to not be reasonable or appropriate, Mister (MCW) documents its rationale for its decision or uses alternative compensating controls other than encryption if the method is approved and reviewed annually by the ISO.
If disk encryption is used (rather than file- or column-level database encryption), logical access is managed independently of native operating system access control mechanisms, and decryption keys are not tied to user accounts. See NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, for more information on implementing strong cryptography technologies.
Organizations explicitly identify and ensure the implementation of security and privacy protections for the transfer of organizational records, or extracts of such records, containing sensitive personal information to a state or federal agency or other regulatory body that lawfully collects such information.
Mister (MCW) specifies where sensitive data can be stored.
Sensitive storage is kept to a minimum.
Mister (MCW) supports the data protection officer in performing the tasks required by law or regulation by providing resources necessary to carry out those tasks and access to personal data and processing operations and to maintain the data protection officers expert knowledge.
Mister (MCW) ensures that the data protection or privacy officer does not receive any instructions regarding the exercise of those tasks, and the officer is bound by secrecy or confidentiality concerning the performance of the of those tasks, in accordance with applicable law or regulation. The officer is not dismissed or penalized by Mister (MCW) for performing those tasks.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Sensitive storage is kept to a minimum. Storage amount and retention time is limited to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
Mister (MCW) implements technical means to ensure sensitive is stored in organization-specified locations.

06.01c Prevention of Misuse of Information Asset Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The following procedures are implemented to ensure proper authorization and use of computer information assets:
- Notification to all employees that their actions may be monitored and that they consent to such monitoring (Note: the legality of such monitoring must be verified in each legal jurisdiction);
- Acceptable use agreements that are signed by all Mister (MCW) employees, contractors, and third-party users indicating that they have read, understand, and agree to abide by the rules of behavior before management authorizes access to the information system and its resident information. These acceptable use agreements are retained by Mister (MCW);
- Reviews and updates the rules of behavior every 365 days; and
- Requires individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge when the rules of behavior are revised/updated.
Management approves the use of information assets. If any unauthorized activity is identified by monitoring or other means, this activity is brought to the attention of the individual manager concerned for consideration of appropriate disciplinary and/or legal action.
All employees and contractors are informed in writing (e.g., when they sign rules of behavior or an acceptable use agreement) that violations of security policies may result in sanctions or disciplinary action (see 02.f).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Computer login banners are displayed stating:
- The computer being accessed is private;
- Unauthorized access is prohibited;
- Conditions for access (including consent to monitoring and recording), acceptable use, and access limitations; and
- Privacy and security notices.
The user is required to acknowledge the login banner to continue with the log-on.

06.02 Compliance with Security Policies and Technical Compliance Standards

06.02a Compliance with Security Policies and Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Reviews of the compliance of systems with security and privacy policies, standards and any other security and privacy requirements (PCI-DSS, legal, etc.) are supported by system and information owners. Compliance reviews are conducted by security, privacy and/or audit individuals and incorporate reviews of documented evidence. Automated tools are used where possible, but manual processes are acceptable.
Annual compliance assessments are conducted. If any non-compliance is found as a result of the review, managers:
- Determine the causes of the non-compliance;
- Evaluate the need for actions to ensure that non-compliance does not recur;
- Determine and implement appropriate corrective action; and
- Review the corrective action taken.
The results and recommendations of these reviews are documented and approved by management.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The internal security organization regularly reviews the compliance of information processing as part of a formal risk assessment process. Automated compliance tools or scans are used where possible.
Mister (MCW) employs assessors or assessment teams to monitor the security controls in the information system on an ongoing basis as part of a continuous monitoring program. These teams will have a level of independence appropriate to Mister (MCW)’s continuous monitoring strategy.
Mister (MCW) develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
- Establishment of defined metrics to be monitored annually, at a minimum;
- Ongoing program assessments in accordance with its continuous monitoring strategy that includes, at a minimum:
Annual compliance assessments across the entire organization, and
Third-party independent compliance assessments performed bi-annually;
- Ongoing status monitoring in accordance with its continuous monitoring strategy;
- Correlation and analysis of security-related information generated by assessments and monitoring;
- Response actions to address results of these analyses; and
- Reporting the security state of the information system to appropriate organizational officials monthly and, if required, to external agencies (e.g., HHS, CMS) as required by that agency.
The security organization maintains records of the compliance results (e.g., organization-defined metrics) to better track security trends within Mister (MCW), respond to the results of correlation and analysis, and to address longer term areas of concern.

06.02b Technical Compliance Checking Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) checks the technical security configuration of information systems and network components (e.g., firewalls, routers, and switches). Checking is performed either manually, by an individual with experience with the systems, and/or with the assistance of automated software tools. These compliance checks are performed annually.
If any non-compliance is found as a result of the compliance checks, Mister (MCW):
- Determines the causes of the non-compliance;
- Evaluates the need for actions to ensure that non-compliance does not recur;
- Determines and implements appropriate corrective action; and
- Reviews the corrective action taken.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Technical compliance checking is performed by an experienced security/assurance personnel with the assistance of industry standard automated tools, which generate a technical report for subsequent interpretation. Deviations are logged and automatically reported. Technical compliance checks are performed at least annually, and more frequently where needed based on risk, as part of an official risk assessment process.
Special attention is drawn to compliance for the purpose of technical interoperability.
Mutually-agreed-upon provisions and/or terms are established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability and portability for application development and information exchange, usage, and integrity persistence.
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) incorporate at least the following mutually-agreed-upon provisions and/or terms:
- The scope of the business relationship and services offered (e.g., customer [tenant] data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer [tenant] and any subcontracted or outsourced business relationships, physical geograPII and PCIcal location of hosted services, and any known regulatory compliance considerations);
- Information security requirements, provider, and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance, and legal, statutory, and regulatory compliance obligations by all impacted business relationships;
- Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts;
- Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain);
- Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to Mister (MCW);
- Expiration of the business relationship and treatment of customer (tenant) data impacted; and
- Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence.
Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.
Third-party service providers demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.

Back to Top

SECTION 07 – ASSET MANAGEMENT

The following standards are necessary to support the asset management policy statements. These standards serve as guidance to implement the NIST framework.

07.01 Responsibility for Asset Standards

07.01a Inventory of Asset Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) identifies and inventories all assets and services, including information (e.g., PII), encrypted or unencrypted, wherever it is created, received, maintained, or transmitted, including organizational and third-party sites, and documents the importance of these assets. Locations in which PII constitutes a designated record set are explicitly identified in the asset inventory. Approved BYOD equipment is also included on Mister (MCW)’s inventories. The asset inventories also include all information necessary to recover from a disaster, including the type or classification of the asset, format, location, backup information, license information, and the importance of these assets (business value). The inventory does not duplicate other inventories unnecessarily, but Mister (MCW) ensures that the content is aligned.
Mister (MCW) maintains an inventory of authorized wireless access points (WAPs
Specific policies exist for maintaining records of organizational property (capital and noncapital) assigned to employees, contractors, or volunteers. Mister (MCW) management is responsible for establishing procedures to issue and inventory property assigned to employees.
Records of property assigned to employees are reviewed and updated annually. The records are used to document and ensure that all property is returned to Mister (MCW) upon employee termination or transfer out of Mister (MCW) or to a role where the property is no longer needed.
Mister (MCW) ensures that, if organization owned property is assigned to contractors, the procedures for assigning and monitoring the use of the property are included in contracts. If organization-owned property is assigned to volunteer workers, there is a written agreement specifying how and when the property will be inventoried and how it is returned upon completion of the volunteer assignment.
Mister (MCW) creates and documents the process and procedure it intends to use for deleting data from hard drives prior to property transfer, exchange, or disposal/surplus. Mister (MCW) creates and documents the process and procedure it intends to use to transfer, exchange or dispose of an IT-related asset (according to Mister (MCW)’s established lifecycle).
If dynamic host configuration protocol (DHCP) is used to dynamically assign IP addresses, ensure the DHCP server logs are used to help detect unknown systems on the network, and improve Mister (MCW)’s asset inventory.
The asset inventory includes all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory includes every system that has an IP address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, multi-homed addresses, virtual addresses, etc. The asset inventory also includes data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data are identified, regardless of whether they are attached to Mister (MCW)’s network.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Ownership, custodianship, and information classification are agreed and documented for each of the assets. Based on the importance of the asset, its business value and its security classification, levels of protection and sustainment commensurate with the importance of the assets are identified.
Mister (MCW) maintains inventory logs of all media and conduct media inventories at least annually.

07.01b Acceptable Use of Asset Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) establishes and makes readily available to all information system users, a set of rules that describe their responsibilities and expected behavior with regards to information and information system usage. Employees, contractors, and third-party users using or having access to Mister (MCW)’s assets are aware of the limits existing for their use of Mister (MCW)’s information and assets associated with information processing facilities and resources. They are responsible for their use of any information processing resources, and of any such use carried out under their responsibility.
Acceptable use addresses:
- Rules for electronic mail and Internet usages; and
- Guidelines for the use of mobile devices, especially for the use outside the premises of Mister (MCW).
Mister (MCW) includes in the rules of behavior, explicit restrictions on the use of social media and networking sites, posting information on commercial websites, and sharing information system account information.

Back to Top

SECTION 08 – PHYSICAL AND ENVIRONMENTAL SECUIRTY

The following standards are necessary to support the physical and environmental security policy statements. These standards serve as guidance to implement the NIST framework.

