@aminland
Forked from opexxx/AICPA-SOC2-TSP.json
Created June 29, 2020 19:41
AICPA-SOC2-TSP
[
{
"CC1.0": "CC1.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Organization and Management",
"Not Specified": "Not Specified",
"CC1.1": "CC1.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity’s system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs."
},
{
"CC1.0": "CC1.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Organization and Management",
"Not Specified": "Not Specified",
"CC1.1": "CC1.3",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring of the system affecting security, availability, and confidentiality have the qualifications and resources to fulfill their responsibilities.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "New employee hiring procedures are in place to guide the hiring process and include verification that candidates possess the required qualifications to perform the duties as outlined in the job description. Reference “Security Principle” Control ID CC1.1 above for job descriptions. Employees are required to complete security awareness training on an annual basis to understand their obligations and responsibilities to comply with the corporate and business unit security policies. Management monitors compliance with training requirements on a [XXXX] basis. Training courses are available to new and existing employees to maintain and advance the skill level of personnel."
},
{
"CC1.0": "CC1.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Organization and Management",
"Not Specified": "Not Specified",
"CC1.1": "CC1.4",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The entity has established workplace conduct standards, implemented workplace candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to security, availability, and confidentiality.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Policies and procedures require that employees sign an acknowledgment form, upon hire and at least annually, indicating that they have been given access to the employee manual and understand their responsibility for adhering to the code of conduct outlined within the manual. Background checks are performed for employees as a component of the hiring process."
},
{
"CC1.0": "CC2.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Communications",
"Not Specified": "Not Specified",
"CC1.1": "CC2.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "A system description is documented that includes the services provided, data, people, software, infrastructure, procedures, control environment, risk assessment, monitoring, and information and communication systems. The system description is communicated to authorized internal and external users."
},
{
"CC1.0": "CC2.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Communications",
"Not Specified": "Not Specified",
"CC1.1": "CC2.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The entity's security, availability, and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "The entity's security, availability, and confidentiality commitments and the associated system requirements are documented in customer contracts and nondisclosure agreements. Employees are required to complete training on an annual basis to understand their obligations and responsibilities to comply with the corporate and business unit commitments and the associated system requirements. Documented policies and procedures are in place to guide personnel in the entity’s security, availability, and confidentiality commitments and the associated system requirements. The policies and procedures are communicated to internal personnel via the company Intranet. New hires and users requesting access to the network domain are required to acknowledge in writing that they have read and understood the documented policies and procedures that outline the system requirements."
},
{
"CC1.0": "CC2.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Communications",
"Not Specified": "Not Specified",
"CC1.1": "CC2.3",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The entity communicates the responsibilities of internal and external users and others whose roles affect system operation.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": " New hires and users requesting access to the network domain are required to acknowledge in writing that they have read and understood the documented policies and procedures that outline the system requirements."
},
{
"CC1.0": "CC2.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Communications",
"Not Specified": "Not Specified",
"CC1.1": "CC2.4",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security, availability, and confidentiality of the system, have the information necessary to carry out those responsibilities.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": " New hires and users requesting access to the network domain are required to acknowledge in writing that they have read and understood the documented policies and procedures that outline the system requirements."
},
{
"CC1.0": "CC2.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Communications",
"Not Specified": "Not Specified",
"CC1.1": "CC2.5",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Internal and external system users have been provided with information on how to report security, availability, and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Documented escalation procedures for reporting security, availability, and confidentiality incidents are provided to internal and external users to guide users in identifying and reporting failures, incidents, concerns, and other complaints."
},
{
"CC1.0": "CC2.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Communications",
"Not Specified": "Not Specified",
"CC1.1": "CC2.6",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to security, availability, and confidentiality are communicated to those users in a timely manner.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "A change management meeting is held on a [XXXX] basis to discuss and communicate the ongoing and upcoming projects that affect the system. Release notes are documented and communicated to management and users for changes and maintenance that affect system security. Documented position descriptions are in place and updated as needed to communicate changes in roles and responsibilities. Reference “Security Principle” Control ID CC1.1 for organizational structure."
},
{
"CC1.0": "CC3.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Risk Management and Design and Implementation of Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC3.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The entity (1) identifies potential threats that would impair system security, availability, and confidentiality commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies).",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "An inventory listing of all hardware and software within the scope of services is maintained and reviewed on at least an annual basis during the risk assessment process. Documented policies and procedures are in place to guide personnel when performing the risk assessment process. A formal risk assessment is performed on an annual basis. Risks that are identified are rated using a risk evaluation process and are formally documented, along with mitigation strategies, for management review."
},
{
"CC1.0": "CC3.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Risk Management and Design and Implementation of Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC3.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Security reviews and vulnerability assessments are performed by information technology personnel and third party vendors on a periodic basis. Remediation plans are proposed and monitored through resolution. Security monitoring applications and manual reviews are utilized to monitor and analyze the in-scope systems for possible or actual security breaches. Reference “Security Principle” Control ID CC3.1 for risk assessments."
},
{
"CC1.0": "CC3.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Risk Management and Design and Implementation of Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC3.3",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technological) that could significantly affect the system of internal control for security, availability, and confidentiality and reassess risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "The entity’s IT security group monitors the security impact of emerging technologies. Developments in technology and the impact of applicable laws or regulations are considered by senior management as part of the annual risk assessment and IT security planning process."
},
{
"CC1.0": "CC4.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Monitoring Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC4.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The design and operating effectiveness of controls are periodically evaluated against security, availability, and confidentiality commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "The security monitoring applications are configured to alert IT personnel via e-mail notifications when certain defined thresholds have been reached. Documented escalation procedures are in place to guide employees in reporting, acting upon, and resolving reported events. Reference “Security Principle” Control ID CC3.2 for security reviews and monitoring applications."
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC.5.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Documented standard build procedures are utilized for installation and maintenance of production servers and include use of an access control system to control access to authorized users. Internal and external user access requests are documented on a standard access request form and require the approval of a manager. User access reviews are performed on an [XXXX] basis to ensure that access to data was restricted. \"The in-scope systems are configured to log access related events including, but not limited to, the following and send e-mail notifications to [XXXX] upon certain events that have occurred:\n·         XXX\" The in-scope systems are configured to authenticate users with a unique user account  and enforce predefined user account and minimum password requirements. Encrypted VPNs are required for remote access to production and enforce two-factor authentication. Predefined security groups are utilized to assign role-based access privileges and segregate access to data to the in-scope systems. User access reviews are performed on an [XXXX] basis to ensure that access to data was restricted and provided for appropriate segregation of duties. Administrative access privileges to the in-scope systems are restricted to user accounts accessible by authorized personnel. Privileged user access reviews are performed on an [XXXX] basis to ensure that access to data was restricted and authorized.\n"
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC.5.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "New internal and external system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Contractor or vendor access requests are documented on a standard access request form and require the approval of a manager. The accounts remain enabled for a defined period of time and automatically expire. Reference “Security Principle” Control ID CC5.1 for internal and external user access requests and unique user accounts and password parameters. A termination checklist is completed and access is revoked for employees as a component of the employee termination process. Reactivation or use of a terminated employee's ID can only be performed using the ticketing system and must include the purpose and justification of the access, the systems that are to be reactivated, and the time period for which the account will be active. The account is reset with a new password and is activated for the time period requested. Use of the account is logged and reviewed by security personnel. Shared accounts are prohibited unless documented approval is obtained from [XXXX] via a standard exception form."
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC.5.3",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software and data).",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Reference “Security Principle” Control ID CC5.1 for unique user accounts and password parameters. Reference “Security Principle” Control ID CC5.2 for shared accounts. Reference “Security Principle” Control ID CC5.1 for remote VPN access."
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC.5.4",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Reference “Security Principle” Control ID CC5.1 for predefined user access roles and controls related to the user access request process. Reference “Security Principle” Control ID CC5.1 for user access reviews and controls related to the user access request process."
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC.5.5",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within these locations) is restricted to authorized personnel.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Physical access control systems are in place to restrict access to and within the corporate facility and data center housing the facilities, backup media, and other system components such as firewalls, routers, and servers to properly authorized individuals that include the following:\n• Badge access control system in place at the perimeter and within the facilities\n• Two-factor authentication system required for access to the data center\n• Man trap at the entrance of the data center\n• Visitor logs recorded visitor access to the corporate facility and the data center\n• Visitors were required to wear visitor badges while onsite and the badges were distinguishable from employee badges\n• Visitors required an escort at all times\nPhysical access requests are documented on a standard access request form and require the approval of the [XXXX]. Physical access reviews are performed on an [XXXX] basis to ensure that access to data was restricted. A termination checklist is completed and physical access is revoked for employees as a component of the employee termination process. Data center customers are sent a physical access listing on an [XXXX] basis for review and updating. Reference “Security Principle” Control ID CC5.5 above for physical access reviews, termination checklist and removal of physical access. Visitors are required to surrender their badges upon exit. The badges are disabled when returned."
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC5.6",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Logical access security measures have been implemented to protect against security, availability, and confidentiality threats from sources outside the boundaries of the system.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "A firewall system is in place to filter unauthorized inbound network traffic from the Internet. An intrusion detection/prevention system (IDS/IPS) is utilized to analyze and report network events. Web servers utilize Transport Layer Security (TLS, historically SSL) encryption for web communication sessions. Reference “Security Principle” Control ID CC5.1 for VPN encryption. Firewall and router rules are reviewed on a [XXXX] basis to ensure that only necessary connections are configured within the rule sets. Reference “Security Principle” Control ID CC3.2 for vulnerability assessments."
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC5.7",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and requirements as they relate to security, availability, and confidentiality.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Policies are in place that prohibit the transmission of sensitive information over the Internet or other public communications paths unless it is encrypted. Reference “Security Principle” Control ID CC5.1 for VPN encryption. Reference “Security Principle” Control ID CC5.6 for TLS (SSL) encryption. The automated backup system is configured to encrypt backup media prior to being written to tape. Backup media are secured in a tamper-resistant case prior to being transferred to the third party vaulting location."
},
{
"CC1.0": "CC5.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Logical and Physical Access Controls",
"Not Specified": "Not Specified",
"CC1.1": "CC5.8",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "A central antivirus server is configured with antivirus software to protect registered production Windows servers and workstations with the following configurations:\n- Scan for updates to antivirus definitions and update registered clients on a daily basis.\n- Scan registered clients on a weekly basis."
},
{
"CC1.0": "CC6.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to System Operations",
"Not Specified": "Not Specified",
"CC1.1": "CC6.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Vulnerabilities of system components to security, availability, and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "The in-scope systems are configured to log events including, but not limited to, the following, and to send e-mail notifications to [XXXX] when certain events occur:\n• XXX\nReference “Security Principle” Control ID CC3.2 for security monitoring applications and vulnerability assessments. Automated backup systems are in place to perform scheduled backups of production servers at predefined times.\n"
},
{
"CC1.0": "CC6.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to System Operations",
"Not Specified": "Not Specified",
"CC1.1": "CC6.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Reference “Security Principle” Control ID CC4.1 for incident response procedures. Management meetings are held on a [XXXX] basis to discuss incidents and corrective measures to ensure that incidents are resolved. [XXXX] personnel utilize an automated ticketing system to document security violations, responses, and resolution. Reference “Security Principle” Control ID CC6.2 above for management meetings. Policies are documented and maintained that address remedial actions for lack of compliance with policies and procedures. Reference “Security Principle” Control ID CC2.2 for documented employee acknowledgment of the policies and procedures. Incidents requiring a change to the system follow the standard change control process. Reference “Security Principle” Control ID CC6.2 above for the incident response ticketing system."
},
{
"CC1.0": "CC7.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Change Management ",
"Not Specified": "Not Specified",
"CC1.1": "CC7.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Security, availability, and confidentiality commitments and requirements are addressed during the system development lifecycle including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Changes made to in-scope systems are authorized, tested, and approved prior to implementation. Reference “Security Principle” Control ID CC2.6 above for change management meetings."
},
{
"CC1.0": "CC7.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Change Management ",
"Not Specified": "Not Specified",
"CC1.1": "CC7.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to security, availability, and confidentiality.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "A formal risk assessment is performed on an annual basis. Risks that are identified and require changes to the system are documented in the change management system. Reference “Security Principle” Control ID CC6.2 for management meetings."
},
{
"CC1.0": "CC7.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Change Management ",
"Not Specified": "Not Specified",
"CC1.1": "CC7.3",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Reference “Security Principle” Control ID CC6.2 for the requirement that incidents requiring a change to the system follow the standard change control process."
},
{
"CC1.0": "CC7.0",
"Common Criteria Related to Organization and Management": "Common Criteria Related to Change Management ",
"Not Specified": "Not Specified",
"CC1.1": "CC7.4",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with security, availability, and confidentiality commitments and requirements.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Reference “Security Principle” Control ID CC7.1 above for the requirement that changes made to in-scope systems are authorized, tested, and approved prior to implementation. The production environment is logically and physically segmented from development and test environments. Access privileges to promote changes into the production environment are segregated from those with development responsibility and restricted to user accounts accessible by persons holding the following positions:\n• XXXX\nA file integrity monitoring tool is utilized to monitor for changes to the production environment and send daily notifications to persons holding the following positions:\n• XXXX\nBackout procedures are documented for each change implementation to allow for rollback of changes when changes impair system operation. Change management policies and procedures are documented that outline separation of duties such that authorization, development, testing, and implementation are segregated functions within the process."
},
{
"CC1.0": "A1",
"Common Criteria Related to Organization and Management": "Availability Principle",
"Not Specified": "Not Specified",
"CC1.1": "A1.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Current processing capacity and usage are maintained, monitored and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Enterprise monitoring applications are configured to monitor the in-scope systems' capacity levels and alert IT personnel when predefined thresholds have been met. Management meetings are held on a [XXXX] basis to review availability trends and availability forecasts as compared to system commitments. Reference “Availability Principle” Control ID A1.1 for enterprise monitoring."
},
{
"CC1.0": "A1",
"Common Criteria Related to Organization and Management": "Availability Principle",
"Not Specified": "Not Specified",
"CC1.1": "A1.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained and monitored to meet availability commitments and requirements.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "The data centers are equipped with the following environmental protection equipment:\n• Fire detection and suppression equipment\n• Uninterruptible power supply (UPS) systems\n• Generators\n• Air conditioning units\nManagement retains the inspection report received from third party specialists evidencing completion of inspection and maintenance of the following on a periodic basis:\n• Fire detection and suppression equipment\n• UPS systems\n• Generators\n• Air conditioning units\nShift turnover logs document environmental system monitoring performed during each shift. Automated backup systems are in place to perform scheduled backups of production data and systems at predefined times. The automated backup systems are configured to send alert notifications to IT personnel regarding backup job completion status. Backup media are securely stored at a location that is physically separate from the production environment. Disaster recovery plans are in place to guide personnel in procedures to protect against disruptions caused by an unexpected event. A third party location is contracted as a recovery facility to permit the resumption of IT operations in the event of a disaster at its data center.\n"
},
{
"CC1.0": "A1",
"Common Criteria Related to Organization and Management": "Availability Principle",
"Not Specified": "Not Specified",
"CC1.1": "A1.3",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "IT personnel perform restoration of backup files as a component of business operations. Disaster recovery plans are tested on at least an annual basis."
},
{
"CC1.0": "C1",
"Common Criteria Related to Organization and Management": "Confidentiality Principle",
"Not Specified": "Not Specified",
"CC1.1": "C1.1",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Client data is not utilized for application change control testing."
},
{
"CC1.0": "C1",
"Common Criteria Related to Organization and Management": "Confidentiality Principle",
"Not Specified": "Not Specified",
"CC1.1": "C1.2",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Reference “Security Principle” Control ID CC5.1 for user access authentication and password parameters and the VPN control for remote access. The in-scope systems are configured to log events including, but not limited to, the following, and to send e-mail notifications to [XXXX] when certain events occur:\n• XXX\nConfidential data is stored in an encrypted format. Access to the encryption keys is restricted to authorized personnel."
},
{
"CC1.0": "C1",
"Common Criteria Related to Organization and Management": "Confidentiality Principle",
"Not Specified": "Not Specified",
"CC1.1": "C1.3",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "The application is configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements. Access privileges to application output are restricted to user accounts accessible by authorized personnel. Confidential data is stored in an encrypted format. Reference “Security Principle” Control ID CC5.6 for TLS (SSL) encryption."
},
{
"CC1.0": "C1",
"Common Criteria Related to Organization and Management": "Confidentiality Principle",
"Not Specified": "Not Specified",
"CC1.1": "C1.4",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "The entity obtains confidentiality commitments that are consistent with the entity's confidentiality requirements, from vendors and other third parties whose products and services comprise part of the system and have access to confidential information.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Confidentiality agreements are required to be in place with third parties prior to sharing information designated as confidential."
},
{
"CC1.0": "C1",
"Common Criteria Related to Organization and Management": "Confidentiality Principle",
"Not Specified": "Not Specified",
"CC1.1": "C1.5",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the system is assessed on a periodic and as-needed basis and corrective action is taken, if necessary.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "Management reviews documentation provided by third party providers to help ensure that third party providers are in compliance with security and confidentiality policies. "
},
{
"CC1.0": "C1",
"Common Criteria Related to Organization and Management": "Confidentiality Principle",
"Not Specified": "Not Specified",
"CC1.1": "C1.6",
"The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality, or any combination thereof].": "Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system.",
"Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees and updated as needed. Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for particular jobs.": "The entity’s confidentiality commitments and requirements are documented in customer contracts. The contracts are updated and a signature is obtained should the confidentiality practice change."
}
]
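The file integrity monitoring control described under CC7.4 (a tool that watches the production environment for changes and notifies named positions daily) reduces to a baseline-and-compare check: hash every file once under change control, re-hash on a schedule, and report drift. The script below is an added example written for this page; it is not part of the gist, of any AICPA material, or of a real FIM product. The directory layout, file names and "tamper" steps inside `demo()` are constructed purely for the demonstration.

```python
"""Baseline-and-compare file-integrity check (added example for the CC7.4 control)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, hashed in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest and permission bits.

    Symlinks are skipped so a link pointing outside the tree cannot pull foreign content
    into the baseline; permission bits are recorded because a mode change (for example a
    config file made world-writable) is a change worth flagging even if the bytes match.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {
            "sha256": hash_file(path),
            "mode": oct(path.stat().st_mode & 0o7777),
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added, removed or modified paths."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario (not real data): snapshot a fake production tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod" / "app"
        prod.mkdir(parents=True)
        (prod / "config.ini").write_text("debug=false\n")
        (prod / "server.py").write_text("print('hello')\n")
        baseline = build_baseline(prod.parent)

        # Simulated unauthorized activity: edit a config, drop a new script, delete a file.
        (prod / "config.ini").write_text("debug=true\n")
        (prod / "backdoor.sh").write_text("#!/bin/sh\n")
        (prod / "server.py").unlink()

        return compare(baseline, build_baseline(prod.parent))


if __name__ == "__main__":
    # In a real deployment the baseline would be persisted (e.g. as JSON), refreshed only
    # through the change process, and a non-empty report would be the daily notification.
    print(json.dumps(demo(), indent=2))
```

Two points matter for the control as written: the baseline must be updated only as part of an approved change, otherwise the tool silently blesses whatever was deployed, and the compare step should be run by an account that cannot itself write to the production tree, so the monitor is not defeated by the same access it is meant to detect.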