Example ISO 27001 / 27002 Policies & Standards


CYBERSECURITY AND DATA PROTECTION PROGRAM (CDPP)
ISO 27001:2013 / 27002:2022

ACME Consulting Services, LLC

IT IS PROHIBITED TO DISCLOSE THIS DOCUMENT TO THIRD-PARTIES WITHOUT AN EXECUTED NON-DISCLOSURE AGREEMENT (NDA)

TABLE OF CONTENTS
CYBERSECURITY AND DATA PROTECTION PROGRAM (CDPP) OVERVIEW 9
INTRODUCTION 9
PURPOSE 9
SCOPE & APPLICABILITY 9
POLICY OVERVIEW 10
VIOLATIONS OF POLICIES, STANDARDS AND/OR PROCEDURES 10
EXCEPTION TO STANDARDS 10
UPDATES TO POLICIES & STANDARDS 10
KEY TERMINOLOGY 11
CYBERSECURITY & DATA PROTECTION PROGRAM STRUCTURE 13
MANAGEMENT DIRECTION FOR CYBERSECURITY & DATA PROTECTION 13
POLICIES, CONTROLS, STANDARDS, PROCEDURES & GUIDELINES STRUCTURE 13
SECURITY & PRIVACY GOVERNANCE (GOV) POLICY & STANDARDS 14
GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM 14
GOV-02: STEERING COMMITTEE 14
GOV-03: PUBLISHING SECURITY & PRIVACY POLICIES 15
GOV-04: PERIODIC REVIEW & UPDATE OF SECURITY & PRIVACY DOCUMENTATION 15
GOV-05: ASSIGNED SECURITY & PRIVACY RESPONSIBILITIES 15
GOV-06: MEASURES OF PERFORMANCE 15
GOV-07: CONTACTS WITH AUTHORITIES 16
GOV-08: CONTACTS WITH SECURITY GROUPS & ASSOCIATIONS 16
GOV-09: DEFINED BUSINESS CONTEXT & MISSION 16
ASSET MANAGEMENT (AST) POLICY & STANDARDS 17
AST-01: ASSET GOVERNANCE 17
AST-02: ASSET-SERVICE DEPENDENCIES 17
AST-03: STAKEHOLDER IDENTIFICATION & INVOLVEMENT 17
AST-04: ASSET INVENTORIES 18
AST-05: SOFTWARE LICENSING RESTRICTIONS 18
AST-06: DATA ACTION MAPPING 18
AST-07: ASSIGNING OWNERSHIP OF ASSETS 19
AST-08: ACCOUNTABILITY INFORMATION 19
AST-09: PROVENANCE 19
AST-10: NETWORK DIAGRAMS & DATA FLOW DIAGRAMS (DFDS) 20
AST-11: SECURITY OF ASSETS & MEDIA 20
AST-12: UNATTENDED END-USER EQUIPMENT 21
AST-13: KIOSKS & POINT OF SALE (POS) DEVICES 21
AST-14: TAMPER PROTECTION & DETECTION 21
AST-15: SECURE DISPOSAL, DESTRUCTION OR RE-USE OF EQUIPMENT 22
AST-16: RETURN OF ASSETS 22
AST-17: REMOVAL OF ASSETS 22
AST-18: USE OF PERSONAL DEVICES 23
AST-19: TAMPER PROTECTION 23
BUSINESS CONTINUITY & DISASTER RECOVERY (BCD) POLICY & STANDARDS 24
BCD-01: BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) 24
BCD-02: BUSINESS CONTINUITY & DISASTER RECOVERY - COORDINATE WITH RELATED PLANS 24
BCD-03: COORDINATE WITH EXTERNAL SERVICE PROVIDERS 25
BCD-04: CONTINGENCY PLAN TESTING & EXERCISES 25
BCD-05: ALTERNATE STORAGE SITE 25
BCD-06: ALTERNATE PROCESSING SITE 26
BCD-07: DATA BACKUPS 26
BCD-08: TESTING FOR RELIABILITY & INTEGRITY 28
BCD-09: SEPARATE STORAGE FOR CRITICAL INFORMATION 28
BCD-10: CRYPTOGRAPHIC PROTECTION 28
BCD-11: REDUNDANT SECONDARY SYSTEM 28
CAPACITY & PERFORMANCE PLANNING (CAP) POLICY & STANDARDS 30
CAP-01: CAPACITY & PERFORMANCE MANAGEMENT 30
CAP-02: CAPACITY PLANNING 30
CHANGE MANAGEMENT (CHG) POLICY & STANDARDS 31
CHG-01: CHANGE MANAGEMENT PROGRAM 31
CHG-02: CONFIGURATION CHANGE CONTROL 31
CHG-03: TEST, VALIDATE & DOCUMENT CHANGES 31
CLOUD SECURITY (CLD) POLICY & STANDARDS 33
CLD-01: CLOUD SERVICES 33
CLD-02: CLOUD SECURITY ARCHITECTURE 33
CLD-03: APPLICATION & PROGRAM INTERFACE (API) SECURITY 34
CLD-04: MULTI-TENANT ENVIRONMENTS 34
CLD-05: CLOUD RESPONSIBILITY MATRIX (CRM) 34
CLD-06: GEOLOCATION REQUIREMENTS FOR PROCESSING, STORAGE AND SERVICE LOCATIONS 34
COMPLIANCE (CPL) POLICY & STANDARDS 36
CPL-01: STATUTORY, REGULATORY & CONTRACTUAL COMPLIANCE 36
CPL-02: NON-COMPLIANCE OVERSIGHT 36
CPL-03: SECURITY & PRIVACY CONTROLS OVERSIGHT 36
CPL-04: INTERNAL AUDIT FUNCTION 37
CPL-05: SECURITY ASSESSMENTS 37
CPL-06: INDEPENDENT ASSESSORS 38
CPL-07: FUNCTIONAL REVIEW OF SECURITY CONTROLS 38
CPL-08: AUDIT ACTIVITIES 38
CONFIGURATION MANAGEMENT (CFG) POLICY & STANDARDS 40
CFG-01: CONFIGURATION MANAGEMENT PROGRAM 40
CFG-02: ASSIGNMENT OF RESPONSIBILITY 40
CFG-03: SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS 40
CFG-04: REVIEWS & UPDATES 41
CFG-05: DEVELOPMENT & TEST ENVIRONMENTS 42
CFG-06: CONFIGURE SYSTEMS, COMPONENTS OR DEVICES FOR HIGH-RISK AREAS 42
CFG-07: LEAST FUNCTIONALITY 42
CFG-08: PERIODIC REVIEW 43
CONTINUOUS MONITORING (MON) POLICY & STANDARDS 44
MON-01: CONTINUOUS MONITORING 44
MON-02: INTRUSION DETECTION & PREVENTION SYSTEMS (IDS & IPS) 45
MON-03: AUTOMATED TOOLS FOR REAL-TIME ANALYSIS 45
MON-04: INBOUND & OUTBOUND COMMUNICATIONS TRAFFIC 45
MON-05: SYSTEM GENERATED ALERTS 45
MON-06: REVIEWS & UPDATES 46
MON-07: CENTRALIZED EVENT LOG COLLECTION 46
MON-08: CORRELATE MONITORING INFORMATION 46
MON-09: CENTRAL REVIEW & ANALYSIS 47
MON-10: CONTENT OF AUDIT RECORDS 47
MON-11: PRIVILEGED FUNCTIONS LOGGING 47
MON-12: MONITORING REPORTING 48
MON-13: PROTECTION OF EVENT LOGS 48
MON-14: MONITORING FOR INDICATORS OF COMPROMISE (IOC) 48
CRYPTOGRAPHIC PROTECTIONS (CRY) POLICY & STANDARDS 50
CRY-01: USE OF CRYPTOGRAPHIC CONTROLS 50
CRY-02: EXPORT-CONTROLLED TECHNOLOGY 50
CRY-03: TRANSMISSION CONFIDENTIALITY 50
CRY-04: TRANSMISSION INTEGRITY 51
CRY-05: ENCRYPTING DATA AT REST 51
CRY-06: CRYPTOGRAPHIC KEY MANAGEMENT 52
CRY-07: CRYPTOGRAPHIC KEY LOSS OR CHANGE 53
CRY-08: CONTROL & DISTRIBUTION OF CRYPTOGRAPHIC KEYS 53
DATA CLASSIFICATION & HANDLING (DCH) POLICY & STANDARDS 54
DCH-01: DATA PROTECTION 54
DCH-02: DATA & ASSET CLASSIFICATION 54
DCH-03: MEDIA ACCESS 55
DCH-04: MASKING DISPLAYED DATA 55
DCH-05: MEDIA MARKING 55