08.01 Secure Area Standards

08.01a Physical Entry Control Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

At a minimum, Mister (MCW):
- Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
- Issues authorization credentials for facility access;
- Reviews the access list and authorization credentials periodically but no less than quarterly; and
- Removes individuals from the facility access list when access is no longer required.
For facilities where the information system resides, Mister (MCW) enforces physical access authorizations at defined entry and exit points to the facility where the information system resides, maintains physical access audit logs, and provides security safeguards that Mister (MCW) determines are necessary for areas officially designated as publicly accessible.
Except those areas officially designated as publicly accessible, Mister (MCW) maintains visitor access logs for facilities where information systems reside for at least three months and reviews visitor records periodically but no less than monthly.
Visitor records contain:
- The name and organization of the person visiting;
- The signature of the visitor;
- A form of identification;
- The date of access;
- The time of entry and departure; and
- The purpose of visit.
Access to areas where sensitive information (e.g., sensitive, payment card data) is processed or stored is controlled and restricted to authorized persons only. All visitors are escorted and supervised (their activities monitored) unless their access has been previously approved.
Third-party support services personnel are granted restricted access to secure areas or sensitive processing facilities only when required. This access is authorized and monitored.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

A visitor log is required, including:
- The date and time of entry and departure;
- The visitor's name;
- The Mister (MCW) representative; and
- The employee authorizing physical access.
The log is reviewed no less than monthly and upon occurrence of organization-defined security events and is retained for at least two years in accordance with Mister (MCW)’s retention policy. Visitors are only granted access for specific and authorized purposes and are given instructions on the security requirements of the area and on emergency procedures.
Authentication controls (e.g., access control card plus PIN) are used to authorize and validate all access. Access must be authorized and based on individual job function. An audit trail of all access is securely maintained.
Mister (MCW) ensures that onsite personnel and visitors can be easily distinguished. All employees, contractors, third-party users, and all visitors are required to wear some form of visible identification and immediately notify security personnel if they encounter unescorted visitors or anyone not wearing visible identification. Visitors are given a badge or access device that identifies them as non-employees, and they are required to surrender the badge or access device before leaving the facility or upon expiration. Mister (MCW) ensures that onsite (HQ, Warehouses, Retail Stores etc) personnel and visitor identification (e.g., badges) are revoked or terminated when expired or when access is no longer authorized, and all physical access mechanisms, such as keys, access cards, and combinations, are returned, disabled, or changed. Identification is also updated when access requirements change to ensure their status can be easily distinguished.
Access rights to secure areas are regularly reviewed, at a minimum every 90 days, and updated or revoked when necessary.
A restricted area, security room, or locked room is used to control access to areas containing sensitive. These areas will be controlled accordingly.

08.01b Protecting Against External and Environmental Threat Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) develops, disseminates, reviews, and updates annually:
- A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
The following controls are implemented to avoid damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster:
- Appropriate fire extinguishers are located throughout the facility and are no more than 50 feet away from critical electrical components; and
- Fire detectors (e.g., smoke or heat activated) are installed on and in the ceilings and floors.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Any security threats presented by neighboring premises are identified (e.g., a fire in a neighboring building, water leaking from the roof or in floors below ground level, or an explosion in the street).
Fire prevention training is included in the regular training programs provided to Mister (MCW) personnel.
Appropriate fire suppression systems (e.g., sprinklers, gas) are implemented throughout the building and within secure areas containing information processing devices. For facilities not staffed continuously, these suppression systems are automated.
The building's heating, ventilation, and air conditioning (HVAC) system is configured to automatically shut down upon fire detection.

08.02 Equipment Security Standards

08.02a Equipment Maintenance Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) develops, disseminates, reviews, and updates annually:
- A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.
Equipment is maintained in accordance with the supplier's recommended service intervals and specifications. Only authorized maintenance personnel carry out repairs and service equipment. Appropriate controls are implemented when equipment is scheduled for maintenance (e.g., authorization levels) considering whether this maintenance is performed by personnel on site or external to Mister (MCW).
Mister (MCW):
- Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
- Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
- Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Mister (MCW) monitors and controls nonlocal maintenance and diagnostic activities and prohibits nonlocal system maintenance unless explicitly authorized, in writing, by the VP of Information Technology or a designated representative. If nonlocal maintenance and diagnostic activities are authorized, Mister (MCW):
- Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and as documented in the security plan for the information system;
- Employs strong identification and authentication techniques in the establishment of nonlocal maintenance and diagnostic sessions;
- Maintains records for nonlocal maintenance and diagnostic activities; and
- Terminates all sessions and network connections when nonlocal maintenance is completed.
Mister (MCW) obtains maintenance support and/or spare parts for defined key information system components (defined in the applicable security plan) within the applicable Recovery Time Objective (RTO) specified in the contingency plan.
All requirements imposed by insurance policies are complied with.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Sensitive is cleared from the equipment, or the maintenance personnel are sufficiently cleared prior to all maintenance. Records are kept of all suspected or actual faults and all preventive and corrective maintenance, including:
- The date and time of maintenance;
- The name of individual performing maintenance;
- The name of the escort;
- A description of maintenance performed; and
- A list of equipment removed or replaced.
Mister (MCW) checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

08.02b Secure Disposal or Re-Use of Equipment Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Surplus equipment is stored securely while not in use and disposed of or sanitized when no longer required.
Devices containing sensitive are physically destroyed or the information is destroyed, deleted, or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.
The following are appropriate techniques to securely remove information:
- Disk wiping.
- Degaussing.
The following are appropriate techniques to securely destroy electronic and hard copy media:
- Shredding disk platters.
- Disintegration.
- Grinding surfaces.
- Incineration.
- Pulverization.
- Melting.
See NIST SP 800-88, Guidelines for Media Sanitization, for more information on implementing media sanitization and destruction techniques.
Mister (MCW) renders information unusable, unreadable, or indecipherable on system media, both digital and non-digital, prior to disposal or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies. Mister (MCW) destroys media containing sensitive information that cannot be sanitized.

Back to Top

SECTION 09 – COMMUNICATIONS AND OPERATIONS MANAGEMENT

The following standards are necessary to support the communications and operations management policy statements. These standards serve as guidance to implement the NIST framework.

09.01 Documented Operating Procedure Standards

09.01a Change Management Standards

Level One Implementation Standards

The following is the Level One Implementation Standard:

Changes to information assets, including systems, networks, and network services, are controlled, and archived.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Changes are managed strictly and consistently. Formal management responsibilities and procedures are in place to ensure satisfactory control of all changes to equipment, software, or procedures, including:
- The identification and recording of significant changes;
- The planning and testing of changes;
- The assessment of the potential impacts, including security impacts, of such changes;
- The formal approval for proposed changes; and
- The communication of change details to all relevant persons.
Fallback procedures are defined and implemented, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.

09.01b Segregation of Duties Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems. Whenever it is difficult to segregate controls, such as monitoring of activities, audit trails, management supervision, or a system of dual control (e.g., two individuals with separate responsibilities needing to work together to accomplish a task) are required.
Security audit activities always remain independent.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. No single person can access, modify, or use assets without authorization or detection. The initiation of an event is separated from its authorization to reduce the possibility of collusion. Mister (MCW) identifies duties that require separation of duties and defines information system access authorizations to support separation of duties. Job descriptions reflect accurately the assigned duties and responsibilities that support separation of duties.
Incompatible duties are segregated across multiple users to minimize the opportunity for misuse or fraud. In cases where conflicting duties must be assigned to a single user, activity logging and log reviews by an independent party are required.

09.02 Control Third-Party Service Delivery Standards

09.02a Service Delivery Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

In an agreed service arrangement, service delivery by a third-party (e.g., a certification authority for the provision of cryptographic services) includes:
- Service definitions;
- Delivery levels;
- Security controls, including third-party personnel security, information classification, transmission, and authorization;
- Aspects of service management, including monitoring, auditing, impacts to Mister (MCW)’s resilience, and change management; and
- Issues of liability, reliability of services and response times for the provision of services.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) develops, disseminates, reviews, and updates annually a list of current service providers, which includes a description of the services provided.
In the case of outsourcing arrangements, Mister (MCW) plans the necessary transitions (of information, information processing systems, and anything else that needs to be moved), and ensures that security is maintained throughout the transition period. The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk.
Mister (MCW) defines and documents oversight (e.g., governmental, organizational) and user roles and responsibilities regarding external information system services.
Mister (MCW) ensures that the third-party maintains sufficient service capabilities together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster.
Mister (MCW) restricts the location of facilities that process, transmit, or store sensitive (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual, and other security and privacy-related obligations.

09.02b Monitoring and Review of Third-Party Service Standards

Level One Implementation Standards

The following is the Level One Implementation Standard:

A periodic review of service level agreements (SLAs) is conducted at least annually and compared against the monitoring records.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) monitors security control compliance by external service providers on an ongoing basis. Monitoring involves a service management relationship and process between Mister (MCW) and the third-party.
Service performance levels are monitored to check adherence to the agreements. Service reports produced by the third-party are reviewed and regular progress meetings arranged as required by the agreements. third-party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered are reviewed.
Information about information security incidents is provided to the incident response team. This information is reviewed by the third-party that experienced the incident and by Mister (MCW), which the third-party provides services to, as required by the agreements and any supporting guidelines and procedures. Any identified problems are resolved and reviewed by Mister (MCW) as noted above.
Mister (MCW) monitors the network service features and service levels to detect abnormalities and violations. Mister (MCW) periodically audits the network services to ensure that network service providers implement the required security features and meet the requirements agreed with management, including with new and existing regulations.

