A COALFIRE PERSPECTIVE

Reduce File Transfer Risk with Validated Compliance
A Framework to assess secure cloud providers

Gerald A. Drake III, QSA, MSIA

April 2014

Dallas | Denver | Los Angeles | New York | San Francisco | Seattle | Washington, D.C.

877.224.8077 | www.coalfire.com

Summary

This paper will help organizations determine how cloud file transfer services can support their information

security programs and data security controls. Most organizations understand there are benefits derived from

cloud-based file transfer solutions, but the benefits don’t outweigh concerns about the solution providers’

ability to deliver and manage a secure and compliant solution. The approach some secure cloud providers take

actually introduces risk: withholding information, implementing insecure configurations, and/or charging exorbitant

fees to attain the secure and compliant solution. This document offers a framework to identify providers who

provide a secure compliance validated file transfer cloud solution and reduce an organization's overall risk for

compliance.

Introduction

Compliant and secure cloud computing is available but choosing the right partner is critical to managing risk.

Legitimate concerns exist surrounding data security within the cloud-computing realm. Recent security

breaches have shaken industry confidence and have led to regulatory compliance initiatives aimed at improving

information security. Partner entities with use or access to protected information, like cloud file transfer service

providers, are accountable to the same requirements.

How will your organization determine the appropriate service provider? Organizations should select a cloud file transfer service provider that shoulders as much of the compliance and security burden as possible. Compliance with the numerous data security regulations and legislations is complex, and your cloud service provider can work with you to address these concerns and proactively enforce heightened data security.

The cloud-computing model is effective and secure when it is implemented properly. The cloud offers a proven

cost reduction, fast time-to-value, and business continuity for hosted data and middleware services. But none of

this matters if the cloud solution can’t address data security and compliance. You need a cloud service provider

that is trustworthy and capable of taming the compliance beast.

This paper outlines the main concerns organizations have about entrusting critical business operations to the

cloud. Then it draws a picture of the ideal cloud service offering, detailing how it removes those concerns so you

can invest confidently to get the benefits the cloud offers.

Concerns about cloud security and compliance


There are many reasons to consider cloud services, but concerns about data security and perceived lack of

regulatory compliance have prevented many organizations from moving to the cloud. Customer data, which can

include credit card information, protected health information, and financial information, can be at risk to

malicious attackers trying to infiltrate the hosting environments. Many organizations have reservations about

hosting their data in the cloud because of a lack of control of their data.

While some cloud providers offer secure and compliant services, detailed description of assurances, services and

costs may not be clear. For example, an organization may purchase a service from a provider they think is

secure and compliant, only to find that add-on services at significant additional cost are required to adequately

meet their security and compliance needs.

Organizations need a security-hardened cloud solution operated by a provider with a robust information

security program in place. There are a number of areas of risk that a cost-effective security-centered solution

needs to address:

• Configuration standards are a vital component in the overall security of the supporting infrastructure

• Security hardened infrastructure

• Clearly defined agreement for services covered under the security umbrella

• Robust security programs

• Documented pricing for all applicable services

A mismanaged security program or inadequate agreement can prove catastrophic, leading to increased risk exposure and the possibility of a security breach, not to mention unexpected costs.

Moving Towards Compliance

Cloud providers are required to provide their customers with a ‘reasonable’ assurance of data security. However, is there a way to validate assurance to auditors? Yes, validated assurance is required to effectively manage risk! Recent movements in the arenas of compliance and security have forced third party organizations towards compliance and the provision of assurance. With implementation of the final healthcare Omnibus Rule, business associates are on the compliance hook. Organizations are now required to be in compliance with HIPAA and the HITECH Act regulations. There is an initiative by the Office of Civil Rights (OCR) to perform independent security audits of service providers’ information security programs. The Omnibus Rule establishes a structure for penalties and fees for security breaches, and lays the foundation for enforcing compliance on all applicable organizations including covered entities, business associates and sub-contractors. It’s vital that organizations make an informed decision to choose a trustworthy cloud provider to support their compliance goals for two reasons: 1) predictable and manageable costs, and 2) effective process for compliance audits.

Any cloud provider that is involved with financial transactions between banks, credit unions, and financial institutions, or that provides services that aid in those transactions, is required to comply with FFIEC regulations. Additionally there are specific guidelines for safeguarding customer data included in the Gramm-Leach-Bliley Act of 1999 (GLBA). These guidelines require service providers to implement appropriate security controls to ensure secure handling of customer data. GLBA and FFIEC mandated regulations enforce data security through established guidelines based on best practices including the National Institute of Standards and Technology (NIST), the Information Systems Audit and Control Association (ISACA), Control Objectives for Information Technology (COBIT), and International Organization for Standardization (ISO). It is the responsibility of the organization to partner with a cloud provider who supports these guidelines and implements appropriate security controls to comply with the secure handling of customer data.

Dismissing Cloud Concerns

Some cloud providers offer cloud-based solutions that are both secure and compliant. Finding them can prove difficult, but consider looking for cloud based solutions hosted at physically secure data center locations, which have been assessed and validated against specific regulations like HIPAA, PCI, FFIEC, and Service Organization Control (SOC) reports Types 1, 2, and 3. Each of these regulations defines required physical security controls like 24/7 video cameras at each ingress/egress location, badge controlled access and policies that limit access to approved personnel or visitors with advance notice and approval. It’s also important to consider disaster recovery services, which are often not included or are available only at additional cost.

Concerns over data security in a private or public cloud can be overcome by partnering with a provider that offers a validated solution compliant with established security regulations. Secure connections using encrypted transmission, defined ports and protocols, as well as strict access controls and firewall rules, provide data integrity. Consider asking the cloud provider for third party security assessments or compliance letters, or request a meeting with the provider to discuss data security concerns. Cloud providers with validated solutions will welcome these requests, but it’s your responsibility to obtain the necessary data security and compliance assurances before you make a commitment.


Organizations should understand whether the cloud provider’s infrastructure is designed to virtually partition data and configuration, so that each customer organization works in their own virtual environment. An effective partitioning implementation includes perimeter firewalls and firewall rules that restrict inbound and outbound traffic to defined ports, protocols, and services. The cloud provider needs to deploy these firewall rules to deny all but explicitly authorized traffic. A deny-all rule should be the default to restrict unauthorized traffic. The cloud provider must also limit traffic, ports, and protocols to only those that are customer defined and business justified. A knowledgeable cloud provider can provide aid and guidance to customers on the types of traffic that are permitted through secure ports and protocols. There are other ways to enforce partitioning, including router access control lists and virtual local area networks (VLANs) with strong ACLs.

The MOVEit Cloud Difference

What is MOVEit Cloud?

Ipswitch MOVEit Cloud is a security-hardened managed file transfer cloud service through which applications and end-users can safely exchange files using standard secure file transfer protocols. MOVEit Cloud uses MOVEit Managed File Transfer software infrastructure, which thousands of customers worldwide trust and adopt to secure their data transfers. MOVEit Cloud can help reduce overall cost and scope related to physical infrastructure, maintenance, support and, perhaps most importantly, compliance. Everything on the cloud data plane is the responsibility of Ipswitch, including network devices, firewalls and software infrastructure.

MOVEit Cloud is validated through an independent, third-party assessor firm as PCI DSS, HIPAA, and FFIEC

compliant. MOVEit Cloud delivers market leading file transfer security and compliance (See related details in

Appendix D):

• Strong logical access controls, including between organizations, divisions, departments and user roles. It is impossible for any organization to see and access another organization’s data.

• End-to-end encrypted transfer in compliance with PCI DSS, HIPAA, and FFIEC requirements:

  o Validated encryption of data in transit with support for SSLv3 through TLS 1.2 or SSH2 encrypted methods (AS1, AS2, AS3, FTPS, HTTPS, SCP2, SFTP, or TLS).

  o FIPS validated encryption for data at rest without using PGP.

• Perimeter firewalls protect the MOVEit Cloud environment, with firewall rule sets in place to restrict inbound and outbound traffic to specific ports, protocols, and services. In addition, each application, database, and web server has host-based firewalls.

• The cloud based infrastructure supports secure configuration and resides in appropriately hardened data centers according to industry guidelines and best practices, based on Center for Internet Security (CIS) benchmarks.

• Business continuity through support for disaster recovery in compliance with HIPAA and FFIEC requirements. Data replication occurs between the primary and secondary data center locations in real time with proven 99% uptime.

• Antivirus support in compliance with PCI DSS, HIPAA, and FFIEC requirements.

Conclusion

Organizations need to understand how to best evaluate cloud file transfer service providers. Security issues

raise troubling concerns about security of data in the cloud, yet there are clear business and cost benefits for

implementing cloud-based solutions. Evaluating prospective service providers against criteria outlined in this

document can significantly narrow the field and increase confidence when making a commitment for a trusted

partnership with a cloud provider.

MOVEit Cloud is a proven cloud-based managed file transfer solution with third party validated security and

compliance. MOVEit Cloud offers customers the affordability of a cloud hosted solution and the security of a

managed file transfer solution. That unique combination positions MOVEit Cloud as a file transfer security and

compliance leader. Ipswitch understands how to overcome the obstacles necessary for compliance and is

committed to maintaining compliance with the security-related standards important to their customers

including PCI DSS, HIPAA, and FFIEC.


Appendix A – MOVEit Cloud Security and Compliance Features

This appendix provides additional detail about security and compliance features delivered in MOVEit Cloud.

These features and benefits reveal significant differences from other file transfer solution providers.

Infrastructure is secure and hardened

MOVEit Cloud has implemented effective logical segmentation within their cloud environment to protect customer data and the environment from external threats. Deployed perimeter firewalls protect the MOVEit Cloud environment, with firewall rule sets in place to restrict inbound and outbound traffic to specific ports, protocols, and services defined by the MOVEit Cloud team. Any traffic not explicitly authorized is denied through firewall rules. Additionally, each application, database, and web server has host-based firewalls in place providing further segmentation and restriction on inbound and outbound traffic. Each firewall rule, perimeter or host-based, is documented and justified for use within the environment. The combined use of the perimeter firewall and host-based firewall rules enforces logical segmentation between external networks, MOVEit customers, Ipswitch personnel, and the MOVEit Cloud environment.
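The assessment criteria in this paragraph and in the earlier partitioning discussion (a deny-all default, permits restricted to defined ports and protocols, and a documented business justification for every rule) can be checked mechanically against an exported rule set. The Python reviewer below is an added example written for this edit, not Ipswitch’s or Coalfire’s code; the rule fields, the port-to-service mapping and the sample rule set are constructed assumptions.

```python
"""Check a firewall rule set against the paper's partitioning criteria:
an explicit deny-all default per direction, permits restricted to defined
ports/protocols, and a documented business justification for every permit."""
from dataclasses import dataclass
from typing import List, Optional

# Secure file transfer services the paper names; the port numbers are an
# assumption of this example (IANA defaults), not taken from the paper.
SECURE_SERVICES = {
    ("tcp", 22): "SFTP/SCP2",
    ("tcp", 443): "HTTPS/AS2",
    ("tcp", 990): "FTPS (implicit TLS)",
}


@dataclass
class Rule:
    direction: str             # "inbound" or "outbound"
    action: str                # "allow" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    port: Optional[int]        # None means any port
    source: str                # network object name, or "any"
    destination: str           # network object name, or "any"
    justification: str = ""    # the documented business reason for the rule


@dataclass
class Finding:
    severity: str              # "high" or "medium"
    rule_index: Optional[int]  # index into the rule list; None for chain-level findings
    message: str


def is_deny_all(rule: Rule) -> bool:
    """True if the rule denies every protocol, port, source and destination."""
    return (rule.action == "deny" and rule.proto == "any" and rule.port is None
            and rule.source == "any" and rule.destination == "any")


def review_ruleset(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    # Criterion 1: each direction's chain must end in an explicit deny-all default.
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or not is_deny_all(chain[-1]):
            findings.append(Finding("high", None,
                            f"no default deny-all rule terminates the {direction} chain"))
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        # Criterion 2: every permit is documented and business justified.
        if not rule.justification.strip():
            findings.append(Finding("high", idx, "allow rule has no documented business justification"))
        # Criterion 3: permits are limited to defined ports and protocols, never "any".
        if rule.proto == "any" or rule.port is None:
            findings.append(Finding("high", idx, "allow rule is not restricted to a defined port and protocol"))
        elif (rule.proto, rule.port) not in SECURE_SERVICES:
            findings.append(Finding("medium", idx,
                            f"allow rule permits {rule.proto}/{rule.port}, not a recognised secure file transfer service"))
        # Criterion 4: a permit open on both ends partitions nothing.
        if rule.source == "any" and rule.destination == "any":
            findings.append(Finding("medium", idx, "allow rule is unscoped on both source and destination"))
    return findings


def sample_ruleset() -> List[Rule]:
    """Constructed sample: a DMZ rule set with three deliberate weaknesses."""
    return [
        Rule("inbound", "allow", "tcp", 22, "any", "mft-dmz", "Customer SFTP uploads (change MFT-101)"),
        Rule("inbound", "allow", "tcp", 443, "any", "mft-dmz", "Browser and AS2 access (change MFT-102)"),
        Rule("inbound", "allow", "any", None, "partner-net", "mft-dmz", ""),   # unjustified, any proto/port
        Rule("inbound", "deny", "any", None, "any", "any", "Default deny"),
        Rule("outbound", "allow", "tcp", 443, "mft-dmz", "any", "Antivirus definition updates (change MFT-110)"),
        Rule("outbound", "allow", "tcp", 3389, "mft-internal", "any", "Remote administration"),  # not a transfer service
        # No outbound deny-all: the chain falls through to whatever the platform default is.
    ]


if __name__ == "__main__":
    for f in review_ruleset(sample_ruleset()):
        where = "chain" if f.rule_index is None else f"rule {f.rule_index}"
        print(f"[{f.severity}] {where}: {f.message}")
```

Run against a provider’s exported rule set, an empty findings list is the evidence an assessor would expect for the criteria above; any "high" finding is a gap to raise with the provider before commitment.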

The cloud based infrastructure supports secure configuration and is appropriately hardened according to industry guidelines and best practices, based on Center for Internet Security (CIS) benchmarks. These CIS benchmarks are applied to each piece of infrastructure managed by the MOVEit Cloud team. Implementing configuration standards and enforcing hardening guidelines are specified requirements for PCI DSS and FFIEC compliance. By adhering to these guidelines and strictly enforcing these hardening standards, MOVEit Cloud takes extensive measures to ensure the supporting infrastructure is configured and hardened. The adoption of multiple security checks and configurations provides assurances that each piece of infrastructure has the appropriate configuration and secure hardening applied in a repeatable fashion. Updates or vulnerabilities uncovered in these configurations and hardening guidelines result in the MOVEit Cloud team providing immediate updates and support to enact the necessary changes on the infrastructure. This will ensure each component involved in the support of the solution is secure and hardened appropriately. Through the configuration management of the MOVEit Cloud infrastructure, organizations can rely on the MOVEit Cloud solution for limiting their risk exposure. Every organization considering using a cloud provider and solution should request the necessary burden of proof that the solution, and its supporting infrastructure, is robust in its security and compliance application.


Data is encrypted end-to-end

A key component and compliance feature of MOVEit Cloud is its FIPS validated encryption solution. Encryption of data, both in transit and at rest, is a compliance requirement for PCI DSS, HIPAA, and FFIEC. The MOVEit Cloud solution has been assessed and validated against data encryption requirements for 42 distinct PCI DSS controls, 2 HIPAA implementation specifications, and 2 FFIEC controls. Because sensitive customer data is transmitted across open, public networks, data protection throughout the entire managed file transfer lifecycle is critical. The encryption solution employed is unique in that even the MOVEit Cloud personnel do not have any insight into the specific data contained within the uploaded/downloaded data file. This achieves heightened levels of security for the customer, ensuring there is no ability to access their data without their approved consent, enforced through logical access controls and permissions. The MOVEit Cloud compliance validation included assessments against specific data encryption controls including:

• Encrypted storage of data

• Protection of encryption and decryption keys

• Separate storage locations for data encrypting and key encrypting keys

• Generation of strong cryptographic keys

• Distribution of keys securely

• Cryptographic key rotation based on cryptoperiods

• Replacement of cryptographic keys when the integrity of the key has been weakened or compromised

• Unauthorized substitution of cryptographic keys

• Use of strong cryptography over open, public networks

Data encryption at rest is a key MOVEit differentiator, as this control eludes cloud providers in the quest to

achieve PCI, HIPAA, and FFIEC compliance. Additionally, at no point during the transmission, storage, or

download of customer data is it unencrypted within the MOVEit Cloud environment, nor does the MOVEit Cloud

team ever have access. Through the provisioning of end-to-end encryption, the customer can rest at ease

knowing their data will remain secure and confidential throughout the entirety of the managed file transfer

lifecycle and at rest within MOVEit Cloud.


Robust access control

Another distinguishing compliance feature of MOVEit Cloud is its logical access controls. MOVEit Cloud has

strong logical access controls in place, with each organization assigned a unique organization member value

within MOVEit Cloud. Specific access control requirements include the following:

• User account provisioning, modification, and removal

• Use of unique user ID

• Access control procedures limited to minimum necessary requirements

• User authentication mechanisms

• Restriction of default, shared, and/or group accounts

• Documented approval for all access requests

• Strong passwords with minimum length and complexity enforced

• Password aging and expiration

• Session timeout and automatic logoff

After purchase by the customer, the MOVEit Cloud department configures the first organization administrator within the solution. After the establishment of the member group and first administrator, the organization can then manage their own users and assign necessary access. MOVEit Cloud employs strong logical access controls, with user permissions defined by job role, referred to as role based access control (RBAC). It is impossible for any organization to see and access another organization’s data, with the implementation of logical access controls to enforce data confidentiality and minimum necessary requirements. These strong access controls based on RBAC are specific compliance requirements for PCI DSS, HIPAA, and FFIEC. Additionally, each organization’s credentials are stored in an encrypted format on the security-infused infrastructure of MOVEit Cloud.

Ipswitch security program and policies

The Ipswitch MOVEit Cloud information security program is robust. This security program is comprehensive and managed by knowledgeable staff trained in information security. As part of the team’s responsibilities, there is regular training conducted on complex security directives aimed at improving the information security posture of the cloud provider, as well as enhancing the security of the MOVEit Cloud solution. The knowledge on display by the MOVEit staff goes beyond just a compliant solution. Staff are knowledgeable in multiple facets of security and stay abreast of evolving security issues, ultimately driving information security to the forefront of their solution and enacting internal security-focused changes company-wide. The MOVEit Cloud staff deployed and continually manage the centralized log correlation engine on a 24/7 basis. Continual monitoring allows MOVEit staff to be closely involved in the log management of MOVEit Cloud and quickly identify potential attack scenarios whereby customer data may fall victim to a security breach. The MOVEit Cloud staff are proficient in ensuring data security for their customers’ data throughout the entire managed file transfer lifecycle.

Managing risk and limiting the threat exposure of customer data is a major priority. Ipswitch MOVEit Cloud has

a mature vulnerability management program in place. The MOVEit Cloud team performs weekly security triage

that examines and ranks possible vulnerabilities discovered during their internal and external vulnerability

scanning process. The team uses industry sources of known vulnerabilities such as the National Vulnerability

Database, customer-reported issues, monthly results from static and dynamic code analysis, quarterly internal

and external vulnerability scans, and annual penetration testing. Critical vulnerabilities uncovered are resolved

within 30 days from the discovery. Confirmed vulnerabilities rated as “high” and “critical” are resolved no later

than the next general release of MOVEit application software. This approach protects customer data because it

represents a risk-based program to secure the entire system infrastructure and application code against the

highest priority threats.


Appendix B – MOVEit Cloud Benefits: Reduced Cost and Scope for Compliance

Ipswitch understands compliance requirements and shares responsibility for integration with your environment. Organizations needing a secure and compliant managed file transfer service benefit from scope reduction by using MOVEit Cloud. The data diagram below shows a high-level representation of the environment relative to the PCI, HIPAA, and FFIEC logical configuration. Organizations can access MOVEit Cloud via web browser, mobile application, or file transfer clients. The customer is responsible for the management of all systems, devices, and components within their environment. When using MOVEit Cloud, everything on the cloud data plane is the responsibility of Ipswitch, including network devices used to route traffic inbound and outbound, firewalls in place limiting inbound and outbound traffic, servers residing in the DMZ, as well as the system components that live within the internal segment of the MOVEit Cloud environment and all of the supporting infrastructure and backend systems, including those used to store the customer specific data files. The demarcation point for the customer organizations is the secure clients and Cisco ASA perimeter firewall managed by Ipswitch.

Ipswitch MOVEit Cloud Data Diagram


There are additional security controls in place too. MOVEit Cloud is primarily a Windows based environment,

with antivirus configured and deployed. The implementation and deployment of antivirus satisfies the

compliance requirements of HIPAA, PCI DSS, and FFIEC. MOVEit Cloud updates deployed antivirus definitions in

real-time, with weekly antivirus scans. Ipswitch personnel manage the antivirus and maintenance actions

necessary through their change management process.

An additional benefit of MOVEit Cloud is the secure software development and coding methodology. The integration and API calls used within MOVEit Cloud have all been rigorously tested and reviewed. MOVEit Cloud employs an Agile methodology for software development. All members of the Ipswitch development team train extensively in secure coding techniques, including the OWASP Top 10, to ensure that the product is free from coding vulnerabilities. Testing of the product occurs every code release, update, and iteration using dynamic and static code analysis, as well as multiple manual code reviews. Some examples of application vulnerabilities published by OWASP in their Top 10 list that are tested against include: injection flaws, buffer overflow, insecure cryptographic storage, insecure communications, improper error handling, cross-site scripting, and cross-site request forgery. On an annual basis, application penetration testing is performed by a third party assessor firm to validate the software is free of exploitable vulnerabilities.

Organizations using MOVEit Cloud see a reduction in cost in three areas: physical infrastructure, maintenance, and support. The entire infrastructure is hosted within secure and compliant data centers. Data replication occurs between the primary and secondary data center locations in real time. The multilayer replication and disaster recovery for MOVEit Cloud enable a proven 99% uptime. Customers do not have to deploy, manage, and update the infrastructure that would be necessary in an onsite deployment. When using MOVEit Cloud, customers don’t need to invest in physical IT infrastructure, in deploying and managing it, or in disaster recovery and business continuity.


Appendix C – Deploying MOVEit Cloud

This appendix describes deployment options and benefits of a cloud based deployment. The secure configuration and hardening guidelines used by MOVEit Cloud can alleviate concerns over an insecure cloud deployment. The diagram depicted below is the typical deployment for MOVEit Cloud with the optional MOVEit Central component. The customer infrastructure is shown on the right of the diagram and their partners’, customers’ or vendors’ infrastructure is shown on the left. The customer can access MOVEit Cloud through a web browser, MOVEit Cloud client, or mobile device. Once the customer has established a connection with MOVEit Cloud, the entire file transfer service including management, configuration, and compliance is no longer their concern. The MOVEit Cloud service and the supporting backend infrastructure are the responsibility of Ipswitch, which is a validated PCI DSS, HIPAA, and FFIEC compliant cloud provider. The customer is responsible for the management of their environment only.

A key benefit of MOVEit Cloud is the disaster recovery and business continuity, which is an FFIEC and HIPAA compliance requirement. MOVEit Cloud has automated replication between the primary and DR facilities to ensure quick and efficient recovery of data in the event of an emergency or disaster. In a traditional physical infrastructure deployment, customers must purchase, deploy and administer the backup and recovery infrastructure necessary for storing, transmitting, and/or processing their data. Use of MOVEit Cloud drastically reduces these costs.


Appendix D – PCI DSS Objectives

This appendix displays the PCI DSS objectives that Ipswitch MOVEit Cloud was assessed against. In total, there

are approximately 288 separate controls necessary for compliance validation.

Build and Maintain Secure Networks

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored data

4. Encrypt transmission of cardholder and sensitive information across public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software.

6. Develop and Maintain Secure Systems and Applications.

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors.


Appendix E - HIPAA Objectives

The following appendix shows the various safeguards, standards, and implementation specifications that Ipswitch MOVEit Cloud was assessed against.

Administrative Safeguards (see § 164.308)

Standard, Reference: Implementation Specifications ((R) = Required, (A) = Addressable)

Security Management Process, 164.308(a)(1)(i): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)

Assigned Security Responsibility, 164.308(a)(2): (R)

Workforce Security, 164.308(a)(3)(i): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)

Information Access Management, 164.308(a)(4)(i): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)

Security Awareness and Training, 164.308(a)(5)(i): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)

Security Incident Procedures, 164.308(a)(6)(i): Response and Reporting (R)

Contingency Plan, 164.308(a)(7)(i): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)

Evaluation, 164.308(a)(8): (R)

Business Associate Contracts and Other Arrangements, 164.308(b)(1): Written Contract or Other Arrangement (R)

Physical Safeguards (see § 164.310)

Standard, Reference: Implementation Specifications ((R) = Required, (A) = Addressable)

Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)

Workstation Use, 164.310(b): (R)

Workstation Security, 164.310(c): (R)

Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards (see § 164.312)

Standard, Reference: Implementation Specifications ((R) = Required, (A) = Addressable)

Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)

Audit Controls, 164.312(b): (R)

Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication, 164.312(d): (R)

Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)

Organizational Requirements (see § 164.314)

Standard, Reference: Implementation Specifications ((R) = Required, (A) = Addressable)

Business Associate Contracts or Other Arrangements, 164.314(a)(1)(i): Business Associate Contracts (R); Other Arrangements (R)

Requirements for Group Health Plans, 164.314(b)(1): Plan Documents (R)

Policies and Procedures and Documentation Requirements (see § 164.316)

Standard, Reference: Implementation Specifications ((R) = Required, (A) = Addressable)

Policies and Procedures, 164.316(a): Policies and Procedures (R)

Documentation, 164.316(b)(1)(i): Time Limit (R); Availability (R); Updates (R)

HITECH Act - Security Provisions

Area, Reference: Requirement

Notification in the Case of Breach, 13402(a): In General

Notification in the Case of Breach, 13402(b): Notification of Covered Entity by Business Associate

Timeliness of Notification, 13402(d)(1): In General

Content of Notification, 13402(f)(1): [Description of Breach]; [Description of EPHI Involved]; [Actions by Individuals]; [Actions by Covered Entity]; [Contact Procedures]


Appendix F - FFIEC Objectives

The following appendix shows the FFIEC objectives that Ipswitch MOVEit Cloud was assessed against. Each control objective below consists of more than 100 control activities that served as the criteria for determining compliance.

1.0 IT PLANNING AND OVERSIGHT

1.1 IT Planning

1.2 IT Organization

1.3 Management Direction

1.4 Human Resource Management

1.5 Risk Assessment

1.6 Incident Response Management

1.7 Vendor Management

1.8 Compliance

2.0 SYSTEM DEVELOPMENT, MAINTENANCE, AND CHANGE CONTROLS

2.1 Acquire & Maintain Systems

2.2 Manage System Changes

2.3 Test and Approve Changes

3.0 IT OPERATIONS

3.1 Manage IT Operations

3.2 Manage Data

4.0 PHYSICAL AND ENVIRONMENTAL PROTECTION

4.1 IT Physical Security

4.2 IT Environmental Protection

5.0 SYSTEM SECURITY

5.1 Ensure Systems Security

5.2 Authentication

5.3 Authorization

5.4 Accounting

6.0 NETWORK SECURITY

6.1 Network Security

6.2 Malicious Code/Content Management

6.3 Network Monitoring

6.4 Network Remote Access

6.5 Network Access

7.0 BUSINESS CONTINUITY

7.1 Ensuring Continuous Service

7.2 Business Continuity Testing