DCH-06: MEDIA STORAGE 55
DCH-07: MEDIA TRANSPORTATION 56
DCH-08: CUSTODIANS 56
DCH-09: ENCRYPTING DATA IN STORAGE MEDIA 56
DCH-10: PHYSICAL MEDIA DISPOSAL 57
DCH-11: DIGITAL MEDIA SANITIZATION 57
DCH-12: MEDIA SANITIZATION DOCUMENTATION 57
DCH-13: SANITIZATION OF PERSONAL DATA (PD) 58
DCH-14: MEDIA USE 58
DCH-15: LIMITATIONS ON USE 58
DCH-16: REMOVABLE MEDIA SECURITY 58
DCH-17: INFORMATION SHARING 59
DCH-18: AD-HOC TRANSFERS 59
DCH-19: MEDIA & DATA RETENTION 59
DCH-20: INFORMATION DISPOSAL 60
DCH-21: DE-IDENTIFICATION (ANONYMIZATION) 61
DCH-22: REMOVAL, MASKING, ENCRYPTION, HASHING OR REPLACEMENT OF DIRECT IDENTIFIERS 61
ENDPOINT SECURITY (END) POLICY & STANDARDS 62
END-01: ENDPOINT SECURITY 62
END-02: ENDPOINT PROTECTION MEASURES 62
END-03: PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS 63
END-04: ACCESS RESTRICTION FOR CHANGE 63
END-05: MALICIOUS CODE PROTECTION (ANTI-MALWARE) 63
END-06: AUTOMATIC UPDATES 63
HUMAN RESOURCES SECURITY (HRS) POLICY & STANDARDS 65
HRS-01: HUMAN RESOURCES SECURITY MANAGEMENT 65
HRS-02: ROLES & RESPONSIBILITIES 65
HRS-03: COMPETENCY REQUIREMENTS FOR SECURITY-RELATED POSITIONS 65
HRS-04: PERSONNEL SCREENING 65
HRS-05: ROLES WITH SPECIAL PROTECTION MEASURES 66
HRS-06: FORMAL INDOCTRINATION 66
HRS-07: TERMS OF EMPLOYMENT 66
HRS-08: RULES OF BEHAVIOR 67
HRS-09: SOCIAL MEDIA & SOCIAL NETWORKING RESTRICTIONS 67
HRS-10: USE OF COMMUNICATIONS TECHNOLOGY 67
HRS-11: USE OF MOBILE DEVICES 68
HRS-12: ACCESS AGREEMENTS 68
HRS-13: CONFIDENTIALITY AGREEMENTS 68
HRS-14: PERSONNEL SANCTIONS 68
HRS-15: WORKPLACE INVESTIGATIONS 68
HRS-16: PERSONNEL TRANSFER 69
HRS-17: PERSONNEL TERMINATION 69
HRS-18: POST-EMPLOYMENT REQUIREMENTS 70
HRS-19: SEPARATION OF DUTIES 70
HRS-20: INCOMPATIBLE ROLES 70
IDENTIFICATION & AUTHENTICATION (IAC) POLICY & STANDARDS 72
IAC-01: IDENTITY & ACCESS MANAGEMENT (IAM) 72
IAC-02: IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS 72
IAC-03: IDENTIFICATION & AUTHENTICATION FOR NON-ORGANIZATIONAL USERS 72
IAC-04: IDENTIFICATION & AUTHENTICATION FOR DEVICES 73
IAC-05: IDENTIFICATION & AUTHENTICATION FOR THIRD PARTY SYSTEMS & SERVICES 73
IAC-06: USER PROVISIONING & DE-PROVISIONING 73
IAC-07: CHANGE OF ROLES & DUTIES 74
IAC-08: TERMINATION OF EMPLOYMENT 74
IAC-09: ROLE-BASED ACCESS CONTROL (RBAC) 74
IAC-10: IDENTIFIER MANAGEMENT (USER NAMES) 75
IAC-11: USER IDENTITY (ID) MANAGEMENT 75
IAC-12: CROSS-ORGANIZATION MANAGEMENT 75
IAC-13: AUTHENTICATOR MANAGEMENT 76
IAC-14: PASSWORD-BASED AUTHENTICATION 76
IAC-15: PROTECTION OF AUTHENTICATORS 78
IAC-16: VENDOR-SUPPLIED DEFAULTS 78
IAC-17: PASSWORD MANAGERS 78
IAC-18: ACCOUNT MANAGEMENT 79
IAC-19: AUTOMATED SYSTEM ACCOUNT MANAGEMENT 79
IAC-20: REMOVAL OF TEMPORARY/EMERGENCY ACCOUNTS 80
IAC-21: DISABLE INACTIVE ACCOUNTS 80
IAC-22: RESTRICTIONS ON SHARED GROUPS/ACCOUNTS 80
IAC-23: PRIVILEGED ACCOUNT MANAGEMENT (PAM) 80
IAC-24: PRIVILEGED ACCOUNT INVENTORIES 81
IAC-25: PERIODIC REVIEW OF USER PRIVILEGES 81
IAC-26: USER RESPONSIBILITIES FOR ACCOUNT MANAGEMENT 81
IAC-27: ACCESS ENFORCEMENT 82
IAC-28: ACCESS TO SENSITIVE DATA 82
IAC-29: DATABASE ACCESS 82
IAC-30: USE OF PRIVILEGED UTILITY PROGRAMS 83
IAC-31: LEAST PRIVILEGE 83
IAC-32: PRIVILEGED ACCOUNTS 83
IAC-33: ACCOUNT LOCKOUT 84
INCIDENT RESPONSE (IRO) POLICY & STANDARDS 85
IRO-01: INCIDENT RESPONSE OPERATIONS 85
IRO-02: INCIDENT HANDLING 85
IRO-03: INTEGRATED INCIDENT RESPONSE PROGRAM (IIRP) 86
IRO-04: DATA BREACH 86
IRO-05: INCIDENT RESPONSE TRAINING 87
IRO-06: INCIDENT RESPONSE TESTING - COORDINATION WITH RELATED PLANS 87
IRO-07: INTEGRATED SECURITY INCIDENT RESPONSE TEAM (ISIRT) 87
IRO-08: CHAIN OF CUSTODY & FORENSICS 88
IRO-09: SITUATIONAL AWARENESS FOR INCIDENTS 88
IRO-10: INCIDENT STAKEHOLDER REPORTING 88
IRO-11: VULNERABILITIES RELATED TO INCIDENTS 89
IRO-12: SUPPLY CHAIN COORDINATION 89
IRO-13: COORDINATION WITH EXTERNAL PROVIDERS 89
IRO-14: ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED 89
INFORMATION ASSURANCE (IAO) POLICY & STANDARDS 90
IAO-01: INFORMATION ASSURANCE (IA) OPERATIONS 90
IAO-02: SECURITY ASSESSMENTS 90
IAO-03: SPECIALIZED ASSESSMENTS 90
IAO-04: THREAT ANALYSIS & FLAW REMEDIATION DURING DEVELOPMENT 91
MAINTENANCE (MNT) POLICY & STANDARDS 92
MNT-01: MAINTENANCE OPERATIONS 92
MNT-02: CONTROLLED MAINTENANCE 92
MNT-03: TIMELY MAINTENANCE 93
MOBILE DEVICE MANAGEMENT (MDM) POLICY & STANDARDS 94
MDM-01: CENTRALIZED MANAGEMENT OF MOBILE DEVICES 94
MDM-02: ACCESS CONTROL FOR MOBILE DEVICES 94
MDM-03: REMOTE PURGING 95
NETWORK SECURITY (NET) POLICY & STANDARDS 96
NET-01: NETWORK SECURITY MANAGEMENT 96
NET-02: LAYERED DEFENSES 96
NET-03: BOUNDARY PROTECTION 96
NET-04: DATA FLOW ENFORCEMENT – ACCESS CONTROL LISTS (ACLS) 97
NET-05: DENY TRAFFIC BY DEFAULT & ALLOW TRAFFIC BY EXCEPTION 98
NET-06: NETWORK SEGMENTATION 98
NET-07: SECURITY MANAGEMENT SUBNETS 99
NET-08: DEMILITARIZED ZONE (DMZ) NETWORKS 99
NET-09: ELECTRONIC MESSAGING 99
NET-10: REMOTE ACCESS 99
NET-11: WORK FROM ANYWHERE (WFA) – TELECOMMUTING SECURITY 100
NET-12: WIRELESS NETWORKING 100
NET-13: DOMAIN NAME SYSTEM (DNS) & CONTENT FILTERING 101
PHYSICAL & ENVIRONMENTAL SECURITY (PES) POLICY & STANDARDS 102
PES-01: PHYSICAL & ENVIRONMENTAL PROTECTIONS 102
PES-02: PHYSICAL ACCESS AUTHORIZATIONS 102