09.04 Protection Against Malicious and Mobile Code Standards

09.04 Controls Against Malicious Code Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
Formal policies are required, and technologies implemented for the timely installation and upgrade of the protective measures, including the installation and regular, automatic updating of antivirus or anti-spyware software, including virus definitions, whenever updates are available. Periodic reviews and scans are required of installed software and the data content of systems to identify and, where possible, remove any unauthorized software. However, server environments for which the server software developer specifically recommends not installing host-based antivirus and anti-spyware software, may address the requirement via a network-based malware detection (NBMD) solution.
If an NBMD solution is used, Mister (MCW) also:
- Disables USB ports;
- Prohibits the use of writable media (e.g., DVD-R);
- Restricts the use of read-only media (e.g., DVD-ROM) to legitimate commercial sources for legitimate business reasons (e.g., Linux installation disks); and
- Allows only whitelisted software to run on the system.
The NBMD solution will be installed in-band, whether or not blocking is enabled. Cloud-based implementations with blocking enabled is preferred. If Mister (MCW) chooses to implement a local solution and/or disables blocking, the decision will be supported by a formal risk analysis, and any additional risk formally accepted by management as required by its risk management policy.
Mister (MCW) employs anti-malware software that offers a centralized infrastructure that compiles information on file reputations or has administrators manually push updates to all machines. After applying an update, automated systems verify that each system has received its signature update.
Procedures are defined for response to identification of malicious code or unauthorized software. Checking antivirus or anti-spy software generates audit logs of the checks performed.
The checks carried out by the malicious code detection and repair software to scan computers and media include:
- Checking any files on electronic or optical media and files received over networks for malicious code before use;
- Checking electronic mail attachments and downloads for malicious code or file types that are unnecessary for Mister (MCW)’s business before use; this check is carried out at different places (e.g., at electronic mail servers, desk top computers and when entering the network of Mister (MCW));
- Checking web traffic, such as HTML, JavaScript, and HTTP, for malicious code; and
- Checking removable media (e.g., USB tokens and hard drives, CDs/DVDs, FireWire devices, and external serial advanced technology attachment devices) when inserted.
Formal policies are required prohibiting the use or installation of unauthorized software, including a prohibition of obtaining data and software from external networks.
User awareness and training on these policies and methods are provided for all users on a regular basis.
BYOD users are required to use anti-malware software (where supported).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Critical system file scans are performed during system boot and every 12 hours. Malicious code is blocked and quarantined, and an alert is sent to administrators in response to malicious code detection. Mister (MCW) addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Malicious code protection mechanisms are centrally managed.
For systems considered to be not commonly affected by malicious software, Mister (MCW) performs periodic assessments to identify and evaluate evolving malware threats to confirm whether such systems continue to not require antivirus software.
Mister (MCW):
- Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
- Implements spam protection mechanisms at information system entry and exit points to detect and act on unsolicited messages transported by email, email attachments, web accesses, or other common means;
- Automatically updates malicious code and spam protection mechanisms (including signature definitions) when new releases are available in accordance with Mister (MCW)’s configuration management policy and procedures;
- Configures malicious code protection mechanisms to perform periodic scans of the information system according to organization guidelines and real-time scans of files from external sources at either endpoints or network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and blocks malicious code, quarantine malicious code, or sends alerts to administrator in response to malicious code detection; and
- Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Malicious code and spam protection mechanisms are centrally managed.
User functionality (including user interface services [e.g., web services]) is separated from information system management (e.g., database management systems) functionality.
The information system must implement safeguards to protect its memory from unauthorized code execution.

09.04b Controls Against Mobile Code Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Automated controls (e.g., browser settings) are in place to authorize and restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations).
A formal policy is in place for mobile code protection and to ensure protective measures, including antivirus and anti-spyware, are in place and regularly updated.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) formally addresses controls (e.g., policies and procedures) for blocking any use and receipt (e.g., downloading and execution) of mobile codes.
The following actions are carried out to protect against mobile code performing unauthorized actions:
- Ensuring a logically isolated environment is established for executing mobile code;
- Activating technical measures as available on a specific system to ensure mobile code is managed; and
- Controlling the resources with access to mobile code.

09.05 Information Back-Up Standards

09.05a Back-Up Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Back-up copies of information and software are made, at appropriate intervals, and when equipment is moved (relocated), and tested regularly in accordance with an agreed-upon back-up policy. A formal definition of the level of back-up required for each system is defined and documented, including the scope of data to be imaged, frequency of imaging, and duration of retention. This is based on the contractual, legal, regulatory, and business requirements.
Complete restoration procedures are defined and documented for each system.
The back-ups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site. Physical and environmental controls are in place for the back-up copies. Mister (MCW) ensures that backups, including remote and cloud-based backups, are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network.
Regular testing of back-up media and restoration procedures is performed. Inventory records for the back-up copies, including content and current location, are maintained.
When the back-up service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity, and availability of the back-up information.
Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, BYOD users are required to perform backups of organizational and/or client data on their device(s).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Automated tools track all back-ups.
The integrity and security of the backup copies are maintained to ensure future availability in accordance with the agreed backup policy. To mitigate the risk of attacks that seek to encrypt or damage data on addressable data shares, including backup destinations, Mister (MCW) provides key systems with at least one backup destination that is not continuously addressable through operating system calls. Any potential accessibility problems with the back-up copies are identified and mitigated in the event of an area-wide disaster.
Sensitive is backed-up in an encrypted format to guarantee confidentiality

09.06 Network Security Management Standards

09.06a Network Control Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

IT Operations implement controls to ensure the security of information in networks and the protection of connected services from unauthorized access. Controls are implemented to ensure the availability of network services and information services using the network. Responsibilities and procedures are established for the management of equipment on the network, including equipment in user areas.
When configuring WAPs and devices, Mister (MCW) changes the following:
- Vendor default encryption keys;
- Encryption keys anytime anyone with knowledge of the keys leaves the company or changes positions;
- Default SNMP community strings on wireless devices;
- Default passwords or passphrases on access points;
- Other security-related wireless vendor defaults, if applicable.
A current network diagram (for example, one that shows how sensitive data flows over the network) exists, documenting all connections to systems storing, processing, or transmitting sensitive card data, including any wireless networks. Network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts. Review and update the network diagram as based on the changes in the environment and no less than every six months.
Mister (MCW) monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of WAPs unless explicitly authorized, in writing, by the Director of IT Support or a designated representative. If wireless access is explicitly approved, WAPs and devices have appropriate (e.g., FIPS-approved; minimum of AES WPA2) encryption enabled for authentication and transmission.
WAPs are placed in secure areas.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) uniquely identifies and authenticates network devices that require authentication mechanisms, before establishing a connection, that, at a minimum, use shared information (i.e., MAC or IP address) and access control lists to control remote network access.
To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either:
- Shared known information solutions (Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses); or
- An organizational authentication solution (IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP- TLS authentication).
The required strength of the device authentication mechanism is determined by the security categorization of the information system.
A formal process is established for approving and testing all network connections and changes to firewall, router, and switch configurations. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. Mister (MCW) builds a firewall configuration that restricts connections between un-trusted networks (any networks that are external to the networks belonging to Mister (MCW), and/or which are out of the Mister (MCW)'s ability to control or manage) and any system components in the sensitive environment. Any changes to the firewall configuration are updated in the network diagram.
The firewall configuration:
- Restricts inbound and outbound traffic to that which is necessary for the sensitive system's environment;
- Secures and synchronizes router configuration files;
- Requires firewalls between any wireless networks and the sensitive system's environment; and
- Configures these firewalls to deny or control any traffic from a wireless environment into the card data environment (CDE).
Mister (MCW) ensures that information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception. Mister (MCW) requires information systems to use FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined, alternative physical measures.
Mister (MCW) performs quarterly scans for unauthorized WAPs or unauthorized components and devices and takes appropriate action if any unauthorized connection is discovered.
Mister (MCW):
- Authorizes connections from the information system to other information systems outside of Mister (MCW) using interconnection security agreements or other formal agreements;
- Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated;
- Employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of Mister (MCW); and
- Applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.

09.06b Security of Network Service Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The ability of the network service provider to manage agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed to by management. The security arrangements necessary for services, including security features, service levels, and management requirements, are identified and documented.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW):
- Authorizes connections from the information system to other information systems outside of Mister (MCW) using interconnection security agreements or other formal agreement;
- Centrally documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
- Reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements.
Mister (MCW) employs, and documents in a formal agreement or other document (e.g., an applicable security plan), either (i) an allow-all, deny-by-exception or (ii) a deny-all, permit-by-exception (preferred) policy for allowing specific information systems (defined in the applicable agreement, security plan, etc.) to connect to external information systems.
Mister (MCW) requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of such external or outsourced services.
The contract with the external or outsourced service provider includes the specification that the service provider is responsible for the protection of sensitive shared in the contract.