PES-03: ROLE-BASED PHYSICAL ACCESS 102
PES-04: PHYSICAL ACCESS CONTROL 103
PES-05: CONTROLLED INGRESS & EGRESS POINTS 103
PES-06: PHYSICAL ACCESS LOGS 104
PES-07: PHYSICAL SECURITY OF OFFICES, ROOMS & FACILITIES 104
PES-08: WORKING IN SECURE AREAS 104
PES-09: MONITORING PHYSICAL ACCESS 105
PES-10: INTRUSION ALARMS/SURVEILLANCE EQUIPMENT 105
PES-11: MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS 105
PES-12: VISITOR CONTROL 105
PES-13: SUPPORTING UTILITIES 106
PES-14: AUTOMATIC VOLTAGE CONTROLS 106
PES-15: EMERGENCY SHUTOFF 106
PES-16: EMERGENCY POWER 107
PES-17: EMERGENCY LIGHTING 107
PES-18: DELIVERY & REMOVAL 107
PES-19: EQUIPMENT SITING & PROTECTION 108
PES-20: TRANSMISSION MEDIUM SECURITY 108
PES-21: INFORMATION LEAKAGE DUE TO ELECTROMAGNETIC SIGNALS EMANATIONS 108
PRIVACY (PRI) POLICY & STANDARDS 110
PRI-01: PRIVACY PROGRAM 110
PRI-02: DISSEMINATION OF PRIVACY PROGRAM INFORMATION 110
PRI-03: SECURITY OF PERSONAL DATA 110
PRI-04: PURPOSE SPECIFICATION 111
PRI-05: CHOICE & CONSENT 111
PRI-06: COLLECTION 111
PRI-07: PERSONAL DATA RETENTION & DISPOSAL 111
PRI-08: INTERNAL USE OF PERSONAL DATA FOR TESTING, TRAINING AND RESEARCH 112
PRI-09: DATA MASKING 112
PRI-10: USAGE RESTRICTIONS OF PERSONAL DATA (PD) 112
PRI-11: INFORMATION SHARING WITH THIRD PARTIES 112
PRI-12: PRIVACY REQUIREMENTS FOR CONTRACTORS & SERVICE PROVIDERS 113
PRI-13: TESTING, TRAINING & MONITORING 113
PROJECT & RESOURCE MANAGEMENT (PRM) POLICY & STANDARDS 114
PRM-01: SECURITY PORTFOLIO MANAGEMENT 114
PRM-02: SECURITY & PRIVACY RESOURCE MANAGEMENT 114
PRM-03: ALLOCATION OF RESOURCES 114
PRM-04: SECURITY & PRIVACY IN PROJECT MANAGEMENT 115
PRM-05: SECURITY & PRIVACY REQUIREMENTS DEFINITION 115
PRM-06: SECURE DEVELOPMENT LIFE CYCLE (SDLC) MANAGEMENT 115
RISK MANAGEMENT (RSK) POLICY & STANDARDS 116
RSK-01: RISK MANAGEMENT PROGRAM 116
RSK-02: RISK FRAMING 116
RSK-03: RISK IDENTIFICATION 117
RSK-04: RISK ASSESSMENT 117
RSK-05: RISK REGISTER 118
RSK-06: RISK RANKING 118
RSK-07: RISK REMEDIATION 118
RSK-08: RISK RESPONSE 118
RSK-09: RISK ASSESSMENT UPDATE 119
RSK-10: BUSINESS IMPACT ANALYSIS (BIAS) 119
RSK-11: SUPPLY CHAIN RISK MANAGEMENT (SCRM) PROGRAM 119
RSK-12: SUPPLY CHAIN RISK ASSESSMENT 120
RSK-13: DATA PROTECTION IMPACT ASSESSMENT (DPIA) 120
SECURE ENGINEERING & ARCHITECTURE (SEA) POLICY & STANDARDS 122
SEA-01: SECURE ENGINEERING PRINCIPLES 122
SEA-02: ALIGNMENT WITH ENTERPRISE ARCHITECTURE 123
SEA-03: STANDARDIZED TERMINOLOGY 123
SEA-04: SECURE LOG-ON PROCEDURES 123
SEA-05: CLOCK SYNCHRONIZATION 124
SECURITY OPERATIONS (OPS) POLICY & STANDARDS 125
OPS-01: OPERATIONS SECURITY 125
OPS-02: STANDARDIZED OPERATING PROCEDURES (SOP) 125
OPS-03: SECURITY CONCEPT OF OPERATIONS (CONOPS) 126
OPS-04: SERVICE DELIVERY (BUSINESS PROCESS SUPPORT) 126
SECURITY AWARENESS & TRAINING (SAT) POLICY & STANDARDS 127
SAT-01: SECURITY & PRIVACY-MINDED WORKFORCE 127
SAT-02: SECURITY & PRIVACY AWARENESS 128
SAT-03: SECURITY & PRIVACY TRAINING 128
TECHNOLOGY DEVELOPMENT & ACQUISITION (TDA) POLICY & STANDARDS 129
TDA-01: TECHNOLOGY DEVELOPMENT & ACQUISITION 129
TDA-02: SECURITY REQUIREMENTS 129
TDA-03: DEVELOPMENT METHODS, TECHNIQUES & PROCESSES 129
TDA-04: DEVELOPER ARCHITECTURE & DESIGN 130
TDA-05: SECURE CODING 130
TDA-06: CRITICALITY ANALYSIS 131
TDA-07: SECURE DEVELOPMENT ENVIRONMENTS 131
TDA-08: SEPARATION OF DEVELOPMENT, TESTING & OPERATIONAL ENVIRONMENTS 131
TDA-09: SECURITY & PRIVACY TESTING THROUGHOUT DEVELOPMENT 132
TDA-10: USE OF LIVE DATA 132
TDA-11: DEVELOPER CONFIGURATION MANAGEMENT 133
TDA-12: DEVELOPER THREAT ANALYSIS & FLAW REMEDIATION 133
TDA-13: ACCESS TO PROGRAM SOURCE CODE 133
THIRD-PARTY MANAGEMENT (TPM) POLICY & STANDARDS 134
TPM-01: THIRD-PARTY MANAGEMENT 134
TPM-02: THIRD-PARTY INVENTORIES 134
TPM-03: THIRD-PARTY CRITICALITY ASSESSMENTS 135
TPM-04: SUPPLY CHAIN PROTECTION 135
TPM-05: ACQUISITION STRATEGIES, TOOLS & METHODS 135
TPM-06: LIMIT POTENTIAL HARM 135
TPM-07: PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES 136
TPM-08: THIRD-PARTY SERVICES 136
TPM-09: THIRD-PARTY RISK ASSESSMENTS & APPROVALS 136
TPM-10: CONFLICT OF INTERESTS 137
TPM-11: THIRD-PARTY PROCESSING, STORAGE AND SERVICE LOCATIONS 137
TPM-12: THIRD-PARTY CONTRACT REQUIREMENTS 137
TPM-13: SECURITY COMPROMISE NOTIFICATION AGREEMENTS 138
TPM-14: THIRD-PARTY PERSONNEL SECURITY 138
TPM-15: REVIEW OF THIRD-PARTY SERVICES 139
TPM-16: THIRD-PARTY DEFICIENCY REMEDIATION 139
TPM-17: MANAGING CHANGES TO THIRD-PARTY SERVICES 139
TPM-18: THIRD-PARTY INCIDENT RESPONSE & RECOVERY CAPABILITIES 139
THREAT MANAGEMENT (THR) POLICY & STANDARDS 141
THR-01: THREAT AWARENESS PROGRAM 141
THR-02: INDICATORS OF EXPOSURE (IOE) 141
THR-03: THREAT INTELLIGENCE FEEDS 141
VULNERABILITY & PATCH MANAGEMENT (VPM) POLICY & STANDARDS 143
VPM-01: VULNERABILITY & PATCH MANAGEMENT PROGRAM 143
VPM-02: ESTABLISH VULNERABILITY MANAGEMENT SCOPE 143
VPM-03: VULNERABILITY REMEDIATION PROCESS 143
VPM-04: VULNERABILITY RANKING 143
VPM-05: CONTINUOUS VULNERABILITY REMEDIATION ACTIVITIES 144
VPM-06: FLAW REMEDIATION WITH PERSONAL DATA 144
VPM-07: SOFTWARE & FIRMWARE PATCHING 145
VPM-08: VULNERABILITY SCANNING 145
GLOSSARY: ACRONYMS & DEFINITIONS 146
ACRONYMS 146
DEFINITIONS 146
KEY WORD INDEX 147
RECORD OF CHANGES 148

CYBERSECURITY AND DATA PROTECTION PROGRAM (CDPP) OVERVIEW

INTRODUCTION
The Cybersecurity and Data Protection Program (CDPP) provides definitive information on the prescribed measures used to
establish and enforce the security program at ACME Consulting Services, LLC (ACME).

ACME is committed to protecting its employees, partners, clients and ACME from damaging acts that are intentional or
unintentional. Effective security is a team effort involving the participation and support of every entity that interacts with ACME
data and systems, applications and services. Therefore, it is the responsibility of both ACME personnel and third-parties to be aware
of and adhere to ACME’s cybersecurity and data protection requirements.

Protecting ACME data and the systems that collect, process and maintain this data is of critical importance. Commensurate with
risk, security and privacy measures must be implemented to guard against unauthorized access to, alteration, disclosure or
destruction of data and systems, applications and services. This also includes protection against accidental loss or destruction. The
security of systems, applications and services must include controls and safeguards to offset possible threats, as well as controls to
ensure confidentiality, integrity, availability and safety:

• CONFIDENTIALITY – This addresses preserving authorized restrictions on access and disclosure to authorized users and services, including means for protecting personal privacy and proprietary information.
• INTEGRITY – This addresses protecting against improper modification or destruction, including ensuring non-repudiation and authenticity.
• AVAILABILITY – This addresses timely, reliable access to data, systems and services for authorized users, services and processes.
• SAFETY – This addresses reducing risk associated with technologies that could fail or be manipulated by nefarious actors to cause death, injury, illness, damage to or loss of equipment.

PURPOSE
The purpose of the Cybersecurity and Data Protection Program (CDPP) is to prescribe a comprehensive framework for:
• Creating an Information Security Management System (ISMS) in accordance with ISO 27001.
• Protecting the confidentiality, integrity and availability of ACME data and information systems.
• Protecting ACME, its employees and its clients from illicit use of ACME information systems and data.
• Ensuring the effectiveness of security controls over data and information systems that support ACME’s operations.
• Recognizing the highly networked nature of the current computing environment and providing effective company-wide management and oversight of the related information security risks.
• Providing for the development, review and maintenance of the minimum security controls required to protect ACME’s data and information systems.

The formation of these cybersecurity policies is driven by many factors, the key factor being risk. These policies set the ground
rules under which ACME operates and safeguards its data and systems to both reduce risk and minimize the effect of potential
incidents.

These policies, including their related control objectives, standards, procedures and guidelines, are necessary to support the
management of information risks in daily operations. The development of policies provides due care to ensure ACME users
understand their day-to-day security responsibilities and the threats that could impact the company.

SCOPE & APPLICABILITY

These policies, standards and guidelines apply to all ACME data, systems, activities and assets owned, leased, controlled or used by
ACME, its agents, contractors or other business partners on behalf of ACME. These policies, standards and guidelines apply to all
ACME employees, contractors, sub-contractors and their respective facilities supporting ACME business operations, wherever ACME
data is stored or processed, including any third-party contracted by ACME to handle, process, transmit, store or dispose of ACME
data.

Some standards apply specifically to persons with a specific job function (e.g., a System Administrator); otherwise, all personnel
supporting ACME business functions shall comply with the standards. ACME departments shall use these standards or may create a
more restrictive standard, but none that are less restrictive, less comprehensive or less compliant than these standards.

These policies do not supersede any other applicable law or higher-level company directive or existing labor management
agreement in effect as of the effective date of this policy.

ACME's documented roles and responsibilities provide a detailed description of ACME user roles and responsibilities with regard to
cybersecurity-related use obligations.

ACME reserves the right to revoke, change or supplement these policies, standards and guidelines at any time without prior notice.
Such changes shall be effective immediately upon approval by management unless otherwise stated.

POLICY OVERVIEW
To ensure an acceptable level of cybersecurity risk, ACME is required to design, implement and maintain a coherent set of policies,
standards, procedures and guidelines to manage risks to its data and systems.

The CDPP addresses the policies, standards and guidelines. Data / process owners, in conjunction with asset custodians, are
responsible for creating, implementing and updating operational procedures to comply with CDPP requirements.

ACME users must protect and ensure the Confidentiality, Integrity, Availability and Safety (CIAS) of data and systems, regardless of
how the data is created, distributed or stored.
• Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and system; and
• Security controls must be designed and maintained to ensure compliance with all legal requirements.

VIOLATIONS OF POLICIES, STANDARDS AND/OR PROCEDURES

Any ACME user found to have violated any policy, standard or procedure may be subject to disciplinary action, up to and including
termination of employment. Violators of local, state, Federal and / or international law may be reported to the appropriate law
enforcement agency for civil and / or criminal prosecution.

EXCEPTION TO STANDARDS
While every exception to a standard potentially weakens protection mechanisms for ACME systems and underlying data,
occasionally exceptions will exist. When requesting an exception, users must submit a business justification for deviation from the
standard in question.

UPDATES TO POLICIES & STANDARDS

Updates to the Cybersecurity and Data Protection Program (CDPP) will be announced to employees via management updates or
email announcements. Changes will be noted in the Record of Changes to highlight the pertinent changes from the previous policies,
procedures, standards and guidelines.