09.07 Media Handling Standards

09.07a Management of Removal Media Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) formally establishes and enforces controls (e.g., policies and procedures) for the management of removable media and laptops, including:
- Restrictions on the type(s) of media, and usages thereof, to maintain security; and
- Registration of certain type(s) of media including laptops.
Mister (MCW) limits the use of removable media to those with a valid business need.
Media containing sensitive is physically stored and its data encrypted in accordance with Mister (MCW)’s data protection and privacy policy on the use of cryptographic controls (see 06.d) until the media are destroyed or sanitized (see 09.p) and commensurate with the confidentiality and integrity requirements for its data classification level.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Redundancy of storage is established considering the risks to the removable media, including where storage retention requirements exceed the rated life of the media.
Mister (MCW) identifies digital and non-digital media requiring restricted use and the specific safeguards necessary to restrict use.
Mister (MCW):
- Protects and controls digital and non-digital media containing sensitive information during transport outside of controlled areas using cryptography and tamper-evident packaging and
if hand carried, using a securable container (e.g., locked briefcase) via authorized personnel, or
if shipped, trackable with receipt by commercial carrier;
- Maintains accountability for information system media during transport outside of controlled areas;
- Documents activities associated with the transport of information system media; and
- Restricts the activities associated with transport of such media to authorized personnel.

09.07b Disposal of Media Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) destroys media when it is no longer needed for business or legal reasons.
Formal procedures for the secure disposal of media minimize the risk of information leakage to unauthorized persons. The procedures for the secure disposal of media containing information are commensurate with the sensitivity of that information.
The following items are addressed:
- The use of generally accepted secure disposal or erasure methods (see 08.l) for use by another application within Mister (MCW) for media that contains (or might contain) sensitive; and
- The identification of information that qualifies as covered or a policy is developed that all information is considered covered in the absence of unequivocal evidence to the contrary.
It may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the items containing sensitive. If collection and disposal services offered by other organizations are used, care is taken in selecting a suitable contractor with adequate controls and experience.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Procedures are implemented to prevent the aggregation effect, which may cause a large quantity of non-sensitive to become covered when accumulating media for disposal.

09.07c Information Handling Procedure Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Procedures for handling, processing, communication, and storage of information (including information media awaiting disposal) are established, monitored, and enforced to protect data from unauthorized disclosure or misuse, including:
- Physical and technical access restrictions commensurate with the data classification level;
- Handling and labeling of all media according to its indicated classification (sensitivity) level;
- Periodic review (at a minimum annually) of distribution and authorized recipient lists; and
- Monitoring the status and location of media containing unencrypted sensitive.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) maintains inventories of media to maintain strict control over storage and accessibility. Management approves all media that is moved from a secured area, especially when media is distributed to individuals. Maintenance of formal records of data transfers, including logging and an audit trail, is maintained.

09.08 Exchange of Information Standards

09.08a Information Exchange Policies and Procedure Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) ensures that communications protection requirements, including the security of exchanges of information, is the subject of policy development (see also 04.a and 04.b) and compliance audits (see 06.g) consistent with relevant legislation.
When using electronic communication applications or systems for information exchange, the following items are addressed:
- Policies or guidelines are defined outlining acceptable use of electronic communication applications or systems;
- The use of anti-malware for the detection of and protection against malicious code that may be transmitted using electronic communications;
- Procedures are implemented for the use of wireless communications, including an appropriate level of encryption (see 09.m);
- Employee, contractor, and any other user's responsibilities are defined to not compromise Mister (MCW) (e.g., through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.);
- The required use of cryptographic techniques to protect the confidentiality, integrity, and authenticity of sensitive;
- The retention and disposal guidelines are defined for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations; and
- Controls and restrictions are implemented associated with the forwarding of communications (e.g., automatic forwarding of electronic mail to external mail addresses).
Mister (MCW) establishes terms and conditions, consistent with any trust relationship established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
- Access the information system from external information systems; and
- Process, store, or transmit organization-controlled information using external information systems.
Personnel are appropriately educated and periodically reminded of the following:
- Not to leave covered or critical information on printing systems (e.g., copiers, printers, and facsimile machines) as these may be accessed by unauthorized personnel;
- To take necessary precautions, including not to reveal sensitive, to avoid being overheard or intercepted when making a phone call by:
People in their immediate vicinity - particularly when using mobile phones, wiretapping, and other forms of eavesdropping through physical access to the phone handset or the phone line, or using scanning receivers, or
People at the recipient's end;
- Not to leave messages containing sensitive information on answering machines since these may be replayed by unauthorized persons, stored on communal systems, or stored incorrectly because of misdialing;
- The problems that could result from using facsimile machines, namely:
Unauthorized access to built-in message stores to retrieve messages, deliberate or accidental programming of machines to send messages to specific numbers, and
Sending documents and messages to the wrong number either by misdialing or using the wrong stored number;
- Not to register demographic PII and PCI data, such as the email address or other personal information, in any software to avoid collection for unauthorized use; and
- That modern facsimile machines and photocopiers have page caches and store pages in case of a paper or transmission fault, which will be printed once the fault is cleared.
Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems.
Formal procedures are defined to encrypt data in transit including use of strong cryptography protocols to safeguard sensitive during transmission over less trusted or open public networks.
Valid encryption processes include:
- TLS 1.1 or later;
- IPSec VPNs:
Gateway-to-gateway architecture,
Host-to-gateway architecture, or
Host-to-host architecture;
- TLS VPNs:
Portal VPN, or
Tunnel VPN.
See NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementation, and NIST SP 800-77, Guide to IPsec VPNs, for more information on implementing encryption technologies for information transmissions.
Examples of less trusted or open, public networks include:
- The Internet;
- Wireless technologies;
- Global System for Mobile Communications (GSM); and
- General Packet Radio Service (GPRS).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW) permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when Mister (MCW):
- Verifies the implementation of required security controls on the external system, as specified in Mister (MCW)’s information security policy and security plan; or
- Retains approved information connection or processing agreements with the entity hosting the external information system (see 09.t).
Mister (MCW) limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
Terms and conditions are established for authorized individuals to:
- Access the information system from an external information system; and
- Process, store, and/or transmit organization-controlled information using an external information system.
The information system:
- Prohibits remote activation of collaborative computing devices; and
- Provides an explicit indication of use to users physically present at the devices.

09.08b Electronic Messaging Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Legal considerations, including requirements for electronic signatures, are addressed. Approval is obtained prior to using external public services, including instant messaging or file sharing. Stronger levels of authentication controlling access from publicly accessible networks are implemented.
Stronger controls, such as electronic signatures, are implemented to protect certain electronic messages (e.g., those containing PII or other sensitive).
The electronic messages are protected throughout the duration of its end-to-end transport path. Cryptographic mechanisms are employed to protect message integrity and confidentiality unless protected by alternative measures, e.g., physical controls.
Mister (MCW) never sends unencrypted sensitive information (e.g., sensitive, PANs, FTI) by end-user messaging technologies (e.g., email, instant messaging, and chat).

09.09 Electronic Commerce Standards

09.09a On-line Transaction Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Data involved in electronic commerce and online transactions is checked to determine if it contains sensitive.
Security is maintained through all aspects of the transaction, ensuring that:
- User credentials of all parties are valid and verified;
- The transaction remains confidential; and
- Privacy associated with all parties involved is retained.
Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The use of electronic signatures by each of the parties involved in the transaction is required.
Mister (MCW) ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on Mister (MCW)’s intranet) and are not retained and exposed on a storage medium directly accessible from the Internet.
Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates) security is integrated and embedded throughout the entire end-to-end certificate/signature management process.
Communications path between all involved parties is encrypted. The protocols used for communications are enhanced to address any new vulnerability, and the updated versions are adopted as soon as possible.

09.10 Monitoring Standards

09.10a Audit Logging Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Information systems processing sensitive create a secure audit record each time a user accesses, creates, updates, or archives sensitive via the system. Where possible, transaction-level logging and auditing are performed (e.g., on a database system).
The audit logs include:
- A unique user identifier;
- A unique data subject (e.g., client or customer) identifier;
- The function performed by the user (e.g., login, including failed attempts; record creation; access; update; etc.); and
- The time and date that the function was performed.
Logs for operators or administrators also include:
- The type of event that occurred (e.g., success or failure);
- The time at which an event occurred;
- Information about the event (e.g., files handled) or failure (e.g., error occurred, and corrective action taken);
- The account(s) and administrator(s) or operator(s) involved; and
- The process(es) involved.
Retention for audit logs is specified by Mister (MCW) and retained accordingly.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Messaging systems used to transmit messages containing sensitive keep a log of message transmissions, such a log contain the time, date, origin, and destination of the message, but not its content. Mister (MCW) carefully assesses and determines the retention period for these audit logs, with reference to professional standards and legal obligations, to enable investigations to be carried out when necessary, and to provide evidence of misuse where necessary.
Audit logs include but are not limited to:
- Dates, times, and details of key events (e.g., log-on and log-off);
- Records of successful and rejected system access attempts;
- Records of successful and rejected data and other resource access attempts;
- Changes to system configuration and procedures for managing configuration changes;
- Use of privileges;
- Use of system utilities and applications;
- Files accessed and the kind of access;
- Network addresses and protocols;
- Alarms raised by the access control system;
- Activation and de-activation of protection systems, including antivirus systems and intrusion detection systems, and identification and authentication mechanisms; and
- Creation and deletion of system level objects.
Mister (MCW) provides a rationale for why the auditable events are deemed adequate to support after-the-fact investigations of security incidents and which events require auditing on a continuous basis in response to specific situations. The listing of auditable events is reviewed and updated within every 365 days. Information systems' audit logging systems are always operational while the information system being audited is available for use. Where necessary for highly sensitive logs, separation of duties and split key access are employed.
Audit records are retained for 90 days, and old records archived for 1 year to provide support for after-the-fact investigations of security incidents and to meet regulatory and Mister (MCW)-specific retention requirements.