CYBERSECURITY & DATA PROTECTION PROGRAM STRUCTURE

MANAGEMENT DIRECTION FOR CYBERSECURITY & DATA PROTECTION

The objective is to provide management direction and support for cybersecurity and data protection in accordance with business
requirements and relevant laws and regulations.[5]

An Information Security Management System (ISMS) focuses on cybersecurity management and technology-related risks. The
governing principle behind ACME’s ISMS is that, as with all management processes, the ISMS must remain effective and efficient in
the long-term, adapting to changes in the internal organization and external environment.

In accordance with leading practices, ACME’s ISMS incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming Cycle, approach:
• Plan: This phase involves designing the ISMS, assessing IT-related risks and selecting appropriate controls.
• Do: This phase involves implementing and operating the appropriate security controls.
• Check: This phase involves reviewing and evaluating the performance (efficiency and effectiveness) of the ISMS.
• Act: This phase involves making changes, where necessary, to bring the ISMS back to optimal performance.

POLICIES, CONTROLS, STANDARDS, PROCEDURES & GUIDELINES STRUCTURE

ACME’s cybersecurity and data protection documentation is comprised of five (5) core components:
(1) Policies are established by the organization’s corporate leadership and establish “management’s intent” for the cybersecurity
and data protection requirements that are necessary to support the organization’s overall strategy and mission;
(2) Control Objectives identify the technical, administrative and physical protections that are generally tied to a law, regulation,
industry framework or contractual obligation;
(3) Standards provide organization-specific, quantifiable requirements for cybersecurity and data protection;
(4) Procedures (also known as Control Activities) establish the defined practices or steps that are performed to implement
standards and satisfy controls / control objectives; and
(5) Guidelines are additional guidance that is recommended, but not mandatory.

Figure 1: Cybersecurity & Data Protection Documentation Structure

[5] ISO 27002:2013 5.1

SECURITY & PRIVACY GOVERNANCE (GOV) POLICY & STANDARDS

Management Intent: The purpose of the Security & Privacy Governance (GOV) policy is to govern a documented, risk-based program
that supports business objectives while encompassing appropriate security and privacy principles that address all applicable
statutory, regulatory and contractual obligations.

Policy: ACME shall implement and maintain a maturity-based capability to strengthen the security and resilience of its technology
infrastructure and data protection mechanisms against both physical and cyber threats. Security control decisions shall take
applicable statutory, regulatory and contractual obligations into account, but ACME acknowledges that being compliant does not
equate to being secure, so all stakeholders shall protect the confidentiality, integrity, availability and safety of ACME’s technology
resources and data, regardless of the geographic location of the data or technology in use. Cybersecurity and data protection
controls shall be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of
the data and technology in use.

Supporting Documentation: This policy is supported by the following control objectives, standards and guidelines.

GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM

Control Objective: The organization facilitates the implementation of cybersecurity and privacy governance controls.[6]

Standard: ACME’s security program must be represented in a single document, the Cybersecurity & Data Protection Program (CDPP),
that:
(a) Is reviewed and updated at least annually; and
(b) Is disseminated to the appropriate parties to ensure all ACME personnel understand their applicable requirements.

Guidelines: The security plans for individual systems and the organization-wide CDPP together provide complete coverage for all
cybersecurity and privacy-related controls employed within the organization.

GOV-02: STEERING COMMITTEE

Control Objective: The organization coordinates cybersecurity, privacy and business alignment through a steering committee or
advisory board, comprising key cybersecurity, privacy and business executives, which meets formally and on a regular basis.[7]

Standard: ACME must establish a cybersecurity and privacy steering committee, or advisory board, comprised of key stakeholders
from ACME Lines of Business (LOB) and technology-related executives that:
(a) Meets formally and on a regular basis; and
(b) Receives briefings from the following:
1. Chief Information Security Officer (CISO) on matters of cybersecurity;
2. Chief Privacy Officer (CPO) on matters of privacy; and
3. Chief Risk Officer (CRO) on matters of enterprise risk.

Guidelines: To achieve proper situational awareness across the organization, key cybersecurity and privacy leaders must facilitate
communication with business stakeholders. This includes translating cybersecurity, privacy and risk concepts and language into
business concepts and language, as well as ensuring that business teams consult with cybersecurity and privacy teams to determine
appropriate control measures when planning new business projects.

The steering committee, or advisory board, can best advise the CISO, CPO and CRO on important matters pertaining to the
organization to ensure technology, security and privacy practices support the overall strategy and mission of the organization.

[6] ISO 27001-2013: 4.3, 4.4, 5.1, 6.1.1 | ISO 27002-2022: 5.1, 5.4, 5.37 | NIST SP 800-53 R5: PM-1
[7] ISO 27001-2013: 4.3, 6.2, 7.4, 9.3, 10.2

GOV-03: PUBLISHING SECURITY & PRIVACY POLICIES
Control Objective: The organization establishes, maintains and disseminates cybersecurity and privacy policies, standards and
procedures.[8]

Standard: ACME’s security and privacy policies and standards must be represented in a consolidated document, the Cybersecurity
& Data Protection Program (CDPP) that is:
(a) Endorsed by executive management; and
(b) Disseminated to the appropriate parties to ensure all ACME personnel understand their applicable requirements.

Guidelines: An organization’s cybersecurity policies create the roadmap for implementing cybersecurity and privacy measures to
protect its most valuable assets. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.

GOV-04: PERIODIC REVIEW & UPDATE OF SECURITY & PRIVACY DOCUMENTATION

Control Objective: The organization reviews the cybersecurity and privacy program, including policies, standards and procedures, at
planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.[9]

Standard: ACME’s business leadership (or other accountable business role or function) must review the Cybersecurity & Data
Protection Program (CDPP) at planned intervals or as a result of changes to the organization (e.g., mergers, acquisitions,
partnerships, new products, etc.) to ensure its continuing alignment with the security strategy, risk posture, effectiveness, accuracy,
relevance and applicability to statutory, regulatory and/or contractual compliance obligations.

Guidelines: Updates to the CDPP will be announced to employees via management updates or email announcements. Changes will
be noted in the Record of Changes to highlight the pertinent changes from the previous policies, procedures, standards and
guidelines.

GOV-05: ASSIGNED SECURITY & PRIVACY RESPONSIBILITIES

Control Objective: The organization assigns a qualified individual with the mission and resources to centrally manage, coordinate,
develop, implement and maintain an enterprise-wide cybersecurity and privacy program.[10]

Standard: Executive and line management must take formal action to support cybersecurity through clearly-documented direction
and commitment and must ensure the action has been assigned. The overall authority and responsibility for managing the security
program are delegated to ACME’s Chief Information Security Officer (CISO) and he/she must perform or delegate the following
security management responsibilities:
(a) Establish, document and distribute security policies and procedures;
(b) Monitor and analyze security alerts and information;
(c) Distribute and escalate security alerts to appropriate personnel;
(d) Establish, document and distribute security incident response and escalation procedures to ensure timely and effective
handling of all situations;
(e) Administer user accounts, including additions, deletions and modifications; and
(f) Monitor and control all access to data.

Guidelines: Central management refers to the organization-wide management and implementation of selected cybersecurity
controls and related processes. Central management includes planning, implementing, assessing, authorizing and monitoring the
organization-defined, centrally managed security controls and processes. Centrally-managed security controls and processes may
also meet independence requirements for assessments in support of initial and ongoing authorizations to operate as part of
organizational continuous monitoring.

GOV-06: MEASURES OF PERFORMANCE


Control Objective: The organization develops, reports and monitors cybersecurity and privacy program measures of performance. 11

8 ISO 27001-2013: 4.3, 5.2, 7.5.1, 7.5.2, 7.5.3 | ISO 27002-2022: 5.1, 5.37 | NIST SP 800-53 R5: PM-1 | NIST CSF: ID.GV-1
9 ISO 27001-2013: 6.1.1, 7.4 | ISO 27002-2022: 5.1, 5.37 | NIST SP 800-53 R5: PM-1
10 ISO 27001-2013: 5.3 | ISO 27002-2022: 5.2 | NIST SP 800-53 R5: PL-9, PM-2, PM-6, PM-29 | NIST CSF: ID.AM-6
11 ISO 27001-2013: 9.1 | NIST SP 800-53 R5: PM-6 | NIST CSF: PR.IP-8

Page 15 of 148
INCIDENT RESPONSE (IRO) POLICY & STANDARDS

Management Intent: The purpose of the Incident Response (IRO) policy is to establish and maintain a capability to guide ACME’s
response when security-related incidents occur.

Policy: ACME shall implement and maintain a robust cybersecurity and privacy incident handling capability to strengthen the
resilience of its technology resources that can detect, analyze, contain and recover from incidents that result from physical and
cyber threats. ACME's executive leadership shall maintain situational awareness of incidents to properly support business operations
and take appropriate action to protect ACME's reputation.

Supporting Documentation: This policy is supported by the following control objectives, standards and guidelines.

IRO-01: INCIDENT RESPONSE OPERATIONS


Control Objective: The organization implements and governs processes and documentation to facilitate an organization-wide
response capability for security and privacy-related incidents. 183

Standard: ACME’s Chief Information Security Officer (CISO), or the CISO’s designated representative(s) for incident response, must
develop and implement enterprise-wide incident response controls that, at a minimum, include:
(a) A formal, documented Integrated Incident Response Program (IIRP); and
(b) Processes to facilitate the implementation of the incident response processes and associated controls.

Guidelines: The objective is to ensure a consistent and effective approach to the management of cybersecurity incidents, including
communication on security events and weaknesses.

National Institute of Standards and Technology (NIST) guidance on industry-recognized secure practices for incident response can be
referenced at:
• Computer Security Incident Handling Guide 184
• Guide to Integrating Forensic Techniques into Incident Response 185

IRO-02: INCIDENT HANDLING


Control Objective: The organization's incident handling processes cover preparation, detection, intake of incident reports,
analysis, containment, eradication and recovery. 186

Standard: ACME’s Chief Information Security Officer (CISO), or the CISO’s designated representative(s) for incident response, must
develop and implement processes to:
(a) Investigate notifications from detection systems;
(b) Identify and assess the severity and classification of incidents;
(c) Define appropriate actions to take in response to the incident; and
(d) Respond with appropriate actions to minimize impact and ensure the continuation of business functions.

Guidelines: Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and
the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of
the definition, design and development of mission/business processes and systems. Incident-related information can be obtained
from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring,
user/administrator reports and reported supply chain events. Effective incident handling capability includes coordination among
many organizational entities including, for example, mission/business owners, system owners, authorizing officials, human
resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices and the risk
executive (function).

183 ISO 27002-2022: 5.24 | NIST SP 800-53 R5: IR-1 | NIST CSF: PR.IP-9 | NIST SP 800-171 R2: NFO - IR-1
184 Computer Security Incident Handling Guide - http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
185 Guide to Integrating Forensic Techniques into Incident Response - http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
186 ISO 27002-2022: 5.24, 5.25, 5.26, 6.8 | NIST SP 800-53 R5: IR-4 | NIST CSF: DE.AE-2, DE.AE-4, DE.AE-5, RS.AN-1, RS.AN-4, RS.MI-1, RS.MI-2, RS.RP-1, RC.CO-1, RC.CO-2, RC.CO-3 | NIST SP 800-171 R2: 3.6.1, 3.6.2

Page 85 of 148
GLOSSARY: ACRONYMS & DEFINITIONS

ACRONYMS
AD. Active Directory
BCP. Business Continuity Plan
CDE. Cardholder Data Environment
CERT. Computer Emergency Response Team
CMDB. Configuration Management Database
CTI. Controlled Technical Information 335
CUI. Controlled Unclassified Information 336
DAC. Discretionary Access Control
DLP. Data Loss Prevention
DRP. Disaster Recovery Plan
EPHI. Electronic Protected Health Information
FICAM. Federal Identity, Credential and Access Management
FIM. File Integrity Monitor
GDPR. General Data Protection Regulation
HIPAA. Health Insurance Portability and Accountability Act
IRP. Incident Response Plan
ISIRT. Integrated Security Incident Response Team
ISMS. Information Security Management System
LAN. Local Area Network
LDAP. Lightweight Directory Access Protocol
MAC. Media Access Control
NIST. National Institute of Standards and Technology
PDCA. Plan Do Check Act
PIV. Personal Identity Verification
RBAC. Role-Based Access Control
SCRM. Supply Chain Risk Management
SDLC. System Development Life Cycle
TLS. Transport Layer Security
VLAN. Virtual Local Area Network
VPN. Virtual Private Network
WIDS/WIPS. Wireless Intrusion Detection / Protection System

DEFINITIONS
ACME recognizes two sources for authoritative definitions:
• The National Institute of Standards and Technology (NIST) IR 7298, Glossary of Key Cybersecurity Terms, is the approved
reference document used to define common digital security terms; 337 and
• Unified Compliance Framework (UCF) Compliance Dictionary. 338

Security Requirements and Controls


The term control can be applied to a variety of contexts and can serve multiple purposes. When used in the security context, a
security control can be a mechanism (e.g., a safeguard or countermeasure) designed to address protection needs that are specified
by a set of security requirements.
• Controls are defined as the power to make decisions about how something is managed or how something is done; the
ability to direct the actions of someone or something; an action, method or law that limits; or a device or mechanism used
to regulate or guide the operation of a machine, apparatus or system.
• Requirements are defined as statements that translate or express a need and its associated constraints and conditions. 339

335 CUI Registry - https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html
336 CUI Registry - https://www.archives.gov/cui/registry/category-list
337 NIST IR 7298 - https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.7298r3.pdf
338 UCF Compliance Dictionary - https://compliancedictionary.com
339 ISO/IEC/IEEE 29148

Page 146 of 148
KEY WORD INDEX

Acceptable Use
Rules of Behavior, 68
Compliance, 37
Identifiers
Service Accounts, 76
User Names, 76
Information Security Management System, 14
Plan-Check-Do-Act, 14
Least Functionality, 43
Least Privileges, 43
Media Sanitization, 58, 59
Destruction, 58, 59
Mobile Devices, 95
Password
Complexity, 77
Length, 77
Maximum Life, 77
Remote Access, 100, 101
Risk Management, 117
Roles & Responsibilities
Information Security Officer (ISO), 16
Virtual Private Network (VPN). See Remote Access
Vulnerability Management
Remediation Process, 144
Wireless, 101

Page 147 of 148
‐ SUPPLEMENTAL DOCUMENTATION ‐

CYBERSECURITY & DATA PROTECTION PROGRAM (CDPP)