Level Three Implementation Standards

In addition to the requirements of the above Level One and Level Two implementation standards, Level Three implementation standards require the following:

Audit logs include but are not limited to:
- Server alerts and error messages;
- User log-on and log-off (successful or unsuccessful);
- All system administration activities;
- Modification of privileges and access;
- Start-up and shutdown;
- Application modifications;
- Application alerts and error messages;
- Configuration changes;
- Account creation, modification, or deletion;
- File creation and deletion;
- Read access to sensitive information;
- Modification to sensitive information; and
- Printing sensitive information.
The information system also generates audit records containing the following additional, more detailed, information:
- Filename accessed;
- Program or command used to initiate the event; and
- Source and destination addresses.
Disclosures of sensitive are recorded. Information type, date, time, receiving party, and releasing party are logged. Mister (MCW) verifies every 90 days for each extract that the data is erased, or its use is still required.
Account creation, modification, disabling, enabling, and removal actions are automatically logged and audited providing notification, as required, to appropriate individuals.

09.10b Monitoring System Use Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) complies with all relevant legal requirements applicable to its monitoring activities. Items that are monitored include:
- Authorized access; and
- Unauthorized access attempts.
Mister (MCW) specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
Mister (MCW) periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes.
Information collected from multiple sources is aggregated for review.

Level Two Implementation Standards

In addition to the requirements of the above Level One standards, Level Two implementation standards require the following:

Information systems containing sensitive are actively provided with automated assets for monitoring events of the system(s), detecting attacks, and analyzing logs and audit trails that:
- Allow the identification of all system users who have accessed, or modified a given record(s) over a given period; and
- Allow the identification of all records that have been accessed or modified by a given system user over a given period.
Mister (MCW) monitors (e.g., host-based monitoring) the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm that the system is functioning in an optimal, resilient, and secure state.
Monitoring devices are strategically deployed within the information system (e.g., at selected perimeter locations, near server farms supporting critical applications) to collect essential information. Monitoring devices are also deployed at ad hoc locations within the system to track specific transactions. Additionally, these devices are used to track the impact of security changes to the information system.
Mister (MCW) deploys NetFlow collection and analysis to DMZ network flows to detect anomalous activity.
Mister (MCW):
- Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
- Reviews physical access logs weekly and upon occurrence of security incidents involving physical security; and
- Coordinates results of reviews and investigations with Mister (MCW)’s incident response capability.
Monitoring of authorized access includes:
- The user ID;
- The date and time of key events;
- The types of events;
- The files accessed; and
- The program or utilities used.
All privileged operations are monitored, including:
- The use of privileged accounts (e.g., supervisor, root, administrator);
- The system start-up and stop; and
- I/O device attachment and detachment.
Monitoring of unauthorized access attempts includes:
- Failed or rejected user actions, including attempts to access deactivated accounts;
- Failed or rejected actions involving data and other resources;
- Access policy violations and notifications for network gateways and firewalls; and
- Alerts from proprietary IDSs.
System alerts or failures are monitored, including:
- Console alerts or messages;
- System log exceptions;
- Network management alarms;
- Alarms raised by the access control system (e.g., intrusion detection, intrusion prevention, or networking monitoring software); and
- Changes to, or attempts to change, system security settings and controls.
The information system provides the capability to automatically process audit records in the information system for events of interest based on selectable event criteria.
Systems support audit reduction and report generation that supports expeditious, on demand review, analysis, reporting and after-the-fact incident investigations of security incidents and does not alter the original content or time marking of audit records.

Level Three Implementation Standards

In addition to the requirements of the above Level One and Level Two implementation standards, Level Three implementation standards require the following:

Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered.
The results of monitoring activities are reviewed daily, using automated tools, for:
- All security events;
- Logs of all critical system components; and
- Logs of all servers that perform security functions like IDS, IPS, and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
The automated tools generate alert notification for technical staff review and assessment.
Mister (MCW) reviews the logs of all other system components periodically based on its policies and risk management strategy, as determined by Mister (MCW)’s annual risk assessment.
System records are reviewed for:
- Initialization sequences;
- Log-ons and errors;
- System processes and performance; and
- System resources utilization.
The reviews are conducted daily, and the results used to determine anomalies on demand. An alert notification is generated for technical personnel to review and analyze.
Suspicious activity or suspected violations on the information system identified during the review process are investigated, with findings reported to appropriate officials and appropriate actions taken in accordance with the incident response or organizational policies.
Manual reviews of system audit records are performed randomly on demand, but at least once every 30 days.
Mister (MCW) employs automated mechanisms to integrate the audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
Mister (MCW) employs automated tools to support near real-time analysis of events and maintains an audit log to track prohibited sources and services. Inbound and outbound communications are monitored at an organization-defined frequency for unusual or unauthorized activities or conditions.
Mister (MCW) specifies the permitted actions for information system processes, roles, and/or users associated with review, analysis, and reporting of audit records (e.g., read, write, execute, append, and delete).
Mister (MCW) deploys a change-detection mechanism (e.g., file-integrity monitoring tools) to alert personnel of unauthorized modification of critical system files, configuration files, or content files; configures the software to perform critical file comparisons at least weekly; and responds to any alerts generated.
The information system provides near-real-time alerts when the following indications of compromise or potential compromise occur:
- Presence of malicious code;
- Unauthorized export of information;
- Signaling to an external information system; or
- Potential intrusions.
Mister (MCW) analyzes and correlates audit records across different repositories using a security information and event management (SIEM) tool or log analytics tools for log aggregation and consolidation from multiple systems, machines, or devices and correlates this information with input from non-technical sources to gain and enhance organization-wide situational awareness. Using the SIEM tool, Mister (MCW) (system administrators and security personnel) devises profiles of common events from given systems, machines, or devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

09.10c Administrator and Operator Log Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) ensures that proper logging is enabled to audit administrator activities.
System administrator and operator logs are reviewed on a regular basis.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

An IDS managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance

Back to Top

SECTION 10.0 – INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE

The following standards are necessary to support the information systems acquisition, development, and maintenance policy statements. These standards serve as guidance to implement the NIST framework.

10.01 Security Requirements of Information System Standards

10.01a Security Requirements Analysis and Specification Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) develops, disseminates, reviews, and updates annually:
- A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Specifications for the security control requirements include that security controls be incorporated in the information system, supplemented by manual controls as needed. These considerations are applied when evaluating software packages, developed, or purchased.
Security requirements and controls reflect the business value of the information assets involved (see 7.d) and the potential business damage that might result from a failure or absence of security.
For a purchased commercial product, a formal acquisition process is followed. Contracts with the supplier include the identified security requirements. Where the security functionality in a proposed product does not satisfy the specified requirement, then the risk introduced, and associated controls are reconsidered prior to purchasing the product. Where additional functionality is supplied and causes a security risk, the additional functionality is disabled or mitigated through application of additional controls.
Mister (MCW) requires developers of information systems, components, and services to identify (document) early in the system development life cycle (SDLC), the functions, ports, protocols, and services intended for organizational use.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Information security and privacy are addressed in all phases of the project management methodology. Mister (MCW) establishes and appropriately protects a secure development environment for system development and integration efforts that cover the entire SDLC.
Mister (MCW) applies information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems. Mister (MCW) includes business requirements for the availability of information systems when specifying security and privacy requirements. Where availability cannot be guaranteed using existing architectures, redundant components or architectures are considered along with the risks associated with implementing such redundancies.
Specifications for the security and privacy control requirements include those automated controls are incorporated in the information system, supplemented by manual controls as needed. This is evidenced in a formal SDLC, which covers request initiation, requirements definition, analysis, communication, conflict detection and resolution, and evolution of requirements.
Mister (MCW)’s security risk management process is integrated into all SDLC activities. System requirements for information security and processes for implementing security are integrated in the requirements definition phase. Also, in the SDLC initial planning or requirement stage, data classification and risk of the assets are assigned to ensure that appropriate controls are considered, and the correct project team members are involved. The risk and classification activities require sign-off by management.
Mister (MCW) performs thorough testing and verification during the development process. Independent acceptance testing is then undertaken (both for in-house and for outsourced developments) to ensure that the system works as expected and only as expected. The extent of testing is in proportion to the importance and nature of the system.
Information security roles and responsibilities are defined and documented throughout the SDLC.
Commercial products sought to store and/or process sensitive undergo a security assessment and/or security certification by a qualified assessor prior to implementation. (This is not applicable to operating system software).