ANNEXES, TEMPLATES & REFERENCES

Version 2021.1


TABLE OF CONTENTS 
 
ANNEXES  3 
ANNEX 1: DATA CLASSIFICATION & HANDLING GUIDELINES  3 
ANNEX 2: DATA CLASSIFICATION EXAMPLES  8 
ANNEX 3: DATA RETENTION PERIODS  10 
ANNEX 4: BASELINE SECURITY CATEGORIZATION GUIDELINES  12 
ANNEX 5: RULES OF BEHAVIOR (ACCEPTABLE & UNACCEPTABLE USE)  14 
ANNEX 6: GUIDELINES FOR PERSONAL USE OF ORGANIZATIONAL IT RESOURCES  16 
ANNEX 7: RISK MANAGEMENT FRAMEWORK (RMF)  17 
ANNEX 8: SYSTEM HARDENING  20 
TEMPLATES  22 
TEMPLATE 1: MANAGEMENT DIRECTIVE (POLICY AUTHORIZATION)  22 
TEMPLATE 2: USER ACKNOWLEDGEMENT FORM  23 
TEMPLATE 3: USER EQUIPMENT RECEIPT OF ISSUE  24 
TEMPLATE 4: SERVICE PROVIDER NON‐DISCLOSURE AGREEMENT (NDA)  25 
TEMPLATE 5: INCIDENT RESPONSE PLAN (IRP)  26 
TEMPLATE 6: INCIDENT RESPONSE FORM  37 
TEMPLATE 7: APPOINTMENT ORDERS (INFORMATION SECURITY OFFICER)  38 
TEMPLATE 8: PRIVILEGED USER ACCOUNT REQUEST FORM  39 
TEMPLATE 9: CHANGE MANAGEMENT REQUEST FORM  40 
TEMPLATE 10: CHANGE CONTROL BOARD (CCB) MEETING MINUTES  42 
TEMPLATE 11: PLAN OF ACTION & MILESTONES (POA&M) / RISK REGISTER  43 
TEMPLATE 12: PORTS, PROTOCOLS & SERVICES (PPS)  44 
TEMPLATE 13: BUSINESS IMPACT ANALYSIS (BIA)  45 
TEMPLATE 14: DISASTER RECOVERY PLAN (DRP) & BUSINESS CONTINUITY PLAN (BCP)  47 
TEMPLATE 15: PRIVACY IMPACT ASSESSMENT (PIA)  51 
REFERENCES  53 
REFERENCE 1: CDPP EXCEPTION REQUEST PROCESS  53 
REFERENCE 2: ELECTRONIC DISCOVERY (EDISCOVERY) GUIDELINES  54 
REFERENCE 3: TYPES OF SECURITY CONTROLS  55 
REFERENCE 4: INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)  56 

Cybersecurity & Data Protection Program (CDPP) – Supplemental Documentation – Page 2 of 56


ANNEXES  
 
ANNEX 1: DATA CLASSIFICATION & HANDLING GUIDELINES 
 
 
DATA CLASSIFICATION
Information assets are assigned a sensitivity level based on the appropriate audience for the information. If the information has
been previously classified by regulatory, legal, contractual, or company directive, then that classification will take precedence.
The sensitivity level then guides the selection of protective measures to secure the information. All data are to be assigned one
of the following four sensitivity levels:

CLASSIFICATION: RESTRICTED
Definition: Restricted information is highly valuable, highly sensitive business information and the level of protection is
dictated externally by legal and/or contractual requirements. Restricted information must be limited to only authorized
employees, contractors, and business partners with a specific business need.
Potential Impact of Loss:
∙ SIGNIFICANT DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal
or external to [Company Name].
∙ Impact could include negatively affecting [Company Name]’s competitive position, violating regulatory requirements, damaging
the company’s reputation, violating contractual requirements, and posing an identity theft risk.

CLASSIFICATION: CONFIDENTIAL
Definition: Confidential information is highly valuable, sensitive business information and the level of protection is dictated
internally by [Company Name].
Potential Impact of Loss:
∙ MODERATE DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal
or external to [Company Name].
∙ Impact could include negatively affecting [Company Name]’s competitive position, damaging the company’s reputation, violating
contractual requirements, and exposing the geographic location of individuals.

CLASSIFICATION: INTERNAL USE
Definition: Internal Use information is information originated or owned by [Company Name], or entrusted to it by others.
Internal Use information may be shared with authorized employees, contractors, and business partners who have a business need,
but may not be released to the general public, due to the negative impact it might have on the company’s business interests.
Potential Impact of Loss:
∙ MINIMAL or NO DAMAGE would occur if Internal Use information were to become available to unauthorized parties either
internal or external to [Company Name].
∙ Impact could include damaging the company’s reputation and violating contractual requirements.

CLASSIFICATION: PUBLIC
Definition: Public information is information that has been approved for release to the general public and is freely shareable
both internally and externally.
Potential Impact of Loss:
∙ NO DAMAGE would occur if Public information were to become available to parties either internal or external to
[Company Name].
∙ Impact would not be damaging or a risk to business operations.


Page 3 of 56


ANNEX 2: DATA CLASSIFICATION EXAMPLES  
 
The table below shows examples of common data instances that have already been classified, to simplify the classification process.
This list is not inclusive of all types of data, but it establishes a baseline for what constitutes each data sensitivity level and
will be adjusted to accommodate new types of data or changes to data sensitivity levels, when necessary.

IMPORTANT: You are instructed to classify data at a more sensitive level than this guide indicates, if you feel that is warranted by the content.
 
DATA CLASS                          SENSITIVE DATA ELEMENT                                                                     CLASSIFICATION
Client or Employee Personal Data    Social Security Number (SSN)                                                               Restricted
Client or Employee Personal Data    Employer Identification Number (EIN)                                                       Restricted
Client or Employee Personal Data    Driver’s License (DL) Number                                                               (not recoverable from source)
Client or Employee Personal Data    Financial Account Number                                                                   Restricted
Client or Employee Personal Data    Payment Card Number (credit or debit)                                                      Restricted
Client or Employee Personal Data    Government‐Issued Identification (e.g., passport, permanent resident card, etc.)            Restricted
Client or Employee Personal Data    Controlled Unclassified Information (CUI)                                                  Restricted
Client or Employee Personal Data    Birth Date                                                                                 Confidential
Client or Employee Personal Data    First & Last Name                                                                          Internal Use
Client or Employee Personal Data    Age                                                                                        Internal Use
Client or Employee Personal Data    Phone and/or Fax Number                                                                    Internal Use
Client or Employee Personal Data    Home Address                                                                               Internal Use
Client or Employee Personal Data    Gender                                                                                     Internal Use
Client or Employee Personal Data    Ethnicity                                                                                  Internal Use
Client or Employee Personal Data    Email Address                                                                              Internal Use
Employee‐Related Data               Compensation & Benefits Data                                                               Restricted
Employee‐Related Data               Medical Data                                                                               Restricted
Employee‐Related Data               Workers Compensation Claim Data                                                            Restricted
Employee‐Related Data               Education Data                                                                             Confidential
Employee‐Related Data               Dependent or Beneficiary Data                                                              Confidential
Sales & Marketing Data              Business Plan (including marketing strategy)                                               Confidential
Sales & Marketing Data              Financial Data Related to Revenue Generation                                               (not recoverable from source)
Sales & Marketing Data              Marketing Promotions Development                                                           Internal Use
Sales & Marketing Data              Internet‐Facing Websites (e.g., company website, social networks, blogs, promotions, etc.)  Public
Sales & Marketing Data              News Releases                                                                              Public
Networking & Infrastructure Data    Username & Password Pairs                                                                  Restricted
Networking & Infrastructure Data    Public Key Infrastructure (PKI) Cryptographic Keys (public & private)                      Restricted
Networking & Infrastructure Data    Hardware or Software Tokens (multifactor authentication)                                   Restricted
Networking & Infrastructure Data    System Configuration Settings                                                              Confidential
Networking & Infrastructure Data    Regulatory Compliance Data                                                                 Confidential
Networking & Infrastructure Data    Internal IP Addresses                                                                      Confidential
Networking & Infrastructure Data    Privileged Account Usernames                                                               Confidential
Networking & Infrastructure Data    Service Provider Account Numbers                                                           Confidential
Strategic Financial Data            Corporate Tax Return Information                                                           (not recoverable from source)
Strategic Financial Data            Legal Billings                                                                             (not recoverable from source)
Strategic Financial Data            Budget‐Related Data                                                                        Confidential
Strategic Financial Data            Unannounced Merger and Acquisition Information                                             Confidential
Strategic Financial Data            Trade Secrets (e.g., design diagrams, competitive information, etc.)                       Confidential
Operating Financial Data            Electronic Payment Information (Wire Payment / ACH)                                        Confidential
Operating Financial Data            Paychecks                                                                                  Confidential
Operating Financial Data            Incentives or Bonuses (amounts or percentages)                                             Confidential
Operating Financial Data            Stock Dividend Information                                                                 Confidential
Operating Financial Data            Bank Account Information                                                                   Confidential

Page 8 of 56


ANNEX 3: DATA RETENTION PERIODS  
 
The following schedule highlights suggested retention periods* for some of the major categories of data:
* Retention periods are measured in years after the event occurrence (e.g., termination, expiration, contract, filing, etc.)