10.02 Application Standards

10.02a Input Data Validation Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

If the client does system development, include: Mister (MCW) applies checks to the input of business transactions, standing data, and parameter tables - and minimally for sensitive.
Mister (MCW) develops applications based on secure coding guidelines to prevent common coding vulnerabilities in software development processes, including but not limited to:
- Injection flaws, particularly SQL injection (validate input to verify user data cannot modify meaning of commands and queries, utilize parameterized queries, etc.);
- Buffer overflow (validate buffer boundaries and truncate input strings);
- Insecure cryptographic storage (prevent cryptographic flaws);
- Insecure communications (properly encrypt all authenticated and sensitive communications);
- Improper error handling (do not leak information via error messages);
- Broken authentication or sessions (prevent unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable an intruder to assume the identity of an authorized user).
For web applications and application interfaces (internal or external), this also includes but is not limited to:
- Cross-site scripting (XSS) (validate all parameters before inclusion, utilize context sensitive escaping, etc.);
- Improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access functions (properly authenticate users and sanitize input; do not expose internal object references to users);
- Cross-site request forgery (CSRF) (do not reply on authorization credentials and tokens automatically submitted by browsers);
Web-based applications are checked for the most current OWASP top 10 input validation-related vulnerabilities.
Alternatively, the inclusion of input validation checks in the testing methodology is in place and performed at least annually. Input validation testing can be manually performed.
The following input validation procedures are performed:
- Dual input or other input checks, such as boundary checking or limiting fields to specific ranges of input data, to detect the following errors:
Out-of-range values;
Invalid characters in data fields;
Missing or incomplete data;
Exceeding upper and lower data volume limits; or
Unauthorized or inconsistent control data;
- Periodic review of the content of key fields or data files to confirm their validity and integrity;
- Procedures for responding to validation errors;
- Procedures for testing the plausibility of the input data;
- Verifying the identity of an individual opening or updating an account;
- Defining the responsibilities of all personnel involved in the data input process; and
- Creating a log of the activities involved in the data input process (see 9.aa).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Applications that store, process, or transmit sensitive undergo application vulnerability testing at least annually by a qualified party, with an emphasis on input validation controls. Application input validation testing is automated through use of tools or other non-manual methods.
Additionally, Mister (MCW):
- Develops and documents system and information integrity policy and procedures;
- Disseminates the system and information integrity policy and procedures to appropriate areas within Mister (MCW);
- Assigns responsible parties within Mister (MCW) to annually review system and information integrity policy and procedures; and
- Updates the system and information integrity policy and procedures when organizational review indicates updates are required.
The information system checks the validity of organization-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible.
For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; or
- Installing an automated technical solution that detects and prevents web-based attacks (e.g., a web-application firewall) in front of public-facing web applications to continually check all traffic.
If a public-facing application is not web-based, Mister (MCW) implements a network-based firewall specific to the application type.
If the traffic to the public-facing application is encrypted, the device either sits behind the encryption or can decrypt the traffic prior to analysis.
For in-house developed software, Mister (MCW) ensures that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Procedures, guidelines, and standards for the development of applications are periodically reviewed, assessed, and updated as necessary by the appointed senior-level information security official of Mister (MCW).

10.03 Cryptographic Control Standards

10.03a Policy on the Use of Cryptography Control Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The cryptographic policy addresses the use of encryption for protection of sensitive transported by mobile or removable media, devices, or across communication lines. Supporting cryptographic procedures address:
- The required level of protection (e.g., the type and strength of the encryption algorithm required); and
- Specifications for the effective implementation throughout Mister (MCW) (i.e., which solution is used for which business processes).
The cryptographic policy is aligned with Mister (MCW)’s data protection and privacy policy (see 06.d)

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

When implementing Mister (MCW)’s cryptographic policy and procedures, the regulations and national restrictions that apply to the use of cryptographic techniques in different parts of the world and to the issues of trans-border flow of encrypted information (see 06.f) are adhered to.

10.04 Security of System File Standards

10.04a Control of Operational Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

To minimize the risk of corruption to operational systems, the following procedures are implemented to control changes:
- The updating of the operational software, applications, and program libraries are only performed by authorized administrators; and
- Operational systems can only hold approved programs or executable code (i.e., no development code or compilers).
Vendor supplied software used in operational systems is maintained at a level supported by the supplier.
Mister (MCW) uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application.
Mister (MCW) maintains information systems according to a current baseline configuration and configure system security parameters to prevent misuse. The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline.
Any decision to upgrade to a new release considers the business requirements for the change and the security and privacy impacts of the release (e.g., the introduction of new security functionality or the number and severity of security problems affecting this version).
If systems or system components in production are no longer supported by the developer, vendor, or manufacturer, Mister (MCW) must show evidence of a formal migration plan approved by management to replace the system or system components.
Rules for the migration of software from development to operational status are defined and documented by Mister (MCW) hosting the affected application(s), including that development, test, and operational systems be separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system.

10.05 Security in Development and Support Process Standards

10.05a Change Control Procedure Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Project and support environments are strictly controlled. Leadership responsible for application systems are also responsible for the security of the project or support environment. They ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.
Mister (MCW) manages changes to mobile device operating systems, patch levels, and/or applications through a formal change management process.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance is developed. The configuration management policy and procedures are reviewed and updated annually.
Mister (MCW) develops, documents, and implements a configuration management plan for the information system that:
- Addresses roles, responsibilities, and configuration management processes and procedures;
- Defines the configuration items for the information system and, when in the SDLC, the configuration items are placed under configuration management;
- Establishes a process for identifying configuration items throughout the SDLC and for managing the configuration of the configuration items; and
- Protects the configuration management plan from unauthorized disclosure and modification.
Formal change control procedures are documented and enforced to minimize the corruption of information systems. Introduction of new systems and major changes to existing systems follow a formal process of documentation, specification, testing, quality control, and managed implementation.
This process includes a risk assessment, analysis of the security and privacy impacts of changes, and specification of security controls needed. This process also ensures that existing security and control procedures are not compromised, that support developers are given access only to those parts of the system necessary for their work, and that formal agreement and approval for any change is obtained.
Installation checklists are used to validate the configuration of servers, devices, and appliances. In addition, vulnerability port scanning occurs on server and desktops and compares to a known effective baseline to ensure configuration meets minimum security standards. If a change that is not listed on Mister (MCW)’s approved baseline is discovered, an alert is generated and reviewed by Mister (MCW).
The change procedures minimally include:
- Ensuring changes are submitted by authorized users;
- Maintaining a record of agreed authorization levels;
- Reviewing controls and integrity procedures to ensure that they will not be compromised by the changes;
- Identifying all software, information, database entities, and hardware that require amendment;
- Obtaining formal approval for detailed proposals requesting changes before work commences;
- Documenting unit, system, and user acceptance testing procedures in an environment segregated from development and production;
- Ensuring that all system components are tested and approved (operating system, utility, applications) prior to promotion to production;
- Documenting rollback procedures for failed changes;
- Ensuring that authorized users accept changes prior to implementation based on the results on the completion of each change or testing of the changes;
- Ensuring that the system documentation set is updated, and that old documentation is archived or disposed of;
- Maintaining a version control for all software updates;
- Maintaining an audit trail of all change requests and approvals;
- Testing for mobile device, operating system, and application compatibility issues via a documented application validation process; and
- Ensuring that operating documentation (see 9.a) and user procedures are changed as necessary to remain appropriate.
Automated updates are not used on critical systems, as some updates may cause critical applications to fail.
Mister (MCW) requires the developer of the information system, system component, or information system service to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles.

10.06 Technical Vulnerability Management Standards

10.06a Control of Technical Vulnerabilities Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g., what software is installed on what systems) and the person(s) within Mister (MCW) responsible for the software.
Appropriate, timely action is taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, Mister (MCW) identifies the associated risks and the actions to be taken. Such action involves patching of vulnerable systems and/or applying other controls.

Level Two Implementation Standards

In addition to the requirements of the above Level One Implementation standards, Level Two implementation standards require the following:

System administrators (IT Operations and IT Support) shall ensure that all current maintenance and security vulnerability patches are applied and that only essential application services and ports are enabled and opened in the system’s firewall, as applicable. Vulnerabilities that threaten the security of the Mister (MCW) network or IT assets shall be addressed through updates and patches based upon assigned vulnerability ratings:
Personnel shall manage systems to reduce vulnerabilities through vulnerability testing and management, promptly installing patches and updates, and eliminating or disabling unnecessary services.
Mister (MCW) shall use where possible tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities.
Perform scans, typically, on systems and networks known to be stable and preferably during times of least impact to the critical functionality of the system. Expect vulnerability scanning to occur during various phases of the system’s life cycle.
Vulnerability Risk Ratings
The risk ratings assigned to a vulnerability are as follows:
Critical-level Risk: A vulnerability that could cause grave consequences and potentially lead to leakage of Confidential or Regulated data, if not addressed and remediated immediately. This type of vulnerability is present within the most sensitive portions of the network or IT asset, and could cause functionality to cease, exfiltration of data, or an intruder to gain access to the network or IT asset.
High-level Risk: A vulnerability that could lead to a compromise of the network(s) and systems(s) if not addressed and remediated within the established timeframe. This vulnerability could cause functionality to cease or control of the network or IT asset to be gained by an intruder.
Medium-level Risk: A vulnerability that should be addressed within the near future. Urgency in correcting this type of vulnerability still exists; however, the vulnerability may be either a more difficult exploit to perform or of lesser concern to the data owner.
Low-level Risk: A vulnerability that should be fixed; however, it is unlikely that this vulnerability alone would allow the network or IT asset to be exploited and/or it is of little consequence to the data owner. Vulnerabilities of this nature are common among most networks and IT assets and usually involve a simple patch to remedy the problem. These patches can also be defined as enhancements to the network or IT asset.
Vulnerability Mitigation
Mitigation timeframes for identified or assessed vulnerabilities shall be based on the assigned Vulnerability Risk Rating:
Critical-level risk vulnerabilities must be mitigated as soon as possible. “Critical-level risk” vulnerabilities must be, at a minimum, mitigated within 7 days, and remediated (if possible) within 21 days
High-level risk vulnerabilities must be mitigated or remediated within thirty (30) days
Medium-level risk vulnerabilities must be mitigated or remediated within sixty (60) days
Low-level risk vulnerabilities must be mitigated or remediated within ninety (90) days
MCW vulnerability mitigation procedures must specify, at a minimum, the proposed resolution to address identified vulnerabilities, required tasks necessary to affect changes, and the assignment of the required tasks to appropriate personnel.
Vulnerability exceptions are permitted in documented cases where a vulnerability has been identified but a patch is not currently available. When a vulnerability risk is ‘high-level’ and no patch is available, steps must be taken to mitigate the risk through other compensating control methods (e.g., group policy objects, firewalls, router access control lists). A patch needs to be applied when it becomes available. When a ‘high-level’ risk vulnerability cannot be totally mitigated within the requisite time frame, Mister (MCW) need to notify the Mister (MCW) Director of Information Security (ISO) of the condition.
- Appropriate testing and assessment activities shall be performed after vulnerability mitigation plans have been executed to verify and validate that the vulnerabilities have been successfully addressed.
- Appropriate notification shall be provided after vulnerability mitigation plans have been executed.
- In the event of a zero-day vulnerability, a situation where an exploit is used before the developer of the software knows about the vulnerability, Mister (MCW) shall mitigate the vulnerability immediately, if possible, and apply patches as soon as possible after the vendor provides them.
- Vulnerability Information Review and Analysis
- Relevant vulnerability information from appropriate vendors, third party research, and public domain resources shall be reviewed on a regular basis, per the policies and procedures.
- Relevant vulnerability information, as discovered, shall be distributed to the security office.
- Appropriate company personnel shall be alerted or notified in near real-time about warnings or announcements involving "High-risk" vulnerabilities
- Requirements for Compliance (See Vulnerability Management Handbook )
- Mister (MCW) must develop procedures to ensure the timely and consistent use of security patches and use a consistent vulnerability naming scheme to mitigate the impact of vulnerabilities in systems.
- Mister (MCW) shall have an explicit and documented patching and vulnerability standard, as well as a systematic, accountable, and documented set of processes and procedures for handling patches.
- The patching and vulnerability policy shall specify techniques MCW will use to monitor for new patches and vulnerabilities and personnel who will be responsible for such monitoring.
- MCW’s patching process shall define a method for deciding which systems are patched and which patches are installed first, as well as the method for testing and safely installing patches.
- MCW’s process for handling patches shall include the following:
- Using organizational inventories
- Using the Common Vulnerabilities and Exposures vulnerability naming scheme for vulnerability and patch monitoring (See Vulnerability Management Handbook )
- Patch prioritization techniques
- Patch testing, patch distribution, patch application verification, patch training, automated patch deployment, and automatic updating of applications
- Mister (MCW) shall evaluate updates for applicability to the systems.
- Mister (MCW) shall plan the installation of applicable updates.
- Mister (MCW) shall install updates using a documented plan.
- Mister (MCW) shall deploy new computers with up-to-date software.
- After making any changes in a system’s configuration or its information content, Mister (MCW) shall create new checksums or other integrity-checking baseline information for the system.

Back to Top

SECTION 11.0 – INFORMATION SECURITY INCIDENT MANAGEMENT

The following standards are necessary to support the information security incident management policy statements. These standards serve as guidance to implement the NIST framework.

11.01 Reporting Information Security Incidents and Weaknesses Standards

11.01a Reporting Information Security Event Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Formal information security event reporting procedures to support the corporate direction (policy) are established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event, treating the breach as discovered, and the timeliness of reporting and response. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that is included in the incident notification. This reporting also includes notifying internal and external stakeholders, the appropriate community emergency response team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving that organization in computer incidents. Mister (MCW) ensures that the Information Security Program establishes a process focused on information security incident handling at the direction of management.
A point of contact is established for the reporting of information security events. Mister (MCW) ensures that this point of contact is known throughout Mister (MCW), is always available, and can provide adequate and timely response. Mister (MCW) also maintains a list of third-party contact information (e.g., the email addresses of their information security offices), which can be used to report a security incident.
Employees and other workforce members, including third parties, can freely report security weaknesses (real and perceived) without fear of repercussion.
Mister (MCW) implements an insider threat program that includes a cross-discipline insider threat incident handling team.
Mister (MCW) ensures that workforce members do not interfere with federal or state investigations or disciplinary proceedings by willful misrepresentation or omission of facts or using threats or harassment against any person. Mister (MCW) ensures that violations of these requirements are incorporated into disciplinary procedures (see 02.f).

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The Information Security Program refers to the specific procedures and programs to address incidents and refers to a forensic program. Mister (MCW) institutes a mechanism to anonymously report security issues. Procedures are developed to provide for the definition and assessment of information security incidents (e.g., an event or incident classification scale to decide whether an event classifies as an incident), roles and responsibilities, incident handling, and reporting and communication processes. Mister (MCW) formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. The procedures also state the requirements for an incident handling team to address regulatory requirements, third0-party relationships, and the handling of third-party security breaches. Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of the incident, unless otherwise stated by law enforcement in writing or orally. If the statement is made in writing, the notification is delayed for the time specified by the official. If the statement is made orally, Mister (MCW) documents the statement, including the identity of the official making the statement, and delays the notification temporarily and no longer than 30 days from the date of the oral statement, unless a written statement from a law enforcement official is submitted during that time.
All employees, contractors and third-party users receive mandatory incident response training to ensure that they are aware of their responsibilities to report any information security events as quickly as possible, the procedure for reporting information security events and the point(s) of contact, including the incident response team, and the contact information is published and made readily available.
The reporting procedures include:
- Feedback processes to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed;
- Information security event reporting forms to support the reporting action and to help the person reporting remember all necessary actions in case of an information security event including:
The correct behavior to be undertaken in case of an information security event and immediately noting all important details (e.g., type of noncompliance or breach) occurring malfunction, messages on the screen, strange behavior; and
Not carrying out any action but immediately reporting to the point of contact;
- Reference to an established formal disciplinary process for dealing with employees, contractors, or third-party users who commit security breaches;
- Communicating with everyone affected by, or who is reasonably believed to have been affected by, the incident;
- Communicating with business associate(s) identifying everyone affected by, or who is reasonably believed to have been affected by, the incident;
- Communicating incidents to local and federal law enforcement agencies; and
- Automated workflow processes for incident management, reporting, and resolution.
Reports to the individuals affected by the incident are provided with notification by first class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or by electronic mail if specified as a preference by the individual. Mister (MCW) may provide notifications by telephone in cases deemed urgent by Mister (MCW). If there are 10 or more individuals for whom there is insufficient or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication), a conspicuous posting is placed on the home page of Mister (MCW)’s website for a period of 90 days. A toll-free phone number that remains active for at least 90 days is also posted where an individual can learn whether the individual's information may be included in the breach. For fewer than 10 individuals, a substitute form of notice reasonably calculated to reach the individual is provided, except when there is insufficient or out-of-date information that precludes written notification to the next of kin or personal representative. Mister (MCW) also notifies, without unreasonable delay, any consumer reporting agency of the time the notification is distributed and the content of the notification.
If more than 500 residents of a state or jurisdiction were, or are reasonably believed to have been, affected by the breach, notice is immediately provided to the federal government (to publicly disclose) and prominent media outlets.
The notification to individuals is written in plain language (e.g., at an appropriate reading level, using clear language and syntax, and does not include any extraneous material that might diminish the message it is trying to convey).
Alerts from Mister (MCW)’s intrusion detection and intrusion prevention systems are utilized for reporting information security events.