CATEGORY            TYPE OF RECORD                                                            RETENTION PERIOD
Business Records    Amendments                                                                Permanent
Business Records    Annual Reports                                                            Permanent
Business Records    Articles of Incorporation                                                 Permanent
Business Records    Board of Directors (elections, minutes, committees, etc.)                 Permanent
Business Records    Bylaws                                                                    Permanent
Business Records    Capital stock & bond records                                              Permanent
Business Records    Charter                                                                   Permanent
Business Records    Contracts & agreements                                                    Permanent
Business Records    Copyrights                                                                Permanent
Business Records    Correspondence (General)                                                  5
Business Records    Correspondence (Legal)                                                    Permanent
Business Records    Partnership agreement                                                     Permanent
Business Records    Patents                                                                   Permanent
Business Records    Service marks                                                             Permanent
Business Records    Stock transfers                                                           Permanent
Business Records    Trademarks                                                                Permanent
Financial Records   Audit report (external)                                                   Permanent
Financial Records   Audit report (internal)                                                   3
Financial Records   Balance sheets                                                            Permanent
Financial Records   Bank deposit slips, reconciliations & statements                          7
Financial Records   Bills of lading                                                           3
Financial Records   Budgets                                                                   3
Financial Records   Cash disbursement & receipt record                                        7
Financial Records   Checks (canceled)                                                         3
Financial Records   Credit memos                                                              3
Financial Records   Depreciation schedule                                                     7
Financial Records   Dividend register & canceled dividend checks                              Permanent
Financial Records   Employee expense reports                                                  3
Financial Records   Employee payroll records (W‐2, W‐4, annual earnings records, etc.)        7
Financial Records   Financial statements (annual)                                             Permanent
Financial Records   Freight bills                                                             3
Financial Records   General ledger                                                            Permanent
Financial Records   Internal reports (work orders, sales reports, production reports)         3
Financial Records   Inventory lists                                                           3
Financial Records   Investments (sales & purchases)                                           Permanent
Financial Records   Profit / Loss statements                                                  Permanent
Financial Records   Purchase and sales contracts                                              3
Financial Records   Purchase order                                                            3
Financial Records   Subsidiary ledgers (accounts receivable, accounts payable, etc.)          Permanent
Financial Records   Tax returns                                                               Permanent
Financial Records   Vendor Invoices                                                           7
Financial Records   Worthless securities                                                      7

Page 10 of 56


ANNEX 4: BASELINE SECURITY CATEGORIZATION GUIDELINES 
 
Assets and services are categorized by two primary attributes: (a) the potential impact they pose from misuse and (b) the data 
classification level of the data processed, stored or transmitted by the asset or process. These two attributes combine to 
establish a basis for controls that should be assigned to that system or asset. This basis is called an Assurance Level (AL). 
 
DATA SENSITIVITY
The data sensitivity rating is straightforward: it is the highest data classification of the data processed, stored or
transmitted by the asset or process.

SAFETY & CRITICALITY
The Safety & Criticality (SC) rating reflects two aspects of the “importance” of the asset or process:
• On one hand, SC simply represents the importance of the asset relative to the achievement of the company’s goals and
objectives (e.g., business critical, mission critical, or non‐critical).
• On the other hand, SC represents the potential for harm that misuse of the asset or service could cause to [Company
Name], its clients, its partners, or the general public.
 
The three (3) SC ratings are:
• SC‐1: Mission Critical. This category involves systems, services and data that are determined to be vital to the operations
or mission effectiveness of [Company Name]:
o Includes systems, services or data with the potential to significantly impact the brand, revenue or customers.
o Any business interruption would have a significant impact on [Company Name]’s mission.
- Cannot go down without having a significant impact on [Company Name]’s mission.
- The consequences of loss of integrity or availability of a SC‐1 system are unacceptable and could include the
immediate and sustained loss of mission effectiveness.
o Requires the most stringent protection measures that exceed leading practices to ensure adequate security.
o Safety aspects of SC‐1 systems, services and data could lead to:
- Catastrophic hardware failure;
- Unauthorized physical access to premises; and/or
- Physical injury to users.
• SC‐2: Business Critical. This category involves systems, services and data that are determined to be important to the
support of [Company Name]’s business operations:
o Includes systems, services or data with the potential to moderately impact the brand, revenue or customers.
o Affected systems, services or data can go down for up to twenty‐four (24) hours (e.g., one (1) business day)
without having a significant impact on [Company Name]’s mission.
- Loss of availability is difficult to deal with and can only be tolerated for a short time.
- The consequences could include delay or degradation in providing important support services or commodities
that may seriously impact mission effectiveness or the ability to operate.
- The consequences of loss of integrity are unacceptable.
o Requires protection measures equal to or beyond leading practices to ensure adequate security.
o Safety aspects of SC‐2 systems could lead to:
- Loss of privacy; and/or
- Unwanted harassment.
• SC‐3: Non‐Critical. This category involves systems, services and data that are necessary for the conduct of day‐to‐day
operations, but are not business critical in the short‐term:
o Includes systems, services or data with little or no potential to impact the brand, revenue or customers.
o Affected systems, services or data can go down for up to seventy‐two (72) hours (e.g., three (3) business days)
without having a significant impact on [Company Name]’s mission.
- The consequences of loss of integrity or availability can be tolerated or overcome without significant
impacts on mission effectiveness.
- The consequences could include the delay or degradation of services or routine activities.
o Requires protection measures that are commensurate with leading practices to ensure adequate security.
o Safety aspects of SC‐3 systems could lead to:
- Inconvenience;
- Frustration; and/or
- Embarrassment.

Page 12 of 56


The cell where an asset’s data sensitivity rating and its SC rating meet in the matrix below gives its Assurance Level (AL). The AL
represents the “level of effort” that is needed to properly ensure the Confidentiality, Integrity, Availability and Safety (CIAS)
of the asset or process.

Asset Categorization Matrix                    Data Sensitivity
Safety & Criticality                RESTRICTED    CONFIDENTIAL    INTERNAL USE    PUBLIC
SC‐1 Mission Critical               Enhanced      Enhanced        Enhanced        Enhanced
SC‐2 Business Critical              Enhanced      Enhanced        Basic           Basic
SC‐3 Non‐Critical                   Enhanced      Basic           Basic           Basic
Figure 1: Asset Categorization Risk Matrix
 
 
BASIC ASSURANCE REQUIREMENTS
• The minimum level of controls is defined as industry‐recognized leading practices (e.g., PCI DSS, NIST 800‐53, ISO 27002,
etc.).
• For security controls in Basic assurance projects or initiatives, the focus is on the digital security controls being in place,
with the expectation that no obvious errors exist and that, as flaws are discovered, they are addressed in a timely manner.

ENHANCED ASSURANCE REQUIREMENTS
• The minimum level of controls is defined as exceeding industry‐recognized leading practices (e.g., DLP, FIM, DAM, etc.).
• For security controls in Enhanced Assurance projects, it is essentially the Basic Assurance level expanded to require more
robust cybersecurity capabilities that are commensurate with the value of the project to [Company Name].
 

Page 13 of 56