11.02 Management of Information Security Incident and Improvement Standards

11.02a Responsibility and Procedure Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) implements a formal incident response program, which includes the definition of specific phases for incident response.
Mister (MCW) implements an incident handling capability for security incidents that includes detection and analysis (including forensics), containment, eradication, and recovery (including public relations and reputation management).
A program of business processes and technical measures is established to triage security-related events and handle different types of information security incidents, including:
- Information system failures and loss of service;
- Malicious code;
- Denial of service;
- Errors resulting from incomplete or inaccurate business data;
- Breaches of confidentiality and integrity;
- Misuse of information systems;
- Identity theft; and
- Unauthorized WAPs.
In addition to normal contingency plans, the program also covers:
- Analysis and identification of the cause of the incident;
- Containment;
- Restoration and follow-up strategies;
- Increased monitoring of system use;
- Planning and implementation of corrective action to prevent recurrence, including:
Changing of password or security codes;
Changing of devices that permit access to Mister (MCW)’s systems or network;
Modifying or terminating an account of individuals involved directly or indirectly by the incident (e.g., employees, third-parties, contractors, customers); and
Assigning a single Mister (MCW) point of contact who is responsible for sharing information and coordinating responses and that has the authority to direct actions required in all phases of the incident response process.
Mister (MCW) tests and/or exercises its incident response capability regularly.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Audit trails and similar evidence are collected and secured, as appropriate, for:
- Internal problem analysis;
- Use as forensic evidence in relation to a potential breach of contract, regulatory requirement, or in the event of civil or criminal proceedings (e.g., under computer misuse or data protection legislation); and
- Negotiating for compensation from software and service suppliers.
A log of any occurring incident is maintained, and this log is to be submitted annually to the appropriate parties (e.g., a state, regional, or national regulatory agency).
Action to recover from security breaches and correct system failures is carefully and formally controlled. The procedures ensure that:
- Only clearly identified and authorized personnel are allowed access to live systems and data;
- All emergency actions taken are documented in detail;
- Damage is minimized through the containment of the incident, restoration of systems, and preservation of data and evidence;
- Emergency action is reported to management and reviewed in an orderly manner; and
- The integrity of business systems and controls is confirmed with minimal delay; and
- Stakeholders are notified immediately when a safe and secure environment has been restored.
Mister (MCW) disseminates incident response policy and procedures to appropriate elements within Mister (MCW). Responsible parties within Mister (MCW) review the incident response policy and procedures on a predefined frequency. Mister (MCW) updates the incident response policy and procedures when organizational review indicates updates are required.
Mister (MCW) responds to incidents in accordance with the documented procedures, which includes but is not limited to the following:
- Collecting evidence as soon as possible after the occurrence (see 11.e);
- Conducting information security forensic analysis, as required (see 11.e);
- Escalation, as required;
- Ensuring that all involved response activities are properly logged for later analysis;
- Communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need to know;
- Dealing with information security weakness(es) found to cause or contribute to the incident; and
- Once the incident has been successfully addressed, formally closing, and recording it.
Mister (MCW) coordinates incident response testing with organization elements responsible for related plans.
Incident response testing and exercise procedures include:
- Defining incident response tests or exercises, including automated mechanisms;
- Defining the frequency of incident response tests or exercises;
- Testing the incident response capability for the information system using organization-defined tests or exercises in accordance with the defined frequency; and
- Documenting the results of incident response tests or exercises.
In addition to reporting of information security events and weaknesses, the monitoring of systems, alerts, and vulnerabilities is used to detect information security incidents.
Mister (MCW) tests and/or exercises the incident response capability for the information system within every 365 days using reviews, analyses, and simulations to determine the incident response effectiveness, and produces an after-action report to improve existing policy, standards, and procedures. Such testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. A formal test need not be conducted if Mister (MCW) actively exercises its response capability using real incidents.
The incident management plan (CIRT) is reviewed and updated annually.

11.02b Learning from Information Security Incidents Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents and update the incident response and recovery strategy.
Mechanisms are put in place to monitor and quantify the types, volumes, and costs of information security incidents.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Mister (MCW):
- Coordinates incident handling activities with contingency planning activities; and
- Incorporates lessons learned from ongoing incident handling activities and industry developments into incident response procedures, training, and testing exercises, and implements the resulting changes accordingly.
Components of Incident Response include:
- The policy (setting corporate direction) and procedures defining roles and responsibilities;
- Incident handling procedures (business and technical);
- Communication;
- Reporting and retention; and
- References to vulnerability management program that includes network tools for IPS, IDS, forensics, vulnerability assessments, and validation.

Back to Top

SECTION 12.0 – BUSINESS CONTINUITY MANAGEMENT

The following standards are necessary to support the business continuity management policy statements. These standards serve as guidance to implement the NIST framework.

12.01 Information Security Aspects of Business Continuity Management Standards

12.01a Business Continuity and Risk Assessment Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Business Continuity Risk Assessments identify the critical business processes. Information security aspects of business continuity are based on identifying events (or sequence of events) that can cause interruptions to Mister (MCW)’s critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters, and acts of terrorism). This is followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale, and recovery period. Based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity. Once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Business Continuity Risk Assessments identify the critical business processes and integrates the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport, and facilities. The consequences of disasters, security failures, loss of service, and service availability are subject to a business impact analysis.
Business continuity risk assessments are carried out annually with full involvement from owners of business resources and processes. This assessment considers all business processes and is not limited to the information assets but includes the results specific to information security. It is important to link the different risk aspects together to obtain a complete picture of the business continuity requirements of Mister (MCW). The assessment identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to Mister (MCW), including critical resources, impacts of disruptions, allowable outage times, and recovery priorities

12.01b Developing and Implementing Continuity Plans, Including Information Security, Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

A formal, documented contingency planning policy (addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance) and formal, documented procedures (to facilitate the implementation of the contingency planning policy and associated contingency planning controls) are developed, disseminated, and reviewed annually.
The business continuity planning process includes the following:
- Implementation of the procedures to allow recovery and restoration of business operations and availability of information in required timescales;
- Particular attention is given to the assessment of internal and external business dependencies and the contracts in place;
- Documentation of agreed procedures and processes; and
- Testing and updating of at least a section of the plans.
The planning process focuses on the required business objectives (e.g., restoring of specific communication services to customers in an acceptable amount of time). The procedures for obtaining necessary electronic sensitive during an emergency are defined. The services and resources facilitating this are identified, including staffing, non-information processing resources, as well as fallback arrangements for information processing facilities. Such fallback arrangements may include arrangements with third parties in the form of reciprocal agreements or commercial subscription services.
Mister (MCW) coordinates contingency planning activities with incident handling activities.
Developed business continuity plans:
- Identify essential missions and business functions and associated contingency requirements;
- Provide recovery objectives, restoration priorities, and metrics;
- Address contingency roles, responsibilities, assigned individuals with contact information;
- Address maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- Address eventual, full information system restoration without deterioration of the security measures originally planned and implemented;
- Are reviewed and approved by designated officials within Mister (MCW); and
- Are protected from unauthorized disclosure and modification.
Continuity and recovery plans are developed and documented to deal with system interruptions and failures caused by malicious code. Business continuity plans include plans for recovering from malicious code attacks, including all necessary data and software backup and recovery arrangements.
Copies of the business continuity plans are distributed to the roles deemed necessary in the plan.
If alternative temporary locations are used, the level of implemented security controls at these locations is to have logical and physical access controls that are equivalent to the primary site, consistent with the NIST CSF.
The information system implements transaction recovery for systems that are transaction-based.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

The business continuity planning process includes the following:
- Identification and agreement of all responsibilities and business continuity procedures;
- Identification of the acceptable loss of information and services;
- Operational procedures to follow pending completion of response, recovery, and restoration including:
Alternative storage and processing site possibilities, and
Emergency power and back-up telecommunications to the primary site; and
Appropriate education of staff in the agreed procedures and processes, including crisis management.
Business continuity plans address organizational vulnerabilities and, therefore, may contain sensitive that needs to be appropriately protected. Copies of business continuity plans are stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. Management ensures copies of the business continuity plans are up to date and protected with the same level of physical and logical security as applied at the main site. Other material necessary to execute the continuity plans is also stored at the remote location.
Mister (MCW) identifies alternative temporary locations for processing. The necessary third-party service agreements are established to allow for the transfer and resumption of information system operations of critical business functions within a time-period (e.g., priority of service provisions) as defined by a risk assessment (see 12.b). Mister (MCW) identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. The alternate location is at a sufficient distance to escape any damage from a disaster at the main site.
The type of configuration for the alternate site is defined by the risk assessment (see 12.b). Acceptable solutions include:
- Cold sites - a facility with adequate space and infrastructure to support the system;
- Warm sites - partially equipped office spaces that contain some or all the system hardware, software, telecommunications, and power sources;
- Hot sites – office spaces configured with all the necessary system hardware, supporting infrastructure, and personnel; and/or
- Mobile sites - self-contained, transportable shells custom-fitted with IT and telecommunications equipment necessary to meet the system requirements.
Mister (MCW) identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Mister (MCW) develops alternate processing site agreements that contain priority-of-service provisions in accordance with Mister (MCW)’s availability requirements, including RTOs.
Mister (MCW) ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

12.01c Business Continuity Planning Framework Standards

Level One Implementation Standards

Following are the requirements of the Level One implementation standard:

Mister (MCW) creates, at a minimum, one business continuity plan. The business continuity plan describes the approach for continuity ensuring, at a minimum, and the approach to maintain information or information asset availability and security. The plan also specifies the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan. When new requirements are identified, any existing emergency procedures (e.g., evacuation plans or fallback arrangements) are amended as appropriate.
The plan has a specific owner. Emergency procedures, manual "fallback" procedures, and resumption plans are within the responsibility of the owner of the business resources or processes involved. Fallback arrangements for alternative technical services, such as information processing and communications facilities, are usually the responsibility of the service providers.
The business continuity planning framework addresses the identified information security requirements, including the following:
- The conditions for activating the plans that describe the process to be followed (e.g., how to assess the situation, who is to be involved) before each plan is activated;
- Emergency procedures that describe the actions to be taken following an incident that jeopardizes business operations;
- Fallback procedures that describe the actions to be taken to move essential business activities or support services to alternative temporary locations and to bring business processes back into operation in the required time scales;
- Resumption procedures that describe the actions to be taken to return to normal business operations;
- A maintenance schedule that specifies how and when the plan will be tested and the process for maintaining the plan;
- Awareness, education, and training activities that are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective; and
- The critical assets and resources needed to be able to perform the emergency, fallback, and resumption procedures.

Level Two Implementation Standards

In addition to the requirements of the above Level One implementation standards, Level Two implementation standards require the following:

Each business unit creates, at a minimum, one business continuity plan.
Procedures are included within Mister (MCW)’s change management program to ensure that business continuity matters are always addressed and timely as part of the change management process.
A business continuity planning framework addresses the identified information security requirements and the following:
- Temporary operational procedures to follow pending completion of recovery and restoration; and
- The responsibilities of the individuals, describing who is responsible for executing each component of the plan. Alternates are nominated as required.