Cisco Cloud Controls Framework (CCF) Public Release V1.0

The Cisco Cloud Controls Framework, its narratives and audit artifacts are purely guidance. Each organization should review, evaluate, and tailor the framework to your needs and integrate into your own compliance regime.

Tab | Description

CCF V1.0 | CCF V1.0 mapping of controls to the following frameworks:

- SOC 2 (A/S/C)
- SOC 2 Privacy
- ISO 27001
- ISO 27701 Processor/Controller
- ISO 27017 Provider/Customer
- ISO 22301
- ISO 27018
- BSI C5
- Fedramp Tailored
- Spanish ENS Basic/Medium/High
- ISMAP
- PCI DSS v.3.2.1
- IRAP December 2021
- EU Code of Conduct

Please refer to CCF V1.0 tab for additional details.

CCF Narratives and Artifacts | Control Narratives and supporting Audit Artifacts are provided for every control in CCF V1. The Narratives were created to help provide guidance on activities and actions to execute a control. The Audit Artifacts provide a high-level understanding of what typically is requested when reviewing the effectiveness of a control. Please refer to CCF Narratives and Artifacts tab for additional details.
Cisco Cloud Controls Framework

The following table contains Cisco's Cloud Controls Framework. The CCF control activities map to vario
27001:2013, ISO/IEC 27017:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, ISO/IEC 27701:2019, Esqu
Payment Card Industry Data Security Standard (PCI-DSS v3.2.1), Information System Security Manage
Cloud Code of Conduct (CoC), Third-Party Cybersecurity Compliance Certificate (CCC), and The Federa

The Cisco CCF is the result of research to determine what is needed to certify and achieve compliance
guidance, and each organization must review, evaluate, and tailor the control framework according to

CCF V1.0 includes a full mapping of IRAP December 2021. However, for controls that are unique to IRAP and no

Domain | Control Title | Control Reference

Audit Assurance & Compliance | Control Self-Assessments | CCF 1
Audit Assurance & Compliance | Security Policy Audit | CCF 2
Audit Assurance & Compliance | Customer Audits | CCF 3
Application Security | Interface Threat Assessment | CCF 4
Application Security | Cybersecurity Legal and Regulatory Requirements | CCF 5
Application Security | Spanish Security Requirements | CCF 6
Business Continuity & Resilience | Documented BC/DR | CCF 7
Business Continuity & Resilience | Legal & Regulatory Requirements for Continuity | CCF 8
Business Continuity & Resilience | Business Impact Assessment | CCF 9
Business Continuity & Resilience | Business Contingency Roles & Responsibilities | CCF 10
Business Continuity & Resilience | Service Storage and Processing | CCF 11
Business Continuity & Resilience | Service Storage and Processing | CCF 12
Business Continuity & Resilience | Service Storage and Processing | CCF 13
Business Continuity & Resilience | Service Storage and Processing | CCF 14
Business Continuity & Resilience | Multi-Location Strategy | CCF 15
Business Continuity & Resilience | Audit Record Capacity | CCF 16
Business Continuity & Resilience | Audit Logging Alert | CCF 17
Business Continuity & Resilience | Customer Data Backup | CCF 18
Business Continuity & Resilience | Customer Data Replication | CCF 19
Business Continuity & Resilience | Customer Data Backup | CCF 20
Business Continuity & Resilience | Backup Location | CCF 21
Business Continuity & Resilience | Email Backup | CCF 22
Change & Configuration Management | SDLC Methodology | CCF 23
Change & Configuration Management | Cloud Provider Change Monitoring | CCF 24
Change & Configuration Management | Change Approval and Testing Documentation | CCF 25
Change & Configuration Management | System Change Communication | CCF 26
Change & Configuration Management | Processing Change Notification | CCF 27
Change & Configuration Management | System Configuration Management | CCF 28
Change & Configuration Management | File Integrity Monitoring | CCF 29
Change & Configuration Management | Change Migrations | CCF 30
Change & Configuration Management | Workstation Privileged Access | CCF 31
Change & Configuration Management | Version Control | CCF 32
Change & Configuration Management | Customer Data direct change | CCF 33
Change & Configuration Management | Utility Program Control | CCF 34
Data Center Security | Building Perimeter Physical Access | CCF 35
Data Center Security | Building Fail-Safe Mechanisms | CCF 36
Data Center Security | Building Safeguards | CCF 37
Data Center Security | Cloud Provider Geographical Locations | CCF 38
Data Center Security | Building Perimeter Physical Access | CCF 39
Data Center Security | Building Perimeter Physical Access | CCF 40
Data Center Security | Physical Access Review | CCF 41
Data Center Security | Physical Access Monitoring | CCF 42
Data Center Security | Surveillance Feed Data | CCF 43
Data Center Security | Payment Card Data | CCF 44
Data Center Security | Cybersecurity Positions | CCF 45
Data Center Security | Device and Hardware Transfer | CCF 46
Data Center Security | Asset Onboarding | CCF 47
Data Center Security | Asset Maintenance | CCF 48
Data Center Security | Safe and Secure Work Environment | CCF 49
Data Center Security | Authorized Building Access | CCF 50
Data Security Management | Customer Data Protection | CCF 51
Data Security Management | Production Asset Inventory | CCF 52
Data Security Management | Cloud Asset Labeling | CCF 53
Data Security Management | Cloud Asset and Data Inventory | CCF 54
Data Security Management | Cloud Service Functionality | CCF 55
Data Security Management | Data classification and treatment Criteria | CCF 56
Data Security Management | Sharing of Confidential Data | CCF 57
Data Security Management | Cardholder Asset Inventory | CCF 58
Data Security Management | Inventory of Wireless Access Points | CCF 59
Data Security Management | Customer Incident System | CCF 60
Data Security Management | Data Flow Diagram | CCF 61
Data Security Management | Non-Production data | CCF 62
Data Security Management | Data Transfer | CCF 63
Data Security Management | Company Retention and Disposal Policies | CCF 64
Data Security Management | Electronic Media Handling | CCF 65
Data Security Management | Customer data removal | CCF 66
Data Security Management | Customer Retention and Disposal Policies | CCF 67
Data Security Management | SDN Procedures | CCF 68
Data Security Management | Company Retention and Disposal Policies | CCF 69
Data Security Management | IPv6 support status | CCF 70
Key Management | Cryptographic Key Custodians | CCF 71
Key Management | Key Management | CCF 72
Key Management | Public Key Certificates | CCF 73
Key Management | Cryptography Use | CCF 74
Key Management | Encrypted Media Devices | CCF 75
Key Management | Cryptographic Algorithm and Methods, Secure Data Transmission Protocols, Encryption at Rest | CCF 76
Key Management | Cryptographic Algorithm and Methods | CCF 77
Key Management | Personal Account Number | CCF 78
Key Management | Full Disk Encryption Access | CCF 79
Key Management | Encryption Key | CCF 80
Key Management | Compromised Cryptographic Keys | CCF 81
Key Management | Shared Data Encryption Keys | CCF 82
Key Management | Clear-text Cryptographic Key Management | CCF 83
Governance and Risk Management | Network & System Hardening | CCF 84
Governance and Risk Management | Security Gateways | CCF 85
Governance and Risk Management | Virtual Private Network Hardware | CCF 86
Governance and Risk Management | Security Management System Risk Assessment Methodology | CCF 87
Governance and Risk Management | Risk Assessments and Mitigation Strategy | CCF 88
Governance and Risk Management | Risk Assessments and Mitigation Strategy | CCF 89
Governance and Risk Management | Shared Data Types | CCF 90
Governance and Risk Management | Roles and Responsibilities over Security and Control Environment | CCF 91
Governance and Risk Management | Board of Directors & Sub-Committees | CCF 92
Governance and Risk Management | Audit Committee Charter & Oversight | CCF 93
Governance and Risk Management | Legal Assessments | CCF 94
Governance and Risk Management | Roles and Responsibilities of Cloud Customers and Providers | CCF 95
Governance and Risk Management | Statement of Applicability | CCF 96
Governance and Risk Management | ISMS Steering Committee | CCF 97
Governance and Risk Management | Information Security Program | CCF 98
Governance and Risk Management | ISMS Boundaries | CCF 99
Governance and Risk Management | Periodic Security Staff Meetings | CCF 100
Governance and Risk Management | Information Security Budget | CCF 101
Governance and Risk Management | Information Security Policies and Review | CCF 102
Governance and Risk Management | Information Security Policies and Review | CCF 103
Governance and Risk Management | Cloud Customer Information Security Policy and Risk Review | CCF 104
Governance and Risk Management | Cloud Provider Information Security Policy and Risk Review | CCF 105
Governance and Risk Management | Information Security Control Disclosure | CCF 106
Governance and Risk Management | Policies and Standard Review | CCF 107
Governance and Risk Management | Policy and Standard Exceptions | CCF 108
Governance and Risk Management | Policies and Standards over Metadata | CCF 109
Governance and Risk Management | PCI Roles and Responsibilities | CCF 110
Governance and Risk Management | GDPR Representative | CCF 111
Governance and Risk Management | EU Code of Conduct transparency | CCF 112
Governance and Risk Management | Policy Violation & Non Compliance Consequences | CCF 113
Governance and Risk Management | Information Security Risk Assessment and developing IT General Control Activities | CCF 114
People Management | Background Checks | CCF 115
People Management | Candidate Competency and Compatibility | CCF 116
People Management | National Security Clearance Review | CCF 117
People Management | Confidential Information Agreement | CCF 118
People Management | Non-Disclosure Agreement | CCF 119
People Management | Code of Conduct | CCF 120
People Management | Performance Review | CCF 121
People Management | Performance Review | CCF 122
People Management | Mobile Device Management | CCF 123
People Management | Organizational Structure and Reporting Lines | CCF 124
People Management | Job Descriptions | CCF 125
People Management | Security Awareness Training | CCF 126
People Management | Training for Development and Growth | CCF 127
People Management | Secure Coding Training | CCF 128
People Management | Cardholder Awareness Training | CCF 129
People Management | Whistleblower Policy | CCF 130
Access Management | Privileged Access to Production | CCF 131
Access Management | Limited Audit Trail Access | CCF 132
Access Management | Audit Log Monitoring | CCF 133
Access Management | Log Ambiguity | CCF 134
Access Management | Vendor Accounts | CCF 135
Access Management | Service Provider access | CCF 136
Access Management | Remote Sessions and logging | CCF 137
Access Management | Access to Production & Multi-Factor Authentication | CCF 138
Access Management | User Provisioning | CCF 139
Access Management | Cloud Access Management | CCF 140
Access Management | Quarterly Access Reviews | CCF 141
Access Management | Quarterly Access Review Exceptions | CCF 142
Access Management | Unique ID Log-In | CCF 143
Access Management | Password Management & Configuration | CCF 144
Access Management | Password Management & Configuration | CCF 145
Access Management | Cloud User Access Management | CCF 146
Access Management | Unique Customer Identifier and ID | CCF 147
Access Management | User account disablement | CCF 148
Access Management | Inactivity Monitoring | CCF 149
Access Management | Provisioning and Modifying Authentication Credentials | CCF 150
Access Management | Concurrent Login Sessions | CCF 151
Access Management | Inactive Session Termination | CCF 152
Access Management | U.S. Federal Government Access | CCF 153
Access Management | Authorized Session Manager | CCF 154
Access Management | Approved Information Technology Products | CCF 155
Access Management | Default Supplier Passwords | CCF 156
Access Management | Remote Activation of Collaborative Computing Devices | CCF 157
Access Management | Access Tracking and Responsibilities | CCF 158
Access Management | Digital Electronic Signature | CCF 159
Access Management | Cardholder Data Log | CCF 160
Access Management | Password Hashing | CCF 161
Access Management | Access Policy | CCF 162
Access Management | Contingent Worker Termination | CCF 163
Access Management | Full Time Worker Termination | CCF 164
Access Management | Full Time Worker Termination | CCF 165
Access Management | Full Time Worker Termination | CCF 166
Access Management | Termination Notification | CCF 167
Access Management | Termination Exit Interviews | CCF 168
Access Management | Transfer Access | CCF 169
Infrastructure Security | Network Security Monitoring | CCF 170
Infrastructure Security | Virtual Machine Integrity Check | CCF 171
Infrastructure Security | Virtual Machine Integrity Check | CCF 172
Infrastructure Security | Virtual Machine Integrity Check | CCF 173
Infrastructure Security | Cardholder System Components | CCF 174
Infrastructure Security | Clock Synchronization | CCF 175
Infrastructure Security | Access to Modify Time | CCF 176
Infrastructure Security | Production Firewall Security | CCF 177
Infrastructure Security | Firewall Ruleset Review | CCF 178
Infrastructure Security | Firewall Equipment | CCF 179
Infrastructure Security | Firewall DMZ | CCF 180
Infrastructure Security | Firewall Dynamic Packet Filtering | CCF 181
Infrastructure Security | Private IP Address | CCF 182
Infrastructure Security | Network Segmentation | CCF 183
Infrastructure Security | Customer Network Segmentation | CCF 184
Infrastructure Security | Production Environment Segmentation | CCF 185
Infrastructure Security | Wireless Access to Network | CCF 186
Infrastructure Security | Mobile Encryption | CCF 187
Infrastructure Security | Portable Device Security | CCF 188
Infrastructure Security | Mobile Device Tampering | CCF 189
Infrastructure Security | Production primary function | CCF 190
Infrastructure Security | Access Point Mapping | CCF 191
Infrastructure Security | Denial of Service Protection | CCF 192
Infrastructure Security | Sub-system Protection | CCF 193
Privacy Handling & Security | PII Processing Identification | CCF 194
Privacy Handling & Security | Lawful Basis for processing PII | CCF 195
Privacy Handling & Security | Consent for processing PII | CCF 196
Privacy Handling & Security | PII Privacy Assessment | CCF 197
Privacy Handling & Security | PII Controller & Processor Contract | CCF 198
Privacy Handling & Security | Processing PII Obligations | CCF 199
Privacy Handling & Security | PII Legal, regulatory, and business obligations | CCF 200
Privacy Handling & Security | PII Release Request & Documentation | CCF 201
Privacy Handling & Security | Privacy & Protection of PII | CCF 202
Privacy Handling & Security | PII Withdrawal or objection notification to third parties | CCF 203
Privacy Handling & Security | Collection and Processing of PII | CCF 204
Privacy Handling & Security | Data Minimization and De-Identification | CCF 205
Privacy Handling & Security | Deletion of PII | CCF 206
Privacy Handling & Security | Retention of PII | CCF 207
Privacy Handling & Security | Access, Correction and Disposal of PII | CCF 208
Privacy Handling & Security | Transfer of PII | CCF 209
Privacy Handling & Security | Third party disclosure of PII | CCF 210
Privacy Handling & Security | PII Collection and Processing | CCF 211
Privacy Handling & Security | Processing of PII Compliance and Obligations | CCF 212
Privacy Handling & Security | Automatic Processing of PII Requirements | CCF 213
Privacy Handling & Security | PII Accuracy | CCF 214
Privacy Handling & Security | PII Transmission | CCF 215
Privacy Handling & Security | PII Disclosures | CCF 216
Privacy Handling & Security | PII Disclosures | CCF 217
Privacy Handling & Security | PII Collection | CCF 218
Privacy Handling & Security | PII Processing Roles & Responsibilities | CCF 219
Privacy Handling & Security | Transfer of PII | CCF 220
Privacy Handling & Security | Data Protection Officer | CCF 221
Privacy Handling & Security | PII Breach and Notification | CCF 222
Privacy Handling & Security | PII Marketing and Advertising | CCF 223
Privacy Handling & Security | PII Customer Obligations | CCF 224
Privacy Handling & Security | Roles and Responsibilities of Processing of PII | CCF 225
Privacy Handling & Security | PII Permissions | CCF 226
Privacy Handling & Security | Processing of PII Infringement | CCF 227
Privacy Handling & Security | Subcontractor processing of PII | CCF 228
Privacy Handling & Security | PII Compliance & Obligations | CCF 229
Privacy Handling & Security | PII Subcontractor Changes and Replacement | CCF 230
Privacy Handling & Security | Customer Log Records | CCF 231
Privacy Handling & Security | Privacy Information Security Management System Risk Assessment Methodology | CCF 232
Privacy Handling & Security | Privacy Risk Assessment | CCF 233
Privacy Handling & Security | Privacy Risk Assessment Control Mitigation | CCF 234
Privacy Handling & Security | PII Restoration Tests | CCF 235
Security Incident Management | Security & Privacy Incident Response | CCF 236
Security Incident Management | Security & Privacy Incident Response | CCF 237
Security Incident Management | Security Incident Response Resources | CCF 238
Security Incident Management | Security Incident & Event Logging | CCF 239
Security Incident Management | Privacy Incident & Event Logging | CCF 240
Security Incident Management | Cloud Customer Event Logging Requirements | CCF 241
Security Incident Management | Cloud Logging Capabilities | CCF 242
Security Incident Management | Intellectual Property Rights Complaints | CCF 243
Security Incident Management | Cardholder Confirmed Events | CCF 244
Supply Chain Management | Supplier Management Program | CCF 245
Supply Chain Management | Supplier Exit Strategy | CCF 246
Supply Chain Management | Supplier Management Program | CCF 247
Supply Chain Management | Suppliers residing in KSA | CCF 248
Supply Chain Management | National Cybersecurity Authority requests | CCF 249
Supply Chain Management | Security Incident Management | CCF 250
Supply Chain Management | Security Incident Management | CCF 251
Supply Chain Management | Incident Response Plan | CCF 252
Supply Chain Management | System Capacity Monitoring | CCF 253
Supply Chain Management | Availability Monitoring | CCF 254
Supply Chain Management | Capacity Budgeting | CCF 255
Supply Chain Management | Company Master Service Agreements | CCF 256
Supply Chain Management | Supplier sharing agreements and review | CCF 257
Supply Chain Management | Terms of Service | CCF 258
Supply Chain Management | Cloud Service Customer Assets | CCF 259
Supply Chain Management | Card Data storage | CCF 260
Supply Chain Management | Cardholder data protection | CCF 261
Vulnerability Management | BU Anti-Malware Technology | CCF 262
Vulnerability Management | Corporate Anti-Malware Technology | CCF 263
Vulnerability Management | Antivirus logs | CCF 264
Vulnerability Management | Antivirus mechanism access | CCF 265
Vulnerability Management | Email Sandboxing | CCF 266
Vulnerability Management | Network Vulnerability Scans | CCF 267
Vulnerability Management | Penetration Testing | CCF 268
Vulnerability Management | Security Bulletin and Email Alerts | CCF 269
Vulnerability Management | Cloud Provider Vulnerability Management | CCF 270
Vulnerability Management | Software Vulnerability Scanning | CCF 271
Vulnerability Management | Infrastructure & Application patching | CCF 272
Vulnerability Management | Software & Firmware Updates | CCF 273
Vulnerability Management | System Description & Boundaries | CCF 274
Vulnerability Management | External Communication Requirements | CCF 275
Vulnerability Management | Cloud Authorities | CCF 276
Vulnerability Management | License maintenance and usage | CCF 277
Vulnerability Management | Access Notification | CCF 278
Vulnerability Management | Legal Assessments | CCF 279
Vulnerability Management | Trusted Connections | CCF 280
Vulnerability Management | Publishing Information Publicly | CCF 281
Vulnerability Management | Cloud Service Legal Jurisdictions | CCF 282
Vulnerability Management | KSA Penetration Tests | CCF 283
Vulnerability Management | Cardholder Data Penetration Tests | CCF 284

Below controls are unique to IRAP and no other framework

Application Security | Legal and regulatory advice | CCF 285
Governance and Risk Management | Chief Information Security Officer | CCF 286
Governance and Risk Management | Compromised cryptographic equipment | CCF 287
Governance and Risk Management | IRAP Sponsor | CCF 288
Privacy Handling & Security | Data Spillage | CCF 289
Infrastructure Security | Video Conferencing Authentication | CCF 290
Infrastructure Security | IP Phone Login | CCF 291
Infrastructure Security | Fax Machine Policy | CCF 292
Infrastructure Security | Mobile Device Storage | CCF 293
Infrastructure Security | ACSC Mobile Phone Platform | CCF 294
Infrastructure Security | Mobile Phone Access | CCF 295
Infrastructure Security | ACSC Approved Mobile Platform | CCF 296
Infrastructure Security | Mobile Device Encryption | CCF 297
Infrastructure Security | Mobile Bluetooth Communication | CCF 298
Infrastructure Security | Highly classified mobile Bluetooth functionality | CCF 299
Infrastructure Security | Mobile Device Bluetooth Pairing | CCF 300
Infrastructure Security | Bluetooth Pairing Version | CCF 301
Infrastructure Security | Bluetooth Pairing | CCF 302
Infrastructure Security | Bluetooth Pairing Removal | CCF 303
Infrastructure Security | Sensitive Data Communication | CCF 304
Infrastructure Security | Sensitive Data Viewing | CCF 305
Infrastructure Security | Privacy Filters | CCF 306
Infrastructure Security | Sensitive Phone Calls | CCF 307
Infrastructure Security | Mobile Device Supervision | CCF 308
Infrastructure Security | Mobile Device Storage | CCF 309
Infrastructure Security | Mobile Sanitization | CCF 310
Infrastructure Security | Traveling Security risks | CCF 311
Infrastructure Security | Traveling with Mobile Devices | CCF 312
Infrastructure Security | Pre Travel Checklist | CCF 313
Infrastructure Security | Travel Precautions | CCF 314
Infrastructure Security | Compromised Mobile Devices | CCF 315
Infrastructure Security | Mobile Device Sanitization | CCF 316
Infrastructure Security | Mobile Device Monitoring | CCF 317
Infrastructure Security | Administrator Workstation | CCF 318
Infrastructure Security | Management Traffic | CCF 319
Infrastructure Security | Jump Server | CCF 320
Infrastructure Security | Extreme Risk Application Security Vulnerability Patching | CCF 321
Infrastructure Security | High Risk Application Security Vulnerability Patching | CCF 322
Infrastructure Security | Moderate/Low Application Security Vulnerability Patching | CCF 323
Infrastructure Security | Extreme Risk Operating System Security Vulnerability Patching | CCF 324
Infrastructure Security | High Risk Operating System Security Vulnerability Patching | CCF 325
Infrastructure Security | Moderate/Low Operating System Security Vulnerability Patching | CCF 326
Infrastructure Security | ICT Equipment Patching | CCF 327
Infrastructure Security | Web Application Header | CCF 328
Infrastructure Security | Web Application Standard | CCF 329
Infrastructure Security | Database Web Server Separation | CCF 330
Infrastructure Security | Database Server Network Connectivity | CCF 331
Infrastructure Security | Network Functionality of Database Management System | CCF 332
Infrastructure Security | Database Management System Software | CCF 333
Infrastructure Security | Database Management System access rights | CCF 334
Infrastructure Security | Database Query syntax | CCF 335
Infrastructure Security | Stored Procedure Queries | CCF 336
Infrastructure Security | Database Schema | CCF 337
Infrastructure Security | Webmail Service Access | CCF 338
Infrastructure Security | Email Protective Markings | CCF 339
Infrastructure Security | Authorized Email Protective Markings | CCF 340
Infrastructure Security | Maintaining Email Protective Markings | CCF 341
Infrastructure Security | Inappropriate Protective Markings | CCF 342
Infrastructure Security | Distribution of emails | CCF 343
Infrastructure Security | Email Gateway | CCF 344
Infrastructure Security | Backup Email Gateway | CCF 345
Infrastructure Security | Email Server Relay | CCF 346
Infrastructure Security | Email TLS Encryption | CCF 347
Infrastructure Security | Unencrypted email transfer | CCF 348
Infrastructure Security | Authorized Email Services | CCF 349
Infrastructure Security | Hard Fail SPF | CCF 350
Infrastructure Security | Authenticity of Emails | CCF 351
Infrastructure Security | Failed SPF checks | CCF 352
Infrastructure Security | DKIM Signatures | CCF 353
Infrastructure Security | Email Filtering | CCF 354
Infrastructure Security | Email Gateway Filtering | CCF 355
Infrastructure Security | VLAN Network Separation | CCF 356
Infrastructure Security | VLAN Security Domain | CCF 357
Infrastructure Security | VLAN Trunk Sharing | CCF 358
Infrastructure Security | VLAN management | CCF 359
Infrastructure Security | IPv6 Functionality | CCF 360
Infrastructure Security | IPv6 tunneling | CCF 361
Infrastructure Security | IPv6 addressing | CCF 362
Infrastructure Security | Server Separation | CCF 363
Infrastructure Security | Server Communication | CCF 364
Infrastructure Security | Anonymity Network Connection | CCF 365
Infrastructure Security | Wireless network connections | CCF 366
Infrastructure Security | SSID change | CCF 367
Infrastructure Security | Static Addressing | CCF 368
Infrastructure Security | MAC address filtering | CCF 369
Infrastructure Security | Authentication of Wireless Networks | CCF 370
Infrastructure Security | Device and user certificates | CCF 371
Infrastructure Security | PMK Caching Period | CCF 372
Infrastructure Security | Wireless access point communication | CCF 373
Infrastructure Security | ASD Cryptography | CCF 374
Infrastructure Security | Wireless access point enablement | CCF 375
Infrastructure Security | Wireless access points | CCF 376
Infrastructure Security | RF Shielding | CCF 377
Infrastructure Security | Wi-Fi Alliance Certification | CCF 378
Infrastructure Security | Cloud Service Provider | CCF 379
Infrastructure Security | Content Delivery Networking | CCF 380
Infrastructure Security | Online Service Domain Names | CCF 381
Infrastructure Security | HACE communication | CCF 382
Infrastructure Security | Security Domain Connection | CCF 383
Infrastructure Security | Connecting Network Gateway | CCF 384
Infrastructure Security | Gateway testing | CCF 385
Infrastructure Security | Demilitarized Zone Usage | CCF 386
Infrastructure Security | Administrator Gateway Role | CCF 387
Infrastructure Security | Security Domain Stakeholders | CCF 388
Infrastructure Security | User Gateway Authentication | CCF 389
Infrastructure Security | Cross Domain Solution | CCF 390
Infrastructure Security | ACSC Directions | CCF 391
Infrastructure Security | ACSC Consultation | CCF 392
Infrastructure Security | Cross Domain network path | CCF 393
Infrastructure Security | CDS Training | CCF 394
Infrastructure Security | CDS security event log | CCF 395
Infrastructure Security | Evaluated Firewall usage | CCF 396
Infrastructure Security | Evaluated Firewall usage | CCF 397
Infrastructure Security | Evaluated Diode | CCF 398
Infrastructure Security | High Assurance Diode | CCF 399
Infrastructure Security | Evaluated Diode | CCF 400
Infrastructure Security | High Assurance Diode | CCF 401
Infrastructure Security | Evaluated Diode | CCF 402
Infrastructure Security | Evaluated Diode | CCF 403
Infrastructure Security | Server Connected Diode | CCF 404
Infrastructure Security | Web Proxy | CCF 405
Infrastructure Security | Web Content Filter | CCF 406
Infrastructure Security | Client-Side Active Content | CCF 407
Infrastructure Security | TLS Legal Advice | CCF 408
Infrastructure Security | Blacklisting and Whitelisting | CCF 409
Infrastructure Security | Data Filtering | CCF 410
Infrastructure Security | Content Blocking | CCF 411
Infrastructure Security | Dynamic Malware Analysis | CCF 412
Infrastructure Security | Content Validation | CCF 413
Infrastructure Security | Content Conversion | CCF 414
Infrastructure Security | Content Sanitization | CCF 415
Infrastructure Security | Content Filter Checks | CCF 416
Infrastructure Security | Content Controlled Inspection | CCF 417
Infrastructure Security | File Inspection | CCF 418
Infrastructure Security | Targeted Cyber Intrusion | CCF 419
Infrastructure Security | Intrusion Traffic Retention | CCF 420
Infrastructure Security | Video Calling Hardening | CCF 421
Supply Chain Management | Evidence Integrity | CCF 422
Supply Chain Management | Cloud customer and service provider contact | CCF 423
Supply Chain Management | ACSC Reporting | CCF 424
Supply Chain Management | ACSC Security Assessment | CCF 425
Supply Chain Management | IRAP Security Assessment | CCF 426
Supply Chain Management | Community or Private Cloud Usage | CCF 427
Supply Chain Management | Australian system processing, storing, and communicating | CCF 428
Supply Chain Management | AUSTEO or AGAO access | CCF 429
Supply Chain Management | Procurement of PP-based products | CCF 430
Supply Chain Management | Microsoft Windows Usage | CCF 431
Supply Chain Management | ACSC Hardening of Operating Systems | CCF 432
Supply Chain Management | Microsoft Operating System Usage | CCF 433
Supply Chain Management | ACSC Hardening of Microsoft Office | CCF 434
Supply Chain Management | Web Browser Blocking | CCF 435
Supply Chain Management | Unrequired Functionality Blocking | CCF 436
Supply Chain Management | Add-On Restriction | CCF 437
Supply Chain Management | Microsoft Office Usage | CCF 438
Supply Chain Management | Out-dated applications and operating systems | CCF 439
Data Security Management | Radio Frequency Inventory | CCF 440
Data Security Management | Unauthorized RF Devices | CCF 441
Data Security Management | Bluetooth and Wireless Keyboard Usage | CCF 442
Data Security Management | Infrared Keyboards and Ports | CCF 443
Data Center Security | Cabling Infrastructure | CCF 444
Data Center Security | Fiber-Optic Cables | CCF 445
Data Center Security | Cable Register | CCF 446
Data Center Security | Floor Plan Diagram | CCF 447
Data Center Security | Cable Labeling | CCF 448
Data Center Security | Fiber-Optic Cable Requirements | CCF 449
Data Center Security | Cable Dividing Partition | CCF 450
Data Center Security | Cable Reticulation System | CCF 451
Data Center Security | Conduit Usage | CCF 452
Data Center Security | Tamper-Evident Seal Usage | CCF 453
Data Center Security | Conduit Glue | CCF 454
Data Center Security | Cable Configuration | CCF 455
Data Center Security | Cable Encasement | CCF 456
Data Center Security | Cable Encasement | CCF 457
Data Center Security | Flexible or Plastic Conduit Usage | CCF 458
Data Center Security | Wall outlet Box Connectors | CCF 459
Data Center Security | Cabling Box Requirements | CCF 460
Data Center Security | Fiber-Optic Fly Leads | CCF 461
Data Center Security | Cable Reticulation Termination | CCF 462
Data Center Security | Cable Reticulation Termination | CCF 463
Data Center Security | Cable Reticulation Termination | CCF 464
Data Center Security | Cable Termination | CCF 465
Data Center Security | Cable Termination | CCF 466
Data Center Security | Cable Termination | CCF 467
Data Center Security | Cabinet Gap | CCF 468
Data Center Security | Patch Panel Separation | CCF 469
Data Center Security | Patch Panel Configuration | CCF 470
Data Center Security | Penetration of Audio Secured Space | CCF 471
Data Center Security | Power Distribution Board | CCF 472
Data Center Security | Power Distribution Board | CCF 473
Data Center Security | Radio Frequency Transmitters | CCF 474
Data Center Security | Radio Frequency Transmitters | CCF 475
Data Center Security | System Deployment in Shared Facilities | CCF 476
Data Center Security | System Deployment Overseas | CCF 477
Data Center Security | System Deployment Overseas | CCF 478
Data Center Security | Emanation Security Threat Assessment | CCF 479
Data Center Security | ICT Equipment Standards | CCF 480
Data Center Security | Telephone Systems Policy | CCF 481
Data Center Security | Telephone Systems Configuration | CCF 482
Data Center Security | High Assurance ICT Equipment | CCF 483
Data Center Security | High Assurance ICT Equipment | CCF 484
Data Center Security | ICT Equipment Policy | CCF 485
Data Center Security | ICT Equipment Classification | CCF 486
Data Center Security | ICT Equipment Labeling | CCF 487
Data Center Security | ACSC Approval for Labeling | CCF 488
Data Center Security | ICT Equipment Handling | CCF 489
Data Center Security | ICT Equipment Repair | CCF 490
Data Center Security | Technician Escorting | CCF 491
Data Center Security | ICT Equipment Inspection | CCF 492
Data Center Security | ICT Equipment Labeling | CCF 493
Data Center Security | ICT Equipment Disposing | CCF 494
Data Center Security | ICT Equipment Sanitization | CCF 495
Data Center Security | ICT Equipment Sanitization | CCF 496
Data Center Security | Color Printer Cartridge | CCF 497
Data Center Security | MFD Print Drum | CCF 498
Data Center Security | MFD Platen Destruction | CCF 499
Data Center Security | Printer Jam Check | CCF 500
Data Center Security | Printer Cartridge Destruction | CCF 501
Data Center Security | Printer Ribbon Removal | CCF 502
Data Center Security | Monitor Burn-In | CCF 503
Data Center Security | Monitor Destruction | CCF 504
Data Center Security | Network Device Memory Sanitization | CCF 505
Data Center Security | Paper Tray Removal | CCF 506
Data Center Security | Rewritable Media Sanitization | CCF 507
Data Center Security | Volatile Media Sanitization | CCF 508
Data Center Security | Volatile Media Sanitization | CCF 509
Data Center Security | Device Configuration Reset | CCF 510
Data Center Security | Non-Volatile magnetic | CCF 511
media sanitization

ATA Secure Erase


Data Center Security CCF 512
Command
EPROM media
Data Center Security CCF 513
sanitization

Non-Volatile flash
Data Center Security CCF 514
memory sanitization

Data Center Security Media Disposal CCF 515

Data Center Security Media Disposal CCF 516

Data Center Security Degausser Evaluation CCF 517

Data Center Security Microfilm Destruction CCF 518

Data Center Security Waste Storage CCF 519

Data Center Security Degausser Evaluation CCF 520

Data Center Security Degausser Evaluation CCF 521

Data Center Security Degausser directions CCF 522

Magnetic Media
Data Center Security CCF 523
Destruction
Data Center Security Media Destruction CCF 524

Accountable Material
Data Center Security CCF 525
Destruction

Data Center Security Destruction Outsourcing CCF 526

Top Secret Media


Data Center Security CCF 527
Destruction

Data Center Security Media Destruction CCF 528

Data Center Security Classification Removal CCF 529

Data Center Security Workstation Scanning CCF 530

People Management Contractor Identification CCF 531

Foreign National
People Management CCF 532
Identification

People Management Foreign National Access CCF 533

People Management Foreign National Access CCF 534

Access Management Foreign National Access CCF 535


Access Management Foreign National Access CCF 536

Access Management Foreign National Access CCF 537

Malicious Activity
Access Management CCF 538
Response

Access Management Access Log CCF 539

Access Management Access Restriction CCF 540

Access Management Temporary Access CCF 541

Access Management Emergency Access CCF 542

Access Management Break Glass Accounts CCF 543

Access Management Password Characteristics CCF 544

Access Management Service Account Creation CCF 545

Access Management Authentication Methods CCF 546

LAN Manager
Access Management CCF 547
Authentication
Access Management Privileged Access Group CCF 548

Access Management Credential Storage CCF 549

Access Management Hashed Passwords CCF 550

Access Management Password Change CCF 551

System Administration
Access Management CCF 552
Process

Privileged user
Access Management CCF 553
workstation

Privileged User
Access Management CCF 554
workstation access

Access Management File-Based Access CCF 555

Access Management Passphrase Storage CCF 556

Privileged User Account


Access Management CCF 557
access

Access Management Access to Systems CCF 558

Access Management VPN Connection CCF 559

Access Management Account Backup Access CCF 560

Chief Information
Access Management CCF 561
Security Officer

Access Management Access Log CCF 562

Access Management Backup Access CCF 563


Access Management Internet Facing services CCF 564

Environment
Access Management CCF 565
Virtualization

Access Management Account Disablement CCF 566

Access Management Password Characteristics CCF 567

Media Management
Key Management CCF 568
Policy

Key Management Removable Media Policy CCF 569

Key Management Media Classification CCF 570

Key Management Media Classification CCF 571

Key Management Media Encryption CCF 572

Key Management Media Usage CCF 573

Automatic Execution
Key Management CCF 574
Features

Key Management Media Writing CCF 575

Key Management Manual Data Transfer CCF 576


Encryption Software
Key Management CCF 577
Consumer Guide

Operating System
Key Management CCF 578
Hardening

Application Control
Key Management CCF 579
Usage

Key Management Application Control Rules CCF 580

Application Control log


Key Management CCF 581
configuration

Host-based Intrusion
Key Management CCF 582
Prevention System

Key Management DMA Disabling CCF 583

Key Management Software Isolation CCF 584


Software Isolation
Key Management CCF 585
Classification

Encryption Software
Key Management CCF 586
AACA

Key Management Encryption Software ACE CCF 587

Key Management HACE Usage CCF 588

Key Management HACE Encryption CCF 589

Key Management AACA Encryption CCF 590

AACP Encryption
Key Management CCF 591
Communication

ACE Cryptographic
Key Management CCF 592
Equipment

Key Management AACP Encryption CCF 593

Key Management AACA Encryption CCF 594

Key Management ECDH & ECDSA Usage CCF 595

Key Management DH Encryption CCF 596


Key Management DSA Configuration CCF 597

Elliptic Curve
Key Management CCF 598
Cryptography

Key Management ECDH Base Point Order CCF 599

ECDSA Digital Signature


Key Management CCF 600
Order

Key Management RSA Configuration CCF 601

Symmetric Cryptographic
Key Management CCF 602
Algorithm Use

Key Management 3DES Configuration CCF 603

Key Management AACA use CCF 604

CNSA Suite algorithms


Key Management CCF 605
and key size

Key Management AACP Usage CCF 606

Transport Layer Security


Key Management CCF 607
Communication
Key Management SSH Configuration CCF 608

SSH Daemon
Key Management CCF 609
Configuration

Key Management S/MIME configuration CCF 610

Key Management IPsec Configuration CCF 611

Key Management ACSC Compliance CCF 612


Cryptographic Equipment
Key Management CCF 613
Storage

Key Management Area Separation CCF 614

Key Management Content Filtering CCF 615

Key Management Decryption of Data CCF 616

Key Management Peripheral Switch CCF 617

High Assurance
Key Management CCF 618
Peripheral Switch

High Assurance
Key Management CCF 619
Peripheral Switch

Key Management Peripheral Switch CCF 620

Key Management Peripheral Switch CCF 621

Exporting Data
Key Management CCF 622
Procedures

AUSTEO and AGAO Data


Key Management CCF 623
export
Key Management Keyword Searches CCF 624

Key Management Data Transfer Logs CCF 625

Business Continuity &


Backup Restoration CCF 626
Resilience

Business Continuity &


Backup Storage CCF 627
Resilience

Business Continuity &


Event Log retention CCF 628
Resilience

Business Continuity &


DNS Log retention CCF 629
Resilience

Business Continuity &


Event Log Policy CCF 630
Resilience

Vulnerability
Vulnerability scanner CCF 631
Management

Vulnerability
Vulnerability scanner CCF 632
Management

Vulnerability
Intrusion Remediation CCF 633
Management

Vulnerability
Removable Media CCF 634
Management
Vulnerability
Media Waste CCF 635
Management

Vulnerability
Windows Defender CCF 636
Management

Vulnerability
Internet Facing services CCF 637
Management

Vulnerability
Intrusion Remediation CCF 638
Management

Vulnerability
802.11 use CCF 639
Management

Vulnerability
Media Waste CCF 640
Management

Vulnerability
PDF Software CCF 641
Management

Vulnerability
Patching and Updates CCF 642
Management

Vulnerability
Mobile Device Installation CCF 643
Management
Vulnerability Microsoft Drive Block
CCF 644
Management Rules

Vulnerability
Microsoft Office Macros CCF 645
Management

Vulnerability
Microsoft Office Macros CCF 646
Management

Vulnerability
Microsoft Office Macros CCF 647
Management
Vulnerability
Microsoft Office Macros CCF 648
Management

Vulnerability
Microsoft Office Macros CCF 649
Management

Vulnerability
Microsoft Office CCF 650
Management

Vulnerability
Internet Explorer CCF 651
Management

Vulnerability
Mobile Device Storage CCF 652
Management

Vulnerability
Execution of Drivers CCF 653
Management

Vulnerability Electrostatic Memory


CCF 654
Management Devices

Vulnerability PowerShell Script


CCF 655
Management Executions

Vulnerability
Microsoft Office Macros CCF 656
Management

Vulnerability
Data Transfer CCF 657
Management

Vulnerability
Vulnerability scanner CCF 658
Management

Vulnerability
Bill of Materials CCF 659
Management

Vulnerability
Security Txt File CCF 660
Management

Vulnerability
.NET Framework CCF 661
Management
Cisco Cloud Controls Framework (CCF) Public Release V1.0
Framework. The CCF control activities map to various frameworks and help meet the requirements of AICPA SO
015, ISO/IEC 27018:2019, ISO/IEC27701:2019, Esquema Nacional de Seguridad (ENS), Infosec Registered Assess
-DSS v3.2.1), Information System Security Management and Assessment Program (ISMAP), Cloud Computing Co
urity Compliance Certificate (CCC), and The Federal Risk and Authorization Management Program (FedRAMP Li-S

e what is needed to certify and achieve compliance for multiple industry accepted security compliance standard
uate, and tailor the control framework according to your needs and integrate into your own compliance regime.

Columns: Control Wording | Control Type | SOC 2 (A/S/C) (X = control mapped to SOC 2 A/S/C)

1. However, for controls that are unique to IRAP and no other framework, please start from row 290.

Independent Control self-assessments are performed by control owners, at least annually, to gain reasonable assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings and tracked to resolution.
Control Type: Process | SOC 2 (A/S/C): X

At least quarterly, [the organization] reviews shall be performed with approved documented specification to confirm personnel are following security policies and operational procedures pertaining to, but not limited to:
• log reviews
• firewall rule-set reviews
• applying configuration standards to new systems
• responding to security alerts
• change management processes
Control Type: Process

If applicable, [the organization]'s documented procedures regarding customer-requested audits shall be defined, documented and transparently communicated to the customer and, where applicable, the mandated auditor.
Control Type: Process

Threats to the applications and application programming interfaces, and weaknesses in their design, are identified and assessed at the frequency defined by the organization's policies.
Control Type: Process

Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are documented and maintained by [the organization]'s legal department on an annual basis.
Control Type: Process

When applicable, systems, products or equipment have their security functionalities evaluated, prior to being used, in accordance with European or international standards whose certificates are recognized by the National Scheme for the Evaluation and Certification of Information Technology Security.
Control Type: Technology

A documented business continuity/disaster recovery (BC/DR) plan is in place and tested at least annually. Enterprise testing is done by the relevant organizational team tasked with managing the organization's risk. Offer/Product teams perform testing for their given Offer/Product. Any exclusions are documented as part of the BC/DR plan. As part of the BC/DR plan, management identifies areas for improvement and implements the necessary actions to improve the business continuity plan.
Control Type: Process | SOC 2 (A/S/C): X

[The Organization] maintains and documents a process to identify, have access to, and assess applicable legal and regulatory requirements relating to the continuity of its products and services, activities and resources. Such legal and regulatory requirements are reviewed at least annually to ensure the continuity of its products and services, activities and resources. Revision histories and review periods are defined within the documents themselves and [The Organization]'s Policy Governance Policy.
Control Type: Process

A business impact assessment (BIA) or continuity-specific risk assessment is performed at least annually and when significant changes within the organization occur. Results of the assessments are used to establish the scope of the continuity plan, determine business continuity priorities, and select the recovery strategies.
Control Type: Process

Business contingency roles and responsibilities are assigned to individuals, and their contact information is communicated to authorized personnel.
Control Type: People

Systems used for service, storage, processing, monitoring of customer data, support, and disaster recovery centers reside in the KSA (Kingdom of Saudi Arabia). Stored information cannot be stored outside of the KSA.
Control Type: Technology

Systems that store and process Spanish Customer Data reside within the EU. Systems used for electronic identification and signature are also located within the EU. Identification and electronic signature systems that deal with specific categories of data (such as biometrics) reside within Spanish territory.
Control Type: Technology

[The organization] evaluates the data localization laws and requests from the EU. If requested, [The Organization]'s systems that store and process EU Data reside within the EU.
Control Type: Technology

[The Organization] evaluates the data localization laws and requests from Japan. If requested, [the organization]'s systems that store and process Japan Data reside within Japan.
Control Type: Technology

A multi-location or multi-region strategy for production environments is employed to permit the resumption of operations at other [The Organization] facilities in the event of the loss of a facility.
Control Type: Technology

[The organization] allocates audit record storage capacity in accordance with logging storage and retention requirements. Audit logs are retained for at least one year, with one year of data immediately available for analysis.
Control Type: Technology

An alert is sent to relevant staff when the audit logging process fails. Failures are addressed to resume system logging.
Control Type: Technology

At least annually, full backups are configured for data stores housing sensitive customer data and personal information. Repeated failed backups are investigated and resolved. Backups are periodically restored to validate the integrity of the backup. Details of the restoration test are logged, including who performed the test, a description, the restored backup, and an integrity check of the restored backup.
Control Type: Technology | SOC 2 (A/S/C): X

Databases are replicated to a secondary database or data center. Alerts are configured to notify administrators if replication fails.
Control Type: Technology | SOC 2 (A/S/C): X

[The organization] provides the specifications of its backup capabilities to its cloud service customers or upon request. Where applicable, the specifications include the scope and schedule of backups, backup methods and data formats, encryption of backup data, retention periods for backup data, integrity verification of backup data, procedures and timescale of data restore, and location of backup data.
Control Type: Process

[The organization]'s backups are securely stored in an alternate location from the source data.
Control Type: Technology

[The organization] periodically backs up emails. Repeated failed backups are investigated and reviewed.
Control Type: Technology

A formal systems development life cycle (SDLC) methodology is in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Control Type: Process | SOC 2 (A/S/C): X

Cloud Service Customers review and monitor changes made by the cloud service provider for appropriateness and any potential impact to the customer's instance.
Control Type: Process

Changes to the service and supporting infrastructure components of the service are authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.
Control Type: Process | SOC 2 (A/S/C): X

System changes are communicated to authorized internal users via a ticketing system or any other documented process.
Control Type: Process | SOC 2 (A/S/C): X

Customers are notified of critical changes that may affect their processing.
Control Type: Process | SOC 2 (A/S/C): X

A configuration management system is in place to ensure that system configurations are deployed consistently throughout the production environment.
Control Type: Technology | SOC 2 (A/S/C): X

A file integrity monitoring (FIM) tool is used to notify system administrators of potential unauthorized changes to the production system.
Control Type: Technology

Access to migrate changes to production is restricted to authorized personnel. All change migrations are tracked, and notifications are sent when changes are migrated to production.
Control Type: Process | SOC 2 (A/S/C): X

Policies governing the appropriate use and installation of software on [the organization] workstations are communicated and reviewed at least annually. Revision histories and review periods are defined within the policies themselves and [the organization]'s Policy Governance Policy.
Control Type: Process | SOC 2 (A/S/C): X

Version control procedures are set up to track dependencies of individual changes and to restore affected system components to their previous state as a result of errors or identified vulnerabilities.
Control Type: Technology

[The Organization] uses mechanisms to detect direct changes to the integrity of customer data and personal information; [the organization] takes action to resolve confirmed unauthorized changes to data.
Control Type: Technology

The cloud service provider identifies the requirements for any utility programs used within the cloud service. Any utility programs used follow the standard change process and cannot be used to override any system controls. Any necessary utility programs that can override system controls have access limited to authorized personnel, and all activity is reviewed for appropriateness at the frequency defined by organization policies.
Control Type: Technology

Physical security measures are in place to restrict and monitor for unauthorized access to the buildings which house sensitive or critical information, information systems, or other network infrastructure. Confirmed incidents are documented and tracked to resolution.
Control Type: Process | SOC 2 (A/S/C): X

The supply of the data centers (e.g. water, electricity, temperature and moisture control, telecommunications and Internet connection) is secured, monitored, maintained and tested at regular intervals. The data center has been designed with automatic fail-safe mechanisms and other redundancies. Maintenance is performed by authorized personnel at designated intervals and targets recommended by the suppliers. Maintenance records are stored for the agreed-upon time intervals and then properly and permanently destroyed thereafter.
Control Type: Technology | SOC 2 (A/S/C): X

Environmental security measures and safeguards are in place to protect the premises or buildings that house sensitive or critical information against environmental threats or threats caused by humans.
Control Type: Process | SOC 2 (A/S/C): X

The cloud service provider informs cloud service customers of the geographical locations of the provider's organization and the countries where the provider can store the customer data.
Control Type: Process

Physical access provisioning to [the organization]'s datacenter requires management approval and documented specification of, but not limited to:
• account type (e.g., standard, visitor, or supplier)
• access privileges granted
• intended business purpose
• visitor identification method, if applicable
• temporary badge issued, if applicable
• access start date
• access duration (with end date)
Control Type: Process

Physical access to premises and buildings related to cloud services that is no longer required in the event of a termination or role change is revoked. If applicable, temporary badges are returned prior to exiting the facility. Access that has not been used for 2 months after approval is automatically withdrawn.
Control Type: Process

[The organization] performs physical access account reviews at least semi-annually; corrective action is taken where applicable.
Control Type: Process | SOC 2 (A/S/C): X

All physical access is managed through monitoring, maintaining records, and escorting (for visitors). Access records (including visitor access records) to the facilities are kept for at least a year.
Control Type: Process

Surveillance feed data is retained for at least 3 months, unless otherwise restricted by law.
Control Type: Technology

Devices that physically capture payment card data are inspected for evidence of tampering at least quarterly.
Control Type: Process

Any positions of cybersecurity functions in [the organization]'s Saudi Data Centers are filled with qualified and suitable Saudi nationals.
Control Type: People

Devices and hardware may only be transferred to external premises after the transfer has been approved by authorized committees or bodies at [the organization]. The transfer takes place securely according to the type of the assets to be transferred.
Control Type: Process | SOC 2 (A/S/C): X

New assets to be installed into the secure premises are approved by authorized committees or bodies at [the organization]. The 'on-boarding' of such assets takes place securely according to the type of the asset.
Control Type: Process | SOC 2 (A/S/C): X

Policies and instructions with technical and organizational safeguards are documented, communicated and describe the maintenance (especially remote maintenance), deletion, updating and re-use of assets in information processing.
Control Type: Process | SOC 2 (A/S/C): X

Policies and documentation are in place to establish a safe and secure work environment. These policies are reviewed at least annually and updated as necessary. Revision histories and review periods are defined within the policies themselves and [the organization]'s Policy Governance Policy.
Control Type: Technology | SOC 2 (A/S/C): X

Access to the premises or buildings, including those which house sensitive or critical information, information systems or other network infrastructure, is secured and monitored by means of physical site access and software authorization controls in order to avoid unauthorized site and data access. Authorized personnel can include employees, customers, suppliers and contractors.
Control Type: Process | SOC 2 (A/S/C): X

Data protection policies are in place to help ensure that confidential, personal and sensitive customer data is properly secured and restricted to authorized personnel. Included are policies on how CUI (Controlled Unclassified Information) data is handled.
Control Type: Process | SOC 2 (A/S/C): X

A formal inventory of production system assets is maintained and reconciled annually.
Control Type: Process | SOC 2 (A/S/C): X

[The Organization]'s assets are labelled in accordance with [the organization]'s standards and have designated owners.
Control Type: Process

The inventory of system assets includes assets of the cloud service provided by the cloud service provider. Cloud service customer data and data derived from the services are explicitly identified by the cloud service provider.
Control Type: Process

[The Organization]'s cloud service provides customers with details of their service functionality, to allow customers to classify and label the information and associated assets.
Control Type: Process

[The organization]'s data classification criteria are reviewed, approved by management, and communicated to authorized personnel at least annually; data security management determines the treatment of data according to its designated data classification level. Revision histories and review periods are defined within the documents themselves and [the organization]'s Policy Governance Policy.
Control Type: Process | SOC 2 (A/S/C): X

Sharing [the organization]'s confidential (non-public) data via messaging technologies (unless permitted by [the organization] for sharing of such data), social media, and public websites is prohibited.
Control Type: Process

[The organization]'s asset inventory includes in-scope cardholder-related systems, devices, and media.
Control Type: Process

[The Organization] maintains an inventory of authorized wireless access points, including a documented business justification.
Control Type: Technology

[The organization] has a support system to manage customer issues, including system information on failures, incidents, concerns, and other complaints.
Control Type: Process | SOC 2 (A/S/C): X

A data flow diagram is documented and maintained for data that is processed (analyzed, stored, transmitted, etc.) within the services' applications and infrastructure network and systems. The data flow diagram is reviewed at least annually or at the frequency defined by organization policies, and any changes are updated in the diagram.
Control Type: Process | SOC 2 (A/S/C): X

Data classified as Customer Data and any Personal Data attributable to the customer is prohibited from being used or stored in non-production systems or environments. If Customer Data needs to be used for staging and research environments, then the customer data must be anonymized. If customer data cannot be anonymized, customers shall be notified of such use, and such environments shall be protected in accordance with applicable policies and standards for such data.
Control Type: Process | SOC 2 (A/S/C): X

[The Organization] only transfers Customer Personal Data to a country outside of the European Economic Area (EEA) if this was agreed upon as part of a Cloud Service Agreement with customers. All transfers and agreements meet GDPR requirements.
Control Type: Process

Formal retention and disposal procedures are in place to guide the secure retention and disposal of [the organization] data.
Control Type: Process | SOC 2 (A/S/C): X

Electronic media containing confidential information is purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
Control Type: Technology | SOC 2 (A/S/C): X

Customer data containing confidential and personal information is purged or removed from the application environment (including backups and data shared with other Offer/Products) upon customer request, according to [the organization] policy and/or contractual obligations.
Control Type: Process | SOC 2 (A/S/C): X

Formal retention and disposal procedures are in place to guide the secure retention and disposal of customer and personal data.
Control Type: Process | SOC 2 (A/S/C): X

If the cloud service offers functions for software-defined networking (SDN), the service uses suitable SDN procedures to ensure the confidentiality of the cloud user data.
Control Type: Technology

Hardcopy materials containing confidential information are purged or destroyed in accordance with [the organization] policy, such as by cross-cutting, shredding, incinerating, pulping, etc.
Control Type: Process

The cloud service provider provides the cloud service customer with information on the IPv6 support status of the service provided by the cloud service provider.
Control Type: Process

Cryptographic key owners formally acknowledge that they understand and accept their key owner responsibilities upon hire and at least annually thereafter.
Control Type: Process

Key management procedures are documented, reviewed at least annually, and define the following processes, but not limited to:
- Prevent unauthorized substitution of cryptographic keys
- Specify how to generate strong keys
- Specify how to securely distribute keys
- Requirements for cryptographic key changes for keys that have reached the end of their cryptoperiod
- Requirements for retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened
- Store secret and private keys used to encrypt/decrypt data
- Securely store cryptographic keys in the fewest possible locations

Revision histories and review periods are defined within the documents themselves and [the organization] Policy Governance Policy.
Control Type: Process

[The organization] issues public key certificates under an approved certificate authority or obtains public key certificates from an approved service provider.
Control Type: Technology

[The Organization] communicates to its cloud service customers when cryptography is used to protect the customer data, and provides information and cryptographic technologies for cloud service customers to use.
Control Type: Process

Portable and removable media devices are encrypted (as per the defined organization policies) or monitored when in use. For NIST, FedRAMP, and CMMC, a FIPS 140-2 encryption method is used to protect data at rest and in transit.
Control Type: Technology | SOC 2 (A/S/C): X

Approved cryptographic algorithms and methods are used for securing assets with confidential, personal, and sensitive data both at rest and in transit over public networks. For NIST, FedRAMP, and CMMC, a FIPS 140-2 cryptography method is used to protect data at rest and in transit.
Control Type: Technology | SOC 2 (A/S/C): X

Access to the cryptographic keystores is limited to authorized personnel.
Control Type: Process

[The Organization] restricts personal account number (PAN) data such that only the first six and last four digits are displayed; authorized users with a legitimate business need may be provided the full PAN.
Control Type: Technology

Where full disk encryption is used, logical access is managed independently of operating system authentication; decryption keys are not associated with user accounts.
Control Type: Technology

Storage of data encryption keys that encrypt or decrypt cardholder data meets at least one of the following:
• the key-encrypting key is at least as strong as the data-encrypting key and is stored separately from the data-encrypting key
• keys are stored within a secure cryptographic device (such as a host security module (HSM) or PTS-approved point-of-interaction device)
• keys are stored as at least two full-length key components or key shares
Control Type: Technology

Cryptographic keys are invalidated when compromised or at the end of their defined lifecycle period.
Control Type: Process

[The Organization] changes shared data encryption keys:
- at the end of the [organization-defined lifecycle period]
- when keys are compromised
- upon termination/transfer of employees with access to the keys
Control Type: Process

If applicable, manual clear-text cryptographic key-management operations are managed using split knowledge and dual control.
Control Type: Process

Network and system hardening standards are documented, implemented, and reviewed at least annually. These standards are deployed to all networks and production systems. Revision histories and review periods are defined within the documents themselves and [the organization] Policy Governance Policy.
Control Type: Technology | SOC 2 (A/S/C): X

The network perimeter is controlled by security gateways. For cross-network access, the access authorization is based on the security requirements of the cloud customers.
Control Type: Technology

When applicable, hardware devices are used for the establishment and use of virtual private networks.
Control Type: Technology

A documented Information Security Management System Risk Assessment Methodology is in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, mitigation strategies for those risks, documentation and communication of those risks, as well as possible vulnerabilities within the cloud service provider and their impacts. Upper management, or its designated representative(s), owns this methodology and is responsible for its adherence.
Control Type: Process | SOC 2 (A/S/C): X

Risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes risk mitigation strategies and acceptance levels based on [the organization] risk criteria. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives. The results of the risk assessment are reviewed by leadership at least annually.
Control Type: Process | SOC 2 (A/S/C): X

As part of their risk assessment, cloud service


providers review the risks associated with customer
Process
supplied software within the cloud services
Offer/Product by the provider.

As part of their risk assessment, [the organization]


determines the data types that can be shared with a Process
managed service provider.
Management has established defined roles and
responsibilities to oversee the implementation of the People X
security and control environment.
The Board of Directors provides corporate oversight, strategic direction, and review of management for [the organization]. The Board of Directors meets at least quarterly and has 5 sub-committees:
• Audit Committee
• Compensation and Management Development Committee
• Nomination and Governance Committee
• Acquisition Committee
• Finance Committee
People X

The Audit Committee is governed by a Charter, is independent from [the organization]'s Management, is composed of outside directors (Industry Experts), and meets at least quarterly. The Audit Committee oversees:
• Financial Statement Quality
• Enterprise Risk Management
• Regulatory & Legal Compliance
• Internal Audit Functions
• Information Security Functions
• External Audit Functions
People X

[The Organization] identifies geographies with legal and regulatory risks such as embargoed countries. [The organization] shall not operate out of, or have administrators that reside in, such geographies.
Process X

Roles and responsibilities of the cloud computing customers and service providers are defined and agreed on. Included in the agreement are definitions including but not limited to data ownership, Information Security Accountability, access provisioning and approval responsibilities, supplier use, and data backup and recovery responsibilities. Management designates stewardship to a person or group of people to govern these agreements.
People

Management prepares a statement of applicability that includes control objectives, implemented controls, and business justification for excluded controls. Management aligns the statement of applicability with the results of the risk assessment.
Process

The Information Security Management System (ISMS) steering committee conducts a formal management review of ISMS scope, risk assessment activities, control implementation, and audit results at least annually.
Process

[The Organization] has an established security leadership team including key stakeholders in [the organization]'s Information Security Program; goals and milestones for deployment of the information security program are established and communicated to [the organization].
People

Information Security Management System (ISMS) boundaries are formally defined in an ISMS scoping document.
Process

At least annually, [the organization] conducts a staff meeting to communicate and align on relevant security threats, program performance, and resource prioritization.
Process

Information systems security implementation and management is included as part of the budget required to support [the organization]'s security program.
Process

Information security policies are documented and define the information security rules and requirements for the service environment. These policies are reviewed at least annually against current requirements and updated as needed. Revision histories and review periods are defined within the policies themselves and [the organization] Policy Governance Policy.
Process X

Privacy policies are documented and define the information privacy rules and requirements for the service environment. These policies are reviewed according to periodic review requirements and updated as needed. Revision histories and review periods are defined within the policies themselves and [the organization] Policy Governance Policy.
Process

A cloud service customer's information security policy is defined and maintained and is consistent with the organization's acceptable levels of information security risks for its information and other assets. Considerations around information being stored in the cloud computing environment, access management, maintenance, and geographical locations of the cloud service provider's organization are included in the policy.
Process

A cloud service provider's information policy is defined and maintained, and addresses the provision and use of its cloud services. Considerations around baseline information security requirements, multi-tenancy and cloud service customer isolation, access management, communication, lifecycle management of service customer accounts, and communication of breaches are included in the policy.
Process

The cloud service provider provides information to the cloud service customers about the information security capabilities they use. Implementation details about security controls are disclosed as needed.
Process
[The organization]'s policies and standards are reviewed, approved by management, and communicated to authorized personnel at least annually. Revision histories and review periods are defined within the policies and standards themselves and [the organization] Policy Governance Policy.
Process X

A process is in place to request, review, and approve exceptions to policies, standards, and procedures. The assessment of the exception is risk based and the approved exceptions are reviewed at least annually or based on a defined frequency as per the organization policies.
Process

Policies and standards are in place to govern the collection, retention, and usage of metadata (customer usage data). Metadata is only collected for its intended use (e.g., troubleshooting, customer billing, etc.) and only authorized staff have access to the data. Metadata is deleted once its intended collection purpose has been fulfilled.
Process

Roles and responsibilities and a program charter for the governance of PCI DSS compliance within [the organization] are formally documented and communicated by management.
People

If a cloud service provider is not established in a member state of the European Union, and is in the scope for GDPR, it might need to designate a representative or controller in a member state of the European Union as per the local regulatory requirements.
People

The cloud service provider transparently communicates to Customers their adherence to the EU Code of Conduct.
Process

[The Organization] communicates policy violations and policy non-compliance consequences to all [organizational] personnel on a regular basis.
Process X

As part of its annual information security risk assessment, management selects and develops manual and IT general control activities that contribute to the mitigation of identified risks.
Process X

Newly hired personnel are required to pass a background screening check consistent with local jurisdiction as a condition of their employment.
People X

For every candidate that is hired, there is an interview and approval process prior to the candidate receiving an offer.
People X

[The Organization] conducts screening and rescreening of authorized personnel for roles that require national security clearances. For national security clearances, a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and the 15th year for confidential security clearance. In addition, for law enforcement and high impact public trust level, a reinvestigation is required during the 5th year.
People

As part of their onboarding process, contingent workers are required to sign [The Organization]'s Confidential Information Agreement: Individuals (Suppliers, Contractors, Independent Contractors, Consultants, and Partners), which includes the Supplier and Independent Consultant Job Practice and Behavior Guide outlining expected behavior regarding data and information system usage. This agreement prohibits any disclosure of information and other data to which the employee has been granted access.
People X

[The Organization]'s employees are required to sign a non-disclosure agreement (PIIA) upon hire. This agreement prohibits any disclosure of information and other data to which the employee has been granted access. [The Organization]'s employees in jurisdictions where PIIA is not applicable are required to sign Offer/Product letters that outline clauses relevant to non-disclosure.
Process X

[The Organization] maintains a Code of Conduct, which describes employee responsibilities and expected behavior regarding data and information system usage. [The Organization] employees acknowledge that they have read and agree to the Code of Conduct as part of their onboarding process.
Process X

[The Organization] has established a check-in performance management process for on-going dialogue between managers and employees. Based on the frequency defined by the organizational policies, reminders are sent to managers to perform their regular check-in conversation.
People X

[The Organization] is required to enable leaders and their team members to maintain continual communication which facilitates 360-degree feedback by using tools or other mechanisms.
Process X

Where applicable, authorized [The Organization] personnel enroll mobile devices with the enterprise Mobile Device Management (MDM) solution prior to obtaining access to [the organization] network resources on mobile devices.
Technology X

An organization chart is documented and defines the organizational structure and reporting lines.
People X

[The Organization] has policies regarding the posting of job descriptions for employees supporting the service, which include authorities and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system.
Process X

At least annually, [The Organization] provides resources for information security awareness training to enable [the organization] organizations to assign and track security awareness completion.
People X

Training is provided to employees to support their continued development and growth.
Process X

[The Organization]'s software engineers are required to complete training on secure coding techniques at the frequency defined by the organization's policies.
Process

Where applicable, [the organization] personnel that interact with cardholder data systems receive awareness training to be aware of attempted tampering or replacement of devices. Training needs to include the following at a bare minimum:
• verify the identity of third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
• do not install, replace, or return devices without verification
• be aware of suspicious behavior around devices (e.g., attempts by unknown persons to unplug or open devices)
• report suspicious behavior and indications of device tampering or substitution to authorized personnel (e.g., to a manager or security officer)
Process
A formalized whistleblower policy is established as part of the Code of Conduct and an anonymous communication channel is in place for employees to report potential security issues or fraud concerns.
Process X

Privileged access to in-scope system components and production environments is restricted to authorized and appropriate users only.
Process X

Audit trails are secured through principles of least privilege to prevent unauthorized access or alteration.
Process X

[The Organization] monitors and flags tampering to the audit logging and monitoring tools in the production environment.
Technology

Log data generated allows an unambiguous identification of user accesses at the tenant level to support (forensic) analysis in the event of a security incident.
Technology

Vendor accounts used for remote access are enabled only during the time period needed, disabled when not in use, and monitored while in use.
Process

Where applicable, service providers with remote access to customer premises (e.g., for support of POS systems or servers) use a unique authentication credential (such as a password/phrase) for each customer.
Process

Remote access sessions are logged and event logs are retained for review when required.
Technology
Access to production systems is restricted to authorized employees with a valid multi-factor authentication (MFA) token over an encrypted [virtual private network (VPN)] connection.
Technology X

Logical access provisioning to information systems requires approval from appropriate personnel.
Process X

[The Organization] allows its cloud service customers to manage access to the customer's instance of the cloud service, cloud service functions, and data.
Process

Periodic access reviews are conducted by management for the in-scope system components to ensure that access is restricted appropriately. Tickets are created to remove or modify access as necessary in a timely manner.
Process X

Inappropriate access identified as part of quarterly user access reviews is remediated within 7 days.
Process

Authentication to in-scope systems requires unique ID credentials.
Technology X

Passwords for in-scope system components are configured according to [The Organization]'s policy.
Technology X

Passwords for the corporate Active Directory are configured according to [The Organization]'s policy.
Technology X

[The Organization] provides secure authentication mechanisms (e.g., password, VPN) for customers to access their own instances of [The Organization]'s cloud services.
Process

[The Organization] requires unique identifiers for user accounts and prevents identifier reuse.
Technology X

User accounts are disabled after they have not been used for a period of two months or after a predefined number of failed login attempts. Locked user accounts are automatically removed after six months.
Technology

[The Organization] uses tools, such as inactivity monitoring, to help ensure that sessions with cloud customers are managed, to protect against attacks that can affect [The Organization]'s service commitments.
Technology

Authorized personnel verify the identity of users before provisioning and modifying authentication credentials on their behalf.
Process

Information systems are configured to limit concurrent login sessions and the inactive user interface is not displayed when the session is terminated.
Technology

Information systems are configured to terminate inactive sessions after a set amount of time, or when the user terminates the session.
Technology

Systems leveraged by the U.S. Federal Government present a login screen that displays the following language:
• users are accessing a U.S. Government information system
• system usage may be monitored, recorded, and subject to audit
• unauthorized use of the system is prohibited and subject to criminal and civil penalties
• use of the system indicates consent to monitoring and recording
Technology

Privileged logical access to trusted data environments is enabled through an authorized session manager; session user activity is recorded and tunneling to untrusted data environments is restricted.
Technology

[The Organization] employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
Technology

Supplier-supplied default passwords are changed prior to device installation on [The Organization]'s network or immediately after software or operating system installation.
Technology

Where applicable, collaborative computing devices used at [the organization] are configured to restrict remote activation and provide an explicit indication that they are in use.
Technology

All successful login accesses and failed attempts are logged. Upon login success, users are notified of their security obligations immediately upon gaining access.
Technology

Digital signatures include timestamps, use industry standard encryption programs, and are validated to confirm authenticity.
Technology

Where applicable, [the organization] logs at least the following activity for cardholder data environments:
• individual user access to cardholder data
• administrative actions
• access to logging servers
• failed logins
• modifications to authentication mechanisms and user privileges
• initialization, stopping, or pausing of the audit logs
• creation and deletion of system-level objects
• security events
• logs of all system components that store, process, transmit, or could impact the security of cardholder data (CHD) and/or sensitive authentication data (SAD)
• logs of all critical system components
• logs of all servers and system components that perform security functions (e.g., firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, ecommerce redirection servers, etc.)
Technology

[The Organization] uses secure methods and algorithms for saving, displaying, and processing passwords, such as hashing functions, and ensures they are obscured and not displayed in plain text.
Technology

Access control policies are in place and reviewed annually to help manage access to information, applications, and production environments. Revision histories and review periods are defined within the policies and standards themselves and [The Organization] Policy Governance Policy.
Process

Contingent workers are terminated in a timely manner from their contract end date or termination date.
Process X

Upon termination, full-time employee access is revoked for employees in a timely manner.
Process X

Upon termination, management is notified to collect [The Organization] property from terminated employees, and all [The Organization] owned assets are returned within 30 business days.
Process

Upon termination, all privileged access held by a terminated employee is revoked within 48 hours.
Process

The People Resources system sends a notification to relevant personnel in the event of a termination of an employee.
Technology

Upon employee termination, management conducts exit interviews for the terminated employee.
Process

Upon notification of an employee reassignment or transfer, management reviews the employee's access for appropriateness. Access that is no longer required is revoked and documented.
Process

An intrusion detection system (IDS) or intrusion prevention system (IPS) is used to provide continuous monitoring of [The Organization]'s Corporate network and early detection of potential security breaches.
Technology X

Where applicable, the information system performs an integrity check of virtual machine images at startup, restart, shutdown and abort transitional states. The system alerts administrators of any potential discrepancies during integrity verification.
Technology

Networks used by [the organization] to migrate or create virtual machines are logically separated from other networks.
Technology

If virtual machines or containers are provided to customers, the cloud service provider is required to ensure:
- Customers can restrict the selection of images of virtual machines or containers according to their specifications
- The customer is informed of any changes made to previous virtual machine or container versions
- Images are hardened according to generally accepted industry standards
Technology

Where applicable, system components that store cardholder data (such as a database), including payment card collection devices, are stored in an internal network zone, segregated from the DMZ and other untrusted networks. Access is strictly limited to authorized personnel.
Technology

[The organization] components are configured to use Coordinated Universal Time (UTC) and the clocks are synchronized with an external time source. [The organization] further provides cloud service customers, when applicable, information about how the customer can synchronize local clocks with the cloud service clock.
Technology X

Access to modify time data is restricted to authorized personnel.
Technology

Firewalls [or security groups] are used and configured to prevent unauthorized access to the production environment.
Technology X

Firewall rulesets and security groups are reviewed by management at least annually. Change tickets are created to track any firewall modifications as a result of the review.
Process X

Firewall systems consist of two or more layers. Redundant firewall systems are installed.
Technology

Firewalls configure and utilize a DMZ to limit inbound and outbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Technology

Firewalls enable dynamic packet filtering on the network.
Technology

[The Organization] does not disclose private IP addresses and routing information to unauthorized parties.
Technology

The network is segmented to prevent unauthorized access.
Technology X

Customer environments are segregated such that customers only have access to their own environments.
Technology

Production environments are segregated from non-production environments such as development and test environments.
Technology

[The Organization] restricts access to network services via wireless access points to authenticated users and services; approved wireless encryption protocols are required for wireless connections.
Technology
Mobile devices (e.g., laptops, smartphones, tablets) that are used to access data from internal resources are encrypted.
Technology

Where applicable, portable and mobile devices are configured to ensure unnecessary hardware capabilities and functionalities are disabled, and management defined security features are enabled.
Technology

Mobile devices (e.g., laptops, smartphones, tablets) are equipped with violation detectors that notify relevant parties of any tampering that has occurred to the device. Any identified tampering is followed up until resolved.
Technology

Only one primary function per server is implemented within the production environment; the information system maintains a separate execution domain for each executing process.
Technology

At least quarterly, [The Organization] performs an access point mapping exercise to identify and remove unauthorized wireless access points.
Process

[The organization] has deployed technology to protect against or limit the effects of denial of service attacks.
Technology

Sub-systems used for publishing [organization] public announcements or information are protected against threats to which they might be exposed, including but not limited to unauthorized alteration, alternative routing, "cross site scripting" attacks, URL and customer information manipulation, code injection, and user impersonation.
Technology
[The organization] identifies, documents, and complies with the specific purposes for which the PII will be processed.
Process

[The organization] determines, documents and complies with the relevant lawful basis for the processing of PII for the identified purposes.
Process

When consent is the lawful basis for the processing of PII, [the organization] will determine, document, and implement a process by which it can demonstrate and record if, when and how consent for the processing of PII was obtained from PII principals, as well as determine, document, and implement a process to remove consent per the data subject's or their proxy's request.
Process

[The organization] is required to undergo a privacy assessment whenever new PII, new processing of PII or changes to existing processing of PII is planned. In addition, the assessment shall be reviewed, updated and verified before a product is released for production, or annually if no changes in PII, its processing environment, or controls have occurred since the last assessment.
Process

[The organization] has a written contract with any PII processors or controllers that it uses, and shall ensure that their contracts address the implementation of the appropriate controls. The controls include but are not limited to:
A) for notice regarding the processing of their PII or changes to the processing of their PII (including changes in sub-processors, if any)
B) to modify or withdraw their consent (if consent is the lawful basis for processing the PII)
C) objection of the processing of their PII
D) restriction of the processing of their PII
E) to access, correct and/or erase their PII
F) retrieve in a secure manner any PII or user-generated content they have provided [The organization] in human and machine-readable formats
G) to provide in a secure manner a copy of the PII that is processed
H) to handle and respond to legitimate requests from PII principals
Process

[The organization] determines and securely maintains the necessary records in support of its obligations for the processing of PII.
Process
[The organization] determines and documents their legal, regulatory and business obligations to PII principals (data subjects) related to the processing of their PII and provides the means to meet these obligations. These controls include but are not limited to:
A) for notice regarding the processing of their PII or changes to the processing of their PII (including changes in sub-processors, if any)
B) to modify or withdraw their consent (if consent is the lawful basis for processing the PII)
C) objection of the processing of their PII
D) restriction of the processing of their PII
E) to access, correct and/or erase their PII
F) retrieve in a secure manner their PII they have provided [the organization] in human and machine-readable formats
G) to provide in a secure manner a copy of the PII that is processed
H) to handle and respond to legitimate requests from PII principals for PII and provide the means to meet these obligations
Process

[The organization] determines and documents the information to be provided to Customer/Controller and/or PII principals regarding the processing of their PII and the timing of such a provision, and creates a customer ready document detailing this information prior to the offering being released and makes it available, or is prepared to make it available upon request, once [the organization] has been released.
Process

Privacy and protection of personally identifiable information is ensured as required in relevant legislation and regulation where applicable.
Process

[The organization] informs third parties with whom PII has been shared of any modification, withdrawal or objections pertaining to the shared PII, and implements appropriate policies, procedures and/or mechanisms to do so. [The organization] documents the third parties confirming receipt of updating records and use of data per the communication.
Process

[The organization] limits the collection and processing of PII to the minimum that is adequate, relevant, proportional and necessary for the identified purposes.
Process

[The organization] defines and documents data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives. Collection and processing of PII is limited to the minimum that is adequate, relevant, proportional and necessary for the identified purposes.
Process

[The organization] either deletes PII or renders it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s). This includes temporary files created as a result of processing PII.
Process

[The organization] does not retain PII for longer than is necessary for the purposes for which the PII is processed.
Process

[The organization] has documented policies, procedures and/or mechanisms for the access, correction, and disposal of PII.
Process

[The organization] identifies and documents the relevant basis for transfers of PII between jurisdictions, external entities (i.e., third parties), and internal entities.
Process

[The organization] records all requests, all transfers and all disclosures of PII to and from third parties, including what PII has been disclosed, to whom and at what time, for what purpose, and will contractually ensure cooperation with/from those parties to support future requests related to obligations to the PII principals.
Process

[The organization] ensures that PII processed on behalf of a customer is only processed for the purposes expressed in the documented instructions of the customer/controller.
Process

[The organization] determines and maintains the necessary records in support of demonstrating compliance with its obligations (as specified in the applicable contract) for the processing of PII carried out on behalf of a customer/controller.
Process

[The organization] identifies decisions made by any automated processing of PII that can have a legal or similarly significant effect, so that the offering can obtain the Customer/Controller's instruction on how to handle processing of PII to meet legal, contractual, policy, and regulatory requirements associated with automatic decisions.
Process

[The organization] documents and validates that PII is as accurate, complete and up-to-date as is necessary for the purposes for which it is processed, throughout the life-cycle of the PII.
Process

[The organization] subjects PII transmitted (e.g., sent to another organization) over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination.
Technology

[The organization] notifies customers of any legally binding requests for disclosure of customer data or PII.
Process

[The organization] rejects any requests for PII disclosures that are not legally binding, and consults the corresponding customer before making any PII disclosures and accepting any contractually agreed requests for PII disclosures that are authorized by the corresponding customer.
Process

[The Organization] notifies users whether personal information is collected from sources other than the user, and validates the information was collected fairly and lawfully from reliable sources.
Process

[The organization] determines respective roles and responsibilities for the processing of PII (including PII protection and security requirements) with any joint PII controller and ensures that their contracts with any processor or joint PII controllers address the implementation of the appropriate controls.
People

[The Organization] specifies and documents the countries to which PII can possibly be transferred when [The Organization] as the processor/controller is processing PII.
Process

[The Organization] has a dedicated independent data protection officer who is responsible for the following, including but not limited to:
- Reporting to management all issues relating to PII
- Acting as a point of contact for supervisory authorities
- Informing top-level management and employees of the organization of their obligations regarding processing PII
- Reviewing and providing advice on privacy impact assessments conducted by the organization
People

Relevant parties are notified on a timely basis when breaches of PII occur (with details of the breach, consequences of the breach, and resolution taken to resolve the breach), or of any PII transfers between jurisdictions and of any intended changes in this regard.
Process
[The organization] does not use Pll processed under a
contract for the purposes of marketing and advertising
without establishing that prior permission was obtained
Process
from the appropriate Pll principal. [The organization]
does not make providing such consent a condition for
receiving the service.

[The organization] ensures, where relevant, that the contract to process PII addresses [the organization]'s role in meeting the customer/controller's obligations of purpose, minimization, proportionality, security, etc., so that the customer/controller can meet its contracts with its users and the regulations where the data is processed (taking into account the nature of the processing and the information available to [The organization]).
Process

[The organization] determines the respective roles and responsibilities for the processing of PII (including PII protection and security requirements), distinguishing when it is acting on behalf of itself (and does not require instruction from the Customer/Controller), when it is acting as proxy for the Customer/Controller (and does not require additional permission or instruction), and when it requires instruction and permission from the Customer, and ensures that [The organization] resources are appropriately trained.
People

[The organization] does not use PII processed under a contract for purposes other than providing the contracted services without proper permission from the Controller and the PII principals. [The organization] does not make providing such permission a condition for receiving the service.
Process

[The organization] informs the customer/controller if, in its opinion, a processing instruction received from the customer/controller infringes applicable legislation and/or regulation.
Process

[The organization] discloses to the customer/controller, no less than 30 days before use, any use of third parties/subcontractors to process PII, and provides a method for the customer/controller to object to any changes.
Process

[The organization] provides the customer/controller with the appropriate information and access to the necessary controls and mechanisms such that the customer can demonstrate compliance with its obligations.
Technology

[The organization], in the case of having general written authorization, informs the customer/controller of any intended changes concerning the addition or replacement of subcontractors used to process PII, thereby giving the customer/controller the opportunity to object to such changes.
Process

Procedures are in place for customers to request access to their own log records. Upon request, [the organization] provides access to the respective log records.
Process

A documented Privacy Information Security Management System Risk Assessment Methodology is in place that includes guidance on the identification of potential threats related to the processing of PII; rating the significance of the risks associated with the identified threats; mitigation strategies for those risks; documentation and communication of those risks; and possible vulnerabilities within the cloud service provider and their impacts. Upper management, or its designated representative(s), owns this methodology and is responsible for its adherence.
Process

Privacy risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The privacy risk assessment includes risk mitigation strategies and acceptance levels based on [the organization]'s risk criteria, and includes a consideration of risks related to the processing of PII.
Process

As part of its annual privacy risk assessment, management selects and develops control activities that contribute to the mitigation of identified risks.
Process

[The organization] performs PII restoration tests at least annually. Details of each restoration test are logged and include who performed the test, a description of the restored PII, and an integrity check of the restored PII.
Process

Security incident response policies and procedures are documented and communicated to authorized personnel.
Process X

Privacy and human rights incident response policies and procedures are documented and communicated to authorized personnel.
Process

[The Organization] provides incident response resources that offer advice and assistance on handling and reporting security incidents, for all [the organization] employees to use.
Process

All events related to security, confidentiality, and availability are logged, tracked, and evaluated on an ongoing basis to determine whether they could have resulted in a failure to meet security commitments.
Process X

All events related to privacy and human rights are logged, tracked, and evaluated on an ongoing basis to determine whether they could have resulted in a failure to meet privacy and human rights commitments. Events are also reviewed for analysis and trends.
Process

As a cloud service customer, [the organization] has defined its requirements for event logging and verifies that the cloud service meets those requirements.
Process

[The organization] provides logging capabilities to its cloud service customers upon request.
Technology

[The Organization] establishes a process for responding to intellectual property rights complaints. Revision histories and review periods are defined within the policies and standards themselves and in [the organization]'s Policy Governance Policy.
Process

[The Organization] records the following information for confirmed events in the cardholder data environment:
• user identification
• type of event
• date and time
• event success or failure indication
• origination of the event
• identification of affected data, system component, or resource
Technology

A supplier management program is in place. Components of this program include, but are not limited to:
- Maintaining a list of critical third-party suppliers.
- Requirements for third-party suppliers to maintain their own security and privacy practices and procedures.
Process X

For high-dependency suppliers, exit strategies and/or alternative supplier relationships are established.
Process

At least annually, management reviews the controls within third-party assurance reports to ensure that they meet organizational requirements; if control gaps, significant changes, or reported incidents are identified in the assurance reports, management takes action to address the impact the disclosed gaps have on the organization.
Process X

Contracts and agreements with third-party IT outsourced suppliers require that the cybersecurity managed services centers used for monitoring and operations be located entirely inside the Kingdom of Saudi Arabia.
Process

[The Organization] evaluates all National Cybersecurity Authority requests to remove software or services provided by third-party providers for appropriateness, and removes the software or service upon validation of the request.
Process

All incidents related to security, availability, and confidentiality are logged, tracked, resolved, evaluated, and communicated to affected parties by management until [The Organization] has recovered from the incidents.
Process X

All incidents related to privacy are logged, tracked, resolved, assigned a severity level, evaluated, and communicated to affected parties by management until [The Organization] has recovered from the incidents.
Process

[The Organization] has established an incident response plan that is tested at least annually to assess the effectiveness of the incident response program.
Process X

System capacity is evaluated continuously and system changes are implemented to help ensure that processing capacity can meet demand.
Technology X

Critical systems are monitored in accordance with predefined availability criteria, and alerts are sent to authorized personnel.
Technology X

Budgets for infrastructure capacity are established based on analysis of historical business activity and growth projections; purchases are made against the established budget, and plans are updated at least annually.
Process

Master Purchase Agreements (including Master Services Agreements/MSAs, Enterprise Agreements, etc.) agreed between [The Organization] and customers include [The Organization]'s commitments to its customers with respect to the relevant product(s) and service(s) provided by [The Organization].
Process X

Formal, legally approved information sharing agreements are in place with related critical suppliers. These agreements include the confidentiality commitments applicable to that entity.
Process X

Consent is obtained for [The Organization]'s Terms of Service (ToS) prior to collecting customer or personal information.
Process X

Assets of the cloud service customer that are on the cloud service provider's premises are removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement. The return of assets is documented, and information regarding the returned assets is provided to the customer.
Process

[The Organization] does not store the full track credit card data, credit card authentication information, credit card verification code, or credit card personal identification number (PIN) which [The Organization] processes for payment.
Process

Where applicable, when [The organization] manages, stores, or transmits cardholder data on behalf of the customer, it provides written acknowledgement to customers of its responsibility to protect cardholder data and the cardholder data environment.
Process

Where applicable, [The Organization] has managed antivirus deployments and ensures the following:
• signature definitions are updated
• full scans are performed monthly and real-time scans are enabled
• alerts are reviewed and resolved by authorized personnel
Technology X

Anti-malware technology is deployed for environments commonly susceptible to malicious attack, and is configured to be updated routinely, logged, and installed on all employee workstations.
Technology X

[The Organization]'s antivirus deployments generate audit logs which are retained for at least one year, with the data immediately available for analysis.
Technology

Antivirus mechanisms cannot be disabled or altered by users unless specifically authorized by management.
Technology

[The Organization] utilizes sandboxing to detect or block potentially malicious emails.
Technology

Internal and external network vulnerability scans are performed at least monthly. Identified vulnerabilities are assigned for remediation and monitored for closure.
Technology X

Penetration testing is performed at least annually. All discovered vulnerabilities are triaged for criticality and assigned for remediation in accordance with the internal S-Rating and SLAs as defined in the internal Standard S-Rating Classification.
Process X

[The organization] subscribes to relevant security bulletins and email alerts and uses them to monitor emerging technologies and security issues and their impact.
Process

The cloud service provider provides information about the management of technical vulnerabilities that can impact customers.
Process

Existing and emerging software vulnerabilities are detected at least monthly, and a vulnerability scan is included in every code release. Any vulnerabilities identified are assigned a risk rating and are reviewed and remediated accordingly.
Process

The infrastructure supporting the service, and its applications, are patched upon availability as part of routine maintenance and as a result of identified vulnerabilities and supplier-supplied patches, to help ensure that the applications and the infrastructure network and system components supporting the service are hardened against security threats.
Technology X

[The organization] installs security-relevant software and firmware updates per [The Organization] policy, and incorporates flaw remediation into [The Organization]'s configuration management process.
Technology

[The Organization] has prepared a description of the system and its boundaries and has provided this description to internal and external authorized users.
Process X

[The Organization] defines external communication requirements for incidents, including:
• information about external party dependencies
• criteria for notification to external parties as required by [the organization] policy in the event of a security breach
• contact information for authorities (e.g., law enforcement, regulatory bodies, etc.)
• provisions for updating and communicating changes to external communication requirements
Process

The cloud service customer identifies the authorities relevant to the combined operation of the cloud service customer and cloud service provider.
People

[The Organization] maintains software license contracts and monitors its compliance with usage restrictions.
Process

[The Organization] informs its cloud service customers within 72 hours whenever [The Organization]'s internal or external staff read or write cloud customers' data during processing, storage, or transmission. The information regarding the access is sufficiently detailed to enable the client to assess the risks of the access.
Process

Investigation requests from government agencies are subjected to legal assessment by subject matter experts to determine whether the requests have an applicable legal basis and whether [the organization] is required to comply with them.
Process

All trusted connections are documented and approved by authorized personnel; management ensures the following documentation is in place prior to approval:
• agreement with the supplier
• security requirements
• nature of the transmitted information
Process

[The Organization] protects its public information system presence with the following processes: only authorized and trained individuals may post public information, content is reviewed prior to publishing, information on public systems is reviewed periodically, and non-public information is removed from public systems upon discovery.
Process

The cloud service provider informs the cloud service customer of the legal jurisdictions governing the cloud service.
Process

[The Organization] services operating in Saudi Arabia (KSA) are required to conduct penetration tests on their environments at least semi-annually.
Process

[The Organization] conducts penetration tests against cardholder data environments (CDE) that meet the following requirements:
• testing covers the entire CDE perimeter and critical data systems
• testing verifies that CDE perimeter segmentation is operational
• testing is performed from both inside and outside the CDE network
• testing validates segmentation and scope-reduction controls (e.g., tokenization processes)
• network-layer penetration tests include components that support network functions as well as operating systems
• testing is performed with consideration of threats verified on an ongoing basis from external alerts, directives, and advisories
• testing is performed with consideration of vulnerabilities reported through [The Organization]'s incident process on an ongoing basis
• risk ratings are assigned to discovered vulnerabilities, which are tracked through remediation
Process

Legal and regulatory advice is sought regarding the development and implementation of a trusted insider program.
Process

[The Organization] has a dedicated Chief Information Security Officer (CISO) who is responsible for providing guidance on and overseeing the cyber security program at [The Organization]. The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, which meets formally on a regular basis.
People

If applicable, the compromise or suspected compromise of cryptographic equipment or associated keying material is reported to the organization's Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs. Keying material is changed when compromised or suspected of being compromised.
Process

[The organization], when pursuing IRAP, is responsible for identifying a sponsor.
Process

Customer and personal information is monitored for data spillage. In the event of a data spill, the event is assessed for impact and the data is immediately removed, or access to the data is restricted.
Process

Authentication and authorization for the use of IP phones and video conferencing follow the requirements below:
• Video conferencing and IP telephony traffic use an encrypted and non-replayable authentication scheme.
• Authentication and authorization are in place for all call-related activities, such as individual logins for IP phones, call setup, changing settings, and accessing voicemail.
• IP phones are configured to authenticate to the call controller upon registration. Auto-registration, along with all other unused and prohibited functionality, is disabled.
• Unauthorized devices are blocked by default.
Technology

Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations.
Technology

A fax machine and multi-function device (MFD) policy is implemented and includes the following requirements:
• Separate fax machines and MFDs are used for sending classified information.
• Messages are encrypted to an appropriate level depending on the sensitivity of the information.
• The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent, and for the receiver to notify the sender if the fax message does not arrive within an agreed amount of time.
• A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorized to operate at the same sensitivity or classification as the network to which the MFD is connected.
• MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network.
• Fax machines and MFDs are located in areas where their use can be observed.
Technology

Mobile devices do not process, store, or communicate SECRET or TOP SECRET data until approved for such use by the ACSC.
Technology

If applicable, personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ACSC-approved platform with a security configuration in accordance with ACSC guidance, and have enforced separation of work data from any personal data.
Technology

Privately-owned mobile devices are prohibited from accessing systems or data before being configured with the appropriate security standards. Privately-owned mobile devices do not access SECRET or TOP SECRET systems or data. Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data.
Technology

Personnel accessing official or classified systems or data using an organization-owned mobile device use an ACSC-approved platform with a security configuration in accordance with ACSC guidance.
Technology

All data on mobile devices is encrypted.
Technology

The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 meters by using class 2 or class 3 Bluetooth devices.
Technology

Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.
Technology

Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.
Technology

If applicable, Bluetooth pairing is performed using Secure Connections, preferably with Numeric Comparison if supported.
Technology

If applicable, Bluetooth pairing is performed in a manner such that connections are only made between the intended Bluetooth devices.
Technology

If applicable, Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use.
Technology

Paging, Multimedia Message Service, Short Message Service, and messaging apps are prohibited for communicating sensitive or classified data.
Technology

Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of the mobile device being observed.
Process

Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.
Technology

Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.
Process

Mobile devices are kept under continual direct supervision when being actively used.
Process

Mobile devices are carried or stored in a secured state when not being actively used.
Process

A mobile device emergency sanitization process, and supporting mobile device emergency sanitization procedures, are developed and implemented.
Process

Personnel are advised of the privacy and security risks when travelling overseas with mobile devices.
Process

If travelling overseas with mobile devices to high/extreme risk countries, personnel are:
• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities
• advised on how to apply and inspect tamper seals on key areas of devices
• advised to avoid taking any personal devices, especially if rooted or jailbroken.
Process

Before travelling overseas with mobile devices, personnel take the following actions:
• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
• update all applications and operating systems
• remove all non-essential accounts, applications and data
• apply security configuration settings, such as lock screens
• configure remote locate and wipe functionality
• enable encryption, including for any media used
• back up all important data and configuration settings.
Process

Personnel take the following precautions when travelling overseas with mobile devices:
• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
• never storing credentials with the devices that they grant access to, such as in laptop bags
• never lending devices to untrusted people, even if briefly
• never allowing untrusted people to connect other devices or media to their devices, including for charging
• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
• avoiding connecting devices to open or untrusted Wi-Fi networks
• using an approved Virtual Private Network to encrypt all device communications
• using encrypted mobile applications for communications instead of using foreign telecommunication networks
• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
• avoiding reuse of media once used with other parties' devices or systems
• ensuring any media used for data transfers is thoroughly checked for malicious code beforehand
• never using any gifted devices, especially media, when travelling or upon returning from travelling.
Process

Personnel report the potential compromise of mobile devices, media or credentials to their organization as soon as possible, especially if they:
• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials
• have devices or media stolen that are later returned
• lose devices or media that are later found
• observe unusual behavior of devices.
Process

Upon returning from travelling overseas with mobile devices, personnel take the following actions:
• sanitize and reset devices, including all media used with them
• decommission any physical credentials that left their possession during their travel
• report if significant doubt exists as to the integrity of any devices following their travel.
Process

If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:
• reset user credentials used with devices, including those used for remote access to their organization's systems
• monitor accounts for any indicators of compromise, such as failed login attempts.
Process

Administrator workstations are placed into a separate network zone from user workstations.
Technology

Management traffic is only allowed to originate from network zones that are used to administer systems and applications.
Technology

Jump servers are used for administrative activities and are prevented from communicating with assets and traffic not related to those administrative activities.
Technology

Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Process

Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.
Process

Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.
Process

Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Process

Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.
Process

Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.
Process

If applicable, high assurance ICT equipment is only patched with patches approved by the ACSC, using methods and timeframes prescribed by the ACSC.
Process

If applicable, web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.
Technology
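A check an application team can run over a response's headers to confirm the three headers above are present with meaningful values, added here as an example and not code from Cisco or the framework. The one-year minimum for the HSTS max-age, the includeSubDomains requirement, and the rejection of inline or wildcard script sources in the CSP are this example's own thresholds, and the two header sets are constructed.

```python
"""Audit a web response's Content-Security-Policy, HSTS and X-Frame-Options
headers (added example; the header sets and the thresholds are assumptions)."""

ONE_YEAR = 31536000  # seconds; assumed minimum Strict-Transport-Security max-age


def parse_csp(value):
    """Turn "default-src 'self'; script-src 'self' cdn.example" into
    {directive: [sources]}; directive names are case-insensitive."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) from an HSTS value."""
    max_age, include_sub = None, False
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            max_age = int(token.partition("=")[2].strip().strip('"'))
        elif token == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_security_headers(headers):
    """Return a list of findings; an empty list means all three headers pass.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script sources allow inline or wildcard scripts")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append("HSTS max-age is below the assumed one-year minimum")
        if not include_sub:
            findings.append("HSTS does not set includeSubDomains")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


# Constructed header sets: a weak response and its corrected form
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_security_headers(hdrs) or ["no findings"])
```

The check only inspects header values; HSTS is honoured by browsers only when received over HTTPS, so the response being audited should come from the TLS endpoint, not a plain-HTTP redirector.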

If applicable, the OWASP Application Security Verification Standard is followed when developing web applications.
Process

Database servers and web servers are functionally separated, physically or virtually.
Technology

If applicable, database servers that require network connectivity are placed on a different network segment from an organization's workstations.
Technology

If only local access to a database is required, the networking functionality of the database management system (DBMS) software is disabled or directed to listen solely on the localhost interface.
Technology

If applicable, Database Management System (DBMS) software is installed and configured according to vendor guidance. All temporary files used for installation are removed after installation is complete, and all unneeded features are disabled.
Technology

If applicable, DBMS software runs as a separate account that follows the least-privilege concept for access rights. The DBMS software does not have the ability to read local files from the server.
Technology

All queries to databases from web applications are filtered for legitimate content and correct syntax.
Technology

Parameterized queries or stored procedures are used for database interaction instead of dynamically generated queries.
Technology

Web applications are designed to provide as little error information as possible to users about database schemas.
Technology
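The three database controls above (input filtering, parameterized queries, and minimal error detail) side by side, as an added example that is not code from Cisco or the framework. It uses the standard-library sqlite3 module as a stand-in for the production DBMS; the accounts table, its rows, the username allow-list pattern and the test inputs are all constructed for illustration.

```python
"""Dynamic SQL beside its parameterized replacement, with input filtering and
error handling that keeps schema details away from users.

Added example, not code from Cisco or the framework; sqlite3 stands in for
the production DBMS, and the table, rows and inputs are constructed.
"""
import re
import sqlite3

# Allow-list for the single input this lookup accepts: 3-32 letters, digits,
# dots or underscores. Anything else is rejected before it reaches the DBMS
# (the 'legitimate content and correct syntax' filter the control describes).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._]{3,32}$")

# Stand-in for the server-side log; database errors go here, never to the user.
SERVER_LOG = []


def build_demo_db():
    """In-memory database holding a constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "user"),
         ("bob", "bob@example.test", "user"),
         ("svc_admin", "admin@example.test", "admin")],
    )
    return conn


def lookup_dynamic(conn, username):
    """The weak pattern the control forbids: input spliced into the SQL text."""
    sql = "SELECT username, email FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: the driver binds the value, so it is only ever data."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_for_user(conn, username):
    """What the web tier returns: rows on success, a generic message on failure."""
    if not USERNAME_RE.match(username):
        SERVER_LOG.append("rejected malformed username %r" % username)
        return {"ok": False, "error": "Request could not be processed."}
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, username)}
    except sqlite3.Error as exc:
        # Full detail stays server-side; the client never sees table or column names
        SERVER_LOG.append("lookup failed for %r: %s" % (username, exc))
        return {"ok": False, "error": "Request could not be processed."}


# Constructed input that turns the dynamic query into
# "... WHERE username = '' OR '1'='1'" and returns every account.
INJECTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_demo_db()
    print("dynamic:", lookup_dynamic(conn, INJECTED_INPUT))
    print("parameterized:", lookup_parameterized(conn, INJECTED_INPUT))
    print("web tier:", lookup_for_user(conn, INJECTED_INPUT))
    print("server log:", SERVER_LOG)
```

Run stand-alone, the dynamic lookup returns all three accounts for the constructed input, the parameterized lookup returns none (the value is compared literally), and the web-tier wrapper rejects it before the query runs and answers with a message that names no table or column. The two layers are independent: binding alone already defeats the injection, and the allow-list additionally keeps malformed input out of the logs and the DBMS.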

Access to non-approved webmail services is blocked.
Technology

Protective markings are applied to all emails containing highly sensitive information. Protective markings are applied manually and not through an automatic tool.
Process

Protective marking tools do not allow users to select protective markings that a system has not been authorized to process, store or communicate.
Technology

Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than the one previously used for the email.
Technology

Email servers are configured to block, log and report emails with inappropriate protective markings. The sender and recipient of blocked emails are notified.
Technology

If applicable, emails containing AUSTEO, AGAO or REL data are only sent to named recipients and not to groups or distribution lists, unless the nationality of all members of the distribution list can be confirmed.
Process

Email is routed through a centralized email gateway. When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via the centralized email gateway.
Technology

Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway.
Technology

Email servers only relay emails destined for or originating from their own domains.
Technology

Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.
Technology

MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers.
Technology

SPF (Sender Policy Framework) is used to specify the authorized email services (or lack thereof) for all domains.
Technology

A hard fail SPF record is used when specifying email servers.
Technology

SPF is used to verify the authenticity of incoming emails.
Technology

Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients.
Technology

DKIM (DomainKeys Identified Mail) signatures are enabled on emails originating from the organization's domains, and received emails are verified. Email distribution list software used by external senders is configured such that it does not break the validity of the sender's DKIM signature. DMARC (Domain-based Message Authentication, Reporting and Conformance) records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks.
Technology
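An auditor's view of the SPF and DMARC controls above (hard-fail SPF records, SPF verification of a sending address, and DMARC policies that reject), as an added example and not code from Cisco or the framework. The TXT records and sending addresses are constructed and use RFC 5737 and RFC 3849 documentation address space; the SPF evaluator is deliberately limited to ip4, ip6 and all mechanisms and raises on anything that would need a DNS lookup, which is this example's simplification rather than a full RFC 7208 check_host.

```python
"""Audit SPF and DMARC TXT records for the settings the email controls above
call for (hard-fail SPF, DMARC p=reject) and run a simplified SPF check.

Added example, not code from Cisco or the framework. The records are
constructed and use RFC 5737/3849 documentation addresses, not real DNS data.
"""
import ipaddress

# SPF qualifier prefixes (RFC 7208) and the result each one yields on a match
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208 default when no prefix is given
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed


def spf_hard_fail(record):
    """True only when the record's final term is '-all' (hard fail for unlisted senders)."""
    terms = parse_spf(record)
    return bool(terms) and terms[-1][:2] == ("-", "all")


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip against the record.

    Simplification (this example's assumption): only ip4, ip6 and all are
    evaluated. include/a/mx/redirect need DNS lookups, so they raise rather
    than silently producing a wrong verdict.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        raise ValueError("mechanism %r needs DNS resolution" % mechanism)
    return "neutral"  # RFC 7208: no match and no 'all' term


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' pairs from a DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def dmarc_rejects(record):
    """True when the policy is p=reject, the setting the control requires."""
    return parse_dmarc(record).get("p", "none").lower() == "reject"


def audit_domain(domain, spf_record, dmarc_record):
    """Return findings for one domain; an empty list means both records comply."""
    findings = []
    if not spf_hard_fail(spf_record):
        findings.append("%s: SPF record does not end in -all" % domain)
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append("%s: DMARC policy is p=%s, not reject" % (domain, policy))
    if tags.get("pct", "100") != "100":
        findings.append("%s: DMARC pct=%s applies the policy to only part of the mail" % (domain, tags["pct"]))
    return findings


# Constructed records for a compliant and a lax domain
SAMPLE_SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SAMPLE_SPF_LAX = "v=spf1 ip4:192.0.2.0/24 ~all"
SAMPLE_DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
SAMPLE_DMARC_LAX = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    print(audit_domain("example.test", SAMPLE_SPF_STRICT, SAMPLE_DMARC_STRICT))
    print(audit_domain("lax.example.test", SAMPLE_SPF_LAX, SAMPLE_DMARC_LAX))
    print(evaluate_spf(SAMPLE_SPF_STRICT, "203.0.113.5"))
```

The audit flags a softfail (~all) record because a receiver is only obliged to mark, not reject, mail that softfails, which is why the control asks for hard fail; it also flags a pct value below 100, since DMARC then applies the reject policy to only a sample of failing mail. Plugging real records in means fetching the TXT records for the domain and for _dmarc.<domain> from DNS, which this offline example leaves to the caller.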

Email content filtering controls are implemented for email bodies and attachments.
Technology

Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway.
Technology

VLANs (Virtual Local Area Networks) are not used to separate network traffic between the organization's networks and public network infrastructure, or between networks belonging to different security domains.
Technology

If applicable, network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces.
Technology

If applicable, network devices managing VLANs belonging to different security domains do not share VLAN trunks.
Technology

Network devices managing VLANs are administered from the most trusted security domain.
Technology

If applicable, IPv6 functionality is disabled for dual-stack network devices and ICT equipment unless it is being used. Network security devices that support IPv6 are used on dual-stack networks.
Technology

If applicable, unless explicitly required, IPv6 tunneling is disabled on all network devices and ICT equipment. IPv6 tunneling is blocked by network security devices at externally-connected network boundaries.
Technology

If applicable, dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner, with lease data stored in a centralized logging facility.
Technology

Servers maintain effective functional separation from other servers, allowing them to operate independently.
Technology

Servers minimize communications with other servers at both the network and file system level.
Technology

Inbound network connections from and outbound network connections to anonymity networks are blocked.
Technology

The administrative interface on wireless access points is disabled for wireless network connections.
Technology

If applicable, default SSID (Service Set Identifiers) of


wireless access points are changed and are enabled on
Technology
all wireless networks. The SSID of a non-public network
not be associated with the organization.

Static addressing is not used for assigning IP addresses on wireless networks.
Technology

MAC (Media Access Control) address filtering is not used to restrict which devices can connect to wireless networks.
Technology

802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication, with all other EAP methods disabled on supplicants and authentication servers.
Technology

Both device and user certificates are required for accessing wireless networks. Device and user certificates are not stored on the same device and are issued on smart cards with access PINs. User or device certificates are protected by encryption.
Technology

If applicable, the PMK (Pairwise Master Key) caching period is not set to greater than 1440 minutes (24 hours).
Technology

Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security.
Technology

WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic.
Technology

Wireless access points enable the use of the 802.11w amendment to protect management frames.
Technology

Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint.
Technology

The effective range of wireless communications outside an organization's area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used.
Technology

All wireless access points are Wi-Fi Alliance certified.
Technology

A cloud service provider is used for hosting online services.
Technology

When using environments that require high availability, Content Delivery Networks that cache websites are used, and the IP address of the web server under the organization's control (the origin server) is not exposed. The origin server is restricted to the CDN and an authorized management network.
Technology

Domain names for online services are protected via registrar locking and by confirming that domain registration details are correct.
Technology

HACE (High Assurance Cryptographic Equipment) is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
Technology

All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.
Technology

All gateways connecting networks in different security domains are operated such that they:
• log network traffic permitted through the gateway
• log network traffic attempting to leave the gateway
• are configured to save event logs to a secure logging facility
• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns.
Technology

Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.
Process

Demilitarized zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarized zones.
Process

System administrator roles for gateway administration are created. Gateway administrators are formally trained to manage gateways.
- All system administrators of gateways are cleared to access the highest level of data communicated or processed by the gateway.
- All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) data are Australian nationals.
- Roles for the administration of gateways are separated.
- For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party.
People

Once connectivity is established, system owners become stakeholders for all connected security domains and are defined as such.
People

Users and services that access the network through a gateway are authenticated. Only authenticated users that are authorized can use the gateway. All ICT (Information and Computer Technology) equipment accessing networks through gateways is authenticated too. Multi-factor authentication is used to access gateways.
Technology

If applicable, when connecting a SECRET or TOP SECRET network to any other network from a different security domain, a cross domain solution (CDS) is implemented.
Technology

If applicable, when designing and deploying a CDS, the ACSC (Australian Cyber Security Centre) is notified and consulted, and directions provided by the ACSC are complied with.
Process

If applicable, when introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS, and directions provided by the ACSC are complied with.
Process

If applicable, a CDS between a highly classified network and any other network implements:
- isolated upward and downward network paths
- protocol breaks at each layer of the OSI model
- content filtering and separate independent security-enforcing components for upward and downward data flows
Technology

If applicable, users are trained on the secure use of a CDS before access to the CDS is granted.
People

If applicable, a representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains.
Process

In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network.
Technology

In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network.
Technology

If applicable, an evaluated diode is used for controlling the data flow of unidirectional gateways between organizations' networks and public network infrastructure.
Technology

If applicable, an evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and public network infrastructure completes a high assurance evaluation.
Technology

If applicable, an evaluated diode is used for controlling the data flow of unidirectional gateways between networks.
Technology

If applicable, an evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and any other network completes a high assurance evaluation.
Technology

An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification.
Technology

An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification.
Technology

A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred.
Technology

All web access (including to internal servers) is conducted through a web proxy. Web proxies authenticate users and provide logging that includes:
• address (uniform resource locator)
• time/date
• user
• amount of data uploaded and downloaded
• internal and external IP addresses.
Technology

A web content filter is used to filter potentially harmful web-based content. Web content filtering controls are applied to outbound web traffic where appropriate.
Technology

Client-side active content, such as Java, is restricted to a list of allowed websites.
Technology

Legal advice is sought regarding the inspection of TLS traffic by internet gateways.
Process

Blacklisting and whitelisting methods are used for web content filters. Methods include:
- A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways.
- If a list of allowed websites is not implemented, a list of allowed website categories or, failing that, a list of blocked websites is implemented instead.
- If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective.
- Attempts to access a website through its IP address instead of through its domain name are blocked.
- Dynamic domains and other domains where domain names can be registered anonymously for free are blocked.
Technology

If applicable, when importing data into a security domain, the data is filtered by a content filter designed for that purpose. Content filters deployed in a CDS (cross domain solution) are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed.
Technology

All suspicious, malicious and active content is blocked from entering a security domain. Suspicious content is blocked until reviewed and approved for transfer by a trusted source other than the originator.
Process

Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behavior.
Technology

Content validation is performed on all data passing through a content filter, with content that fails content validation blocked.
Technology

Content conversion is performed for all ingress or egress data transiting a security domain boundary.
Technology

Content sanitization is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary.
Process

The contents of archive/container files are extracted and subjected to content filter checks.
Process

Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected.
Process

Files that cannot be inspected are blocked and generate an alert or notification.
Technology

If applicable, system owner consultation and legal advice are sought before allowing a targeted cyber intrusion activity to continue on a system for the purpose of collecting further data or evidence.
Process

In the event of a successful targeted cyber intrusion, full network traffic is captured for at least seven days and analyzed to determine whether the adversary has been successfully removed from the system.
Technology

Video and calling infrastructure is hardened and abides by the following requirements:
• Video conferencing or IP telephony traffic flows through a gateway with a video-aware and/or voice-aware firewall.
• Video conferencing and IP telephony calls are established using a secure session initiation protocol.
• Video conferencing and IP telephony traffic is separated physically or logically from other data traffic. Workstations that use video and IP phone traffic use VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.
• If IP phones are used in public areas, their ability to access data networks, voicemail and directory services is prevented.
• Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol.
Technology

Investigators are responsible for maintaining the integrity of evidence gathered during an investigation.
Process

Cloud customers and service providers maintain 24x7 contact details for each other in order to report cyber security incidents. Contact details include additional out-of-band contact details for use when normal communication channels fail.
People

All cyber security incidents are reported to the Australian Cyber Security Centre (ACSC).
Process

Commercial and government gateway services selected by the Australian Cyber Security Centre (ACSC) undergo a joint security assessment by ACSC and Infosec Registered Assessors Program (IRAP) assessors at least every 24 months.
Process

Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months.
Process

Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services.
Technology

Systems processing, storing or communicating Australian, AUSTEO or AGAO data remain at all times in a data center residing in Australia, under the control of an Australian national working for or on behalf of the Australian Government.
People

AUSTEO or AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorized by the Australian Government.
Process

If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation.
Process

When developing a Microsoft Windows SOE (Standard Operating Environment), the 64-bit version of the operating system is used.
Technology

ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems.
Process
The use of Microsoft operating systems and Microsoft supported applications abides by the following best practices:
• If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures.
• If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers.
• The PowerShell version is higher than 2.0 and PowerShell is configured to Constrained Language Mode.
• PowerShell is configured to use module logging, script block logging and transcription functionality.
• PowerShell script block logs are protected by Protected Event Logging functionality.
• If supported, Microsoft’s Attack Surface Reduction rules are implemented.
Technology
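As an added example that is not part of the CCF or of Cisco's material, the following read-only PowerShell audit reports whether the PowerShell and Attack Surface Reduction settings named in this control are in place on a host. The registry paths are the standard Group Policy locations; the function names are this example's own.

```powershell
# Added example (not from the CCF): read-only audit of the PowerShell hardening
# items in the control above. Run in an elevated session on the host being
# assessed. Function names are this example's own; registry paths are the
# standard Group Policy locations for these settings.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy key or value is absent (i.e. not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PowerShellHardening {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # PowerShell 2.0 engine: it lacks script block logging and AMSI, so the
    # control requires it to be absent. Get-WindowsOptionalFeature is the
    # client-SKU cmdlet; on Windows Server use Get-WindowsFeature PowerShell-V2.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 `
            -ErrorAction SilentlyContinue
    $v2Removed = ($null -eq $v2) -or ($v2.State -ne 'Enabled')

    # Language mode of the current session. Constrained Language Mode is
    # normally enforced by an application control policy (WDAC/AppLocker),
    # so this reflects what the audit session itself was granted.
    $clm = $ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage'

    # Logging and transcription policies (1 = enabled).
    $module = (Get-PolicyValue "$pol\ModuleLogging" 'EnableModuleLogging') -eq 1
    $script = (Get-PolicyValue "$pol\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
    $trans  = (Get-PolicyValue "$pol\Transcription" 'EnableTranscripting') -eq 1

    # Protected Event Logging encrypts script block log content with the
    # configured certificate so it is not readable in the clear on the host.
    $pel = (Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging' `
                'EnableProtectedEventLogging') -eq 1

    # Attack Surface Reduction: at least one rule in Block mode (action 1).
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    $asr = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count -gt 0

    @(
        [pscustomobject]@{ Control = 'PowerShell 2.0 engine removed';      Compliant = $v2Removed }
        [pscustomobject]@{ Control = 'Constrained Language Mode in effect'; Compliant = $clm }
        [pscustomobject]@{ Control = 'Module logging enabled';             Compliant = $module }
        [pscustomobject]@{ Control = 'Script block logging enabled';       Compliant = $script }
        [pscustomobject]@{ Control = 'Transcription enabled';              Compliant = $trans }
        [pscustomobject]@{ Control = 'Protected Event Logging enabled';    Compliant = $pel }
        [pscustomobject]@{ Control = 'ASR rules in block mode';            Compliant = $asr }
    )
}

# Print a compliance table; any $false row is an audit finding for this control.
Test-PowerShellHardening | Format-Table -AutoSize
```

The output is evidence for the audit artifact rather than a remediation; the Group Policy objects that set these values remain the authoritative configuration.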

ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers.
Process

Web browsers are configured to block or disable Java, Flash, and web advertisements.
Technology

Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled.
Technology

The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organization approved add-ons.
Technology

Microsoft Office products installed on workstations follow these best practice configurations:
• Microsoft Office is configured to prevent activation of Object Linking and Embedding packages, and is configured to disable Flash content.
• Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
• Microsoft Office macros in documents originating from the internet are blocked.
• Microsoft Office macro security settings cannot be changed by users.
Technology

Applications and operating systems that are no longer supported are updated or replaced with vendor-supported versions.
Technology

If applicable, a formal inventory of authorized RF (radio frequency) and IR (infrared) devices in SECRET and TOP SECRET areas is maintained and regularly audited. Unauthorized RF devices are not allowed to be brought into SECRET and TOP SECRET areas.
Process

If applicable, security measures are used to detect and respond to unauthorized RF devices in SECRET and TOP SECRET areas.
Process

If applicable, Bluetooth and wireless keyboards are not used unless in an RF screened building.
Technology

If applicable, when using infrared keyboards, the following are prevented:
• infrared ports positioned such that line of sight or reflected communications can travel into an unsecured space
• multiple infrared keyboards for different systems being used in the same area
• other infrared devices being used in the same area
• infrared keyboards operating in areas with unprotected windows.
Technology

If applicable, cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority.
Process

If applicable, fiber-optic cables are used for cabling infrastructure instead of copper cables.
Process

If applicable, a cable register is maintained and regularly audited. The register contains the following for each cable:
• cable identifier
• cable colour
• sensitivity/classification
• source
• destination
• location
• seal numbers (if applicable).
Note: Building management cables are labelled with their purpose in black writing on a yellow background, at least 2.5 cm x 1 cm in size. These labels are attached at 5 meter intervals.
Process

If applicable, floor plan diagrams are maintained and regularly audited. Floor plan diagrams contain the following:
• cable paths (including ingress and egress points between floors)
• cable reticulation system and conduit paths
• floor concentration boxes
• wall outlet boxes
• network cabinets.
Process

If applicable, cables are labelled at inspection points with the following requirements:
• Foreign systems' cables installed in Australian facilities are labelled.
• TOP SECRET information systems' cables are red and are fully inspectable for their entire length. Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’.
• SECRET information systems' cables are salmon pink and are fully inspectable for their entire length.
• All other information systems' cables (OFFICIAL and PROTECTED information systems) are color coded using any color other than red (TOP SECRET) and salmon pink (SECRET).
• Non-conforming cable colors are banded with appropriate cable colors and are labeled at inspection points.
• Building management cables are labelled with their purpose in black writing on a yellow background, at least 2.5 cm x 1 cm in size. These labels are attached at 5 meter intervals.
• Cables in non-shared government buildings are inspectable every 5 meters.
Process

If applicable, fiber optic cables abide by the following requirements:
• Fibers in the sheath only carry a single cable group, based on the information protection level of the information system (TOP SECRET, SECRET, OFFICIAL and PROTECTED).
• For fiber cables containing subunits, each subunit only carries cables from a single cable group.
Process

If applicable, cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups.
Process

If applicable, in shared facilities, cables are run in an enclosed cable reticulation system.
Process

If applicable, in shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic.
Process

If applicable, in shared facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems.
Process

If applicable, in shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduit runs connected by threaded lock nuts.
Process

If applicable, in shared facilities, TOP SECRET cables are not run in party walls.
Process
If applicable, in shared government facilities, where wall penetrations exit a TOP SECRET area into a lower classified space, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound.
Process

If applicable, in shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound.
Process

If applicable, cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.
Process

If applicable, wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different systems.
Process

If applicable, cabling boxes meet the following requirements:
• Different cable groups do not share a wall outlet box.
• Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.
• OFFICIAL and PROTECTED wall outlet boxes are colored neither salmon pink nor red.
• Wall outlet box covers are clear plastic.
• SECRET wall outlet boxes are colored salmon pink.
• TOP SECRET wall outlet boxes are colored red.
Process

If TOP SECRET fiber-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier.
Process

If applicable, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet.
Process

If applicable, in TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet.
Process

If applicable, in TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet.
Process

If applicable, cables are terminated in individual cabinets, or, for small systems, in one cabinet with a division plate to delineate cable groups.
Process

If applicable, TOP SECRET cables are terminated in an individual TOP SECRET cabinet.
Process

If applicable, different cable groups do not terminate on the same patch panel.
Process

If applicable, there is a visible gap between TOP SECRET cabinets and cabinets of lower classifications.
Process

If applicable, TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets.
Process

Where spatial constraints demand that patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:
• a physical barrier in the cabinet is provided to separate patch panels
• only personnel holding a Positive Vetting security clearance have access to the cabinet
• approval from the TOP SECRET system’s authorizing officer is obtained prior to installation.
Process

When penetrating a TOP SECRET audio secured room, ASIO (Australian Security Intelligence Organization) is consulted and all directions provided are complied with.
Process
If applicable, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.
Technology

If applicable, in TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.
Technology

If applicable, system owners deploying SECRET or TOP SECRET systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
Process

If applicable, system owners deploying OFFICIAL or PROTECTED systems with RF transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
Process

If applicable, system owners deploying SECRET or TOP SECRET systems in shared facilities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
Process

If applicable, system owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice.
Process

If applicable, system owners deploying systems or military platforms overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
Process

An emanation security threat assessment is sought as early as possible in a project’s life cycle, as emanation security controls can have significant cost implications.
Process

If applicable, ICT (Information and Computer Technology) equipment meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility.
Technology

A Telephone Systems policy exists and covers the following requirements:
• Personnel are made aware of the sensitivity of information that they may discuss, along with their classification levels.
• Personnel are made aware of the security risks of non-secure lines.
• Telephone lines that permit different levels of conversation have a visual indicator.
• Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.
• Cordless telephone systems are not used for sensitive or classified conversations.
• Traditional analog phones are used in public areas.
Process

Telephone systems are configured to meet the following requirements, based on the classification of information able to be discussed:
• Speakerphones are not used in TOP SECRET areas unless the telephone system is located in a room rated as audio secure and only personnel involved in discussions are present in the room.
• In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorized for the transmission of TOP SECRET information.
• In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements.
• Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorized for communicating.
• IP phone and video conferencing workstations match the data classification level of their area.
• Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas or non-TOP SECRET workstations in TOP SECRET areas.
Technology

When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures.
Process

High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC. High assurance ICT equipment is only operated in an evaluated configuration.
Process

An ICT equipment management policy is developed and implemented.
Process

ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating.
Process

ICT equipment and media are labelled with protective markings reflecting their sensitivity or classification.
Process

The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment.
Process

ICT equipment is handled in a manner suitable for its sensitivity or classification.
Process

The ACSC’s approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment.
Process

If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:
• is appropriately cleared and briefed
• takes due care to ensure that data is not disclosed
• takes all reasonable measures to ensure the integrity of the ICT equipment
• has the authority to direct the technician
• is sufficiently familiar with the ICT equipment to understand the work being performed.
People

Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorized modifications have taken place.
Process

Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate the ICT equipment with its original use are removed prior to disposal.
Process

When disposing of ICT equipment that has been designed or modified to meet emanation security standards, the ACSC is contacted for requirements relating to its secure disposal.
Process

ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO data is sanitized in situ.
Process

ICT equipment, including associated media, that is located overseas and has processed, stored, or communicated AUSTEO or AGAO data that cannot be sanitized in situ is returned to Australia for destruction.
Process

At least three pages of random text with no blank areas are printed on each color printer cartridge or MFD print drum.
Process

MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller.
Process

Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen.
Process

Printers, MFDs, and fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam.
Process

When unable to sanitize printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices.
Process

Printer ribbons in printers and MFDs are removed and destroyed.
Process

Televisions and computer monitors with minor burn-in or image persistence are sanitized by displaying a solid white image on the screen for an extended period of time.
Process

Televisions and computer monitors that cannot be sanitized are destroyed.
Process

Memory in network devices is sanitized using the following processes, in order of preference:
• following device-specific guidance in evaluation documentation provided by the ACSC
• following vendor sanitization guidance
• loading a dummy configuration file, performing a factory reset and then reinstalling firmware.
Process

The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed.
Process

When transferring data manually between two systems belonging to different security domains, rewritable media is sanitized after each data transfer.
Process

If applicable, volatile media is sanitized by removing power from the media for at least 10 minutes.
Process

If applicable, SECRET and TOP SECRET volatile media is sanitized by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Process

If applicable, the host-protected area and device configuration overlay table of non-volatile magnetic hard drives are reset prior to sanitization.
Process

If applicable, non-volatile magnetic media is sanitized by overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification.
Process

The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten.
Technology

If applicable, non-volatile EPROM media is sanitized by applying three times the manufacturer’s specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification. Non-volatile EEPROM media is sanitized by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Process

Non-volatile flash memory media is sanitized by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification.
Process

The following media types are destroyed prior to disposal:
• microfiche and microfilm
• optical discs/semiconductor memory (using furnace/incinerator, hammer mill, disintegrator, grinder/sander or cutting destruction methods)
• programmable read-only memory
• read-only memory
• other types of media that cannot be sanitized
• faulty media that cannot be successfully sanitized.
Technology

SCEC or ASIO approved equipment is used when destroying media.
Process

If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used.
Process

If applicable, equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm.
Process

Media destroyed using either a hammer mill, disintegrator, grinder/sander or cutting destruction method results in media waste particles no larger than 9 mm.
Process
Magnetic media is destroyed using a degausser with a
suitable magnetic field strength and magnetic Technology
orientation.
A degausser capable of the magnetic orientation
(longitudinal or perpendicular) of the magnetic media Technology
is used.

Any product-specific directions provided by degausser


Process
manufacturers are followed.

If applicable, following destruction of magnetic media


(floppy disks, hard disks, tapes) using degausser
destruction methods, the magnetic media is physically
damaged by deforming the internal platters by any Process
means prior to disposal using either
furnace/incinerator, hammer mill, disintegrator, or
cutting destruction methods.
If applicable, the destruction of media is performed
under the supervision of at least one person cleared to
Process
the sensitivity or classification of the media being
destroyed.
If applicable, the destruction of accountable material is
performed under the supervision of at least two
Process
personnel cleared to the sensitivity or classification of
the media being destroyed.

If applicable, when outsourcing the destruction of


media to an external destruction service, a National
Association for Information Destruction AAA certified Process
destruction service with endorsements, as specified in
ASIO’s PSC-167, is used.

The destruction of media storing accountable material


Process
is not outsourced.

Following sanitization, destruction or declassification, a


formal administrative decision is made to release Process
media, or its waste, into the public domain.

Labels and markings indicating the sensitivity,


classification, owner or any other marking that can
Process
associate media with its original use, are removed prior
to disposal.

Standard operating environments are used for all


workstations and are scanned for malicious content
Process
and configurations before use. These environments are
reviewed and updated at least annually.

Personnel who are contractors are identified as such. [People]

Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality. [People]

Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them. [Process]

Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective security controls are in place to ensure such data is not accessible to them. [Process]

Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories. [People]

Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data. [People]

Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data. [People]

Upon identifying malicious activities, access to systems, applications and data repositories is removed or suspended within 24 hours. [Process]

A secure record is maintained for the life of each system covering: [Technology]
• all personnel authorized to access the system, and their user identification
• who provided authorization for access
• when access was granted
• the level of access that was granted
• when access, and the level of access, was last reviewed
• when the level of access was changed, and to what extent (if applicable)
• when access was withdrawn (if applicable).

When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties. [Process]

Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information. [Process]

If applicable, a method of emergency access to systems is documented and tested at least once when initially implemented, and each time fundamental information technology infrastructure changes occur. [Process]

Break glass accounts are only used when normal authentication processes cannot be used and only for specific authorized activities. Use of the break glass account is monitored and audited to confirm that access was appropriate. Once access is no longer required, the access credentials for the break glass account are updated to prevent unauthorized access. Once credentials are changed, the break glass account access is tested. [Process]

Passwords used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters. [Technology]

Service accounts are created as group Managed Service Accounts. [Process]

Authentication methods susceptible to replay attacks are disabled. [Technology]

LAN Manager and NT LAN Manager authentication methods are disabled. [Technology]

Privileged accounts are members of the Protected Users security group. [People]

Credentials are stored separately from systems to which they grant access. [Technology]

Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched. [Technology]

Passwords/passphrases are changed if: [Process]
• they are directly compromised
• they are suspected of being compromised
• they appear in online data breach databases
• they are discovered stored in the clear on a network
• they are discovered being transferred in the clear across a network
• membership of a shared account changes
• they have not been changed in the past 12 months.

A system administration process, with supporting system administration procedures, is developed and implemented. [Process]

Privileged users use separate privileged and unprivileged operating environments for performing tasks. [Technology]

Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations. [Technology]

File-based access controls are applied to database files. [Technology]

Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm. [Technology]

Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. [Technology]

Access to systems, data repositories, and applications is automatically disabled after 45 days of inactivity. [Technology]

When accessing an organization's network via a VPN connection, split tunnelling is disabled. [Technology]

Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot modify, delete, or access other accounts' backups or their own account's backups. [Process]

Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorized as such by an organization's Chief Information Security Officer. [Process]

Access changes and changes to privileged accounts and groups are logged. [Technology]

Backup administrators (excluding backup break glass accounts) are prevented from modifying or deleting backups. [Technology]

Privileged service accounts are prevented from accessing the internet, email and web services. [Technology]

Privileged operating environments are not virtualized within unprivileged operating environments. [Technology]

Privileged access to systems, data repositories, and applications is automatically disabled after 12 months unless revalidated. [Technology]

Passphrases used for single-factor authentication have the following requirements: [Technology]
- minimum of 14 characters with complexity, ideally as 4 random words.
- on SECRET systems are at least 5 random words with a total minimum length of 17 characters.
- on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters.

A media management policy is developed and implemented. [Process]

A removable media usage policy is developed and implemented. [Process]

Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured. [Process]

In order to reclassify media to a lower sensitivity or classification, the media is sanitized (unless the media is read-only) and a formal administrative decision (in consultation with data owners) is made to reclassify the media. [Process]

All data stored on media is encrypted. [Process]

Media is only used with systems that are authorized to process, store or communicate the sensitivity or classification of the media. [Technology]

Any automatic execution features for media are disabled in the operating system of systems. [Technology]

Removable media is prevented from being written to via the use of device access control software if there is no business requirement for its use. [Technology]

When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured. [Process]

Where a consumer guide for evaluated encryption software exists, the sanitization and post-sanitization requirements stated in the consumer guide are followed. [Process]

Operating system hardening practices are performed. Practices include: [Process]
• Unused operating system accounts are disabled.
• Standard user roles do not have elevated privileges to modify security functionality or execute PowerShell and other scripting tools.
• Scripting tools and code execution are disabled for applications installed on all workstations and servers unless authorized.
• Local administrator accounts are disabled.
• Unique domain accounts with local administrator access are used to make workstation and server changes.

If applicable, application controls are implemented and follow these best practices: [Process]
• Application controls are implemented using cryptographic hash rules, publisher certificate rules or path rules and are validated at least annually.
• Users (other than privileged users) are not exempt and cannot change or remove application controls.

If applicable, when implementing application control using publisher certificate rules, both publisher names and product names are used. [Technology]

If applicable, application control is configured to generate event logs for failed execution attempts, including the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file. [Technology]

A Host-based Intrusion Prevention System is installed on all workstations and high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers. [Technology]

External interfaces of workstations and servers that allow DMA are disabled. [Technology]

If applicable, when using a software-based isolation mechanism to share a physical server's hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism. [Technology]

If applicable, when using a software-based isolation mechanism to share a physical server's hardware for SECRET or TOP SECRET workloads, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain. [Technology]

If applicable, encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organization wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive data. [Technology]

If applicable, encryption software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data. [Technology]

HACE (High Assurance Cryptographic Equipment) is used when encrypting media that contains SECRET or TOP SECRET data. [Technology]

HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition. [Technology]

In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO data when at rest on a system. [Technology]

Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive data over public network infrastructure and through unsecured spaces. [Technology]

Cryptographic equipment or encryption software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure. [Technology]

In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO data when communicated across network infrastructure. [Process]

Only AACAs (ASD Approved Cryptographic Algorithms) or high assurance cryptographic algorithms are used by cryptographic equipment and software. [Technology]

If applicable, ECDH and ECDSA are used in preference to DH and DSA. [Technology]

If applicable, when using DH for agreeing on encryption session keys: [Technology]
- a modulus of at least 2048 bits is used.
- a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.

If applicable, when using DSA for digital signatures: [Technology]
- a modulus of at least 2048 bits is used.
- a modulus and associated parameters are generated according to FIPS 186-4.

If applicable, when using elliptic curve cryptography, a curve from FIPS 186-4 is used. [Technology]

If applicable, when using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used. [Technology]

If applicable, when using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used. [Technology]

When using RSA for digital signatures and session keys, a modulus of at least 2048 bits is used, and the key pair used for passing encrypted session keys is different from the key pair used for digital signatures. [Technology]

Symmetric cryptographic algorithms are not used in Electronic Codebook Mode. [Technology]

If applicable, 3DES is used with three distinct keys. [Technology]

If applicable, AACAs used by HACE are implemented in an ASD approved configuration, with preference given to CNSA Suite algorithms and key sizes. [Technology]

If applicable, preference is given to using the CNSA Suite algorithms and key sizes. [Technology]

Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software. [Technology]

If applicable, when using Transport Layer Security, communication systems follow these requirements: [Technology]
- The latest version of TLS is used.
- AES in Galois Counter Mode is used for symmetric encryption.
- Only server-initiated secure renegotiation is used.
- DH or ECDH is used for key establishment. The ephemeral variant is used and anonymous DH is not used.
- SHA-2-based certificates are used.
- Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function.
- PFS is used for TLS connections. TLS compression is disabled.

SSH deployments have SSH version 1 disabled and use public key-based authentication for connections. When SSH-agent or other similar key caching programs are used, they are used only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required. [Technology]

If applicable, the following configuration settings are implemented for the SSH daemon: [Technology]
• only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
• have a suitable login banner (Banner x)
• have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)
• disable host-based authentication (HostbasedAuthentication no)
• disable rhosts-based authentication (IgnoreRhosts yes)
• disable the ability to login directly as root (PermitRootLogin no)
• disable empty passwords (PermitEmptyPasswords no)
• disable connection forwarding (AllowTCPForwarding no)
• disable gateway ports (GatewayPorts no)
• disable X11 forwarding (X11Forwarding no).
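To make the SSH daemon settings above auditable, here is an added example (not part of the CCF or any Cisco tooling) that parses an OpenSSH sshd_config and reports which of the listed settings are not met. The two sample configs are constructed, the built-in defaults assume a recent OpenSSH release, and directives inside Match blocks are not evaluated.

```python
"""Audit an OpenSSH sshd_config against the SSH daemon settings listed above."""
import re

# Effective OpenSSH defaults when a keyword is absent (assumption: OpenSSH 7.x or later).
DEFAULTS = {
    "logingracetime": "120",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "x11forwarding": "no",
    "pubkeyauthentication": "yes",
}

# Values the control requires (keywords lower-cased, as sshd treats them case-insensitively).
REQUIRED = {
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
    "pubkeyauthentication": "yes",
}

WILDCARD_LISTEN = {"0.0.0.0", "::", "*"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_config(text):
    """Return {keyword: [values...]} for global directives.

    sshd honours the first occurrence of a keyword, so values[0] is the
    effective one; ListenAddress is the exception and accumulates.
    Parsing stops at the first Match block, whose directives are conditional.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        directives.setdefault(key, []).append(value)
    return directives


def seconds(value):
    """Parse an sshd time value such as '60', '2m' or '1h30m' into seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def effective(directives, key):
    values = directives.get(key)
    return values[0].lower() if values else DEFAULTS.get(key)


def check_sshd_config(text):
    """Return a list of findings; an empty list means every listed setting is met."""
    d = parse_sshd_config(text)
    findings = []
    addrs = []
    for v in d.get("listenaddress", []):
        addr = v.split()[0]
        if addr.startswith("["):               # [ipv6]:port form
            addr = addr[1:].split("]")[0]
        elif addr.count(":") == 1:             # ipv4:port form
            addr = addr.split(":")[0]
        addrs.append(addr)
    if not addrs:
        findings.append("listenaddress: not set, sshd listens on all interfaces")
    elif any(a in WILDCARD_LISTEN for a in addrs):
        findings.append("listenaddress: wildcard address listens on all interfaces")
    banner = effective(d, "banner")
    if banner is None or banner == "none":
        findings.append("banner: no login banner configured")
    grace = seconds(effective(d, "logingracetime"))
    if grace == 0 or grace > 60:               # 0 means no limit in sshd
        findings.append(f"logingracetime: {grace}s exceeds the 60s maximum")
    for key, want in REQUIRED.items():
        got = effective(d, key)
        if got != want:
            findings.append(f"{key}: expected {want}, effective value is {got}")
    if "protocol" in d and "1" in d["protocol"][0].split(","):
        findings.append("protocol: SSH version 1 is enabled")
    return findings


# Constructed samples; not taken from any real host.
WEAK_CONFIG = """Port 22
PermitRootLogin yes
X11Forwarding yes
LoginGraceTime 2m
"""

HARDENED_CONFIG = """ListenAddress 192.0.2.10
Banner /etc/issue.net
LoginGraceTime 60
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PubkeyAuthentication yes
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_sshd_config(cfg) or "all listed settings met")
```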

If applicable, versions of Secure/Multipurpose Internet Mail Extension (S/MIME) earlier than 3.0 are not used. [Technology]

If applicable, IPsec configuration and usage abide by these requirements: [Technology]
- Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used. PFS is used for all IPsec connections.
- The ESP protocol is used for IPsec connections.
- IKE is used for key exchange when establishing an IPsec connection. If using ISAKMP in IKE version 1, aggressive mode is disabled.
- A security association lifetime of less than four hours, or 14400 seconds, is used.
- HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as the HMAC algorithm.
- The largest modulus size possible for all relevant components in the network is used when conducting a key exchange.
- The use of XAuth is disabled for IPsec connections using IKE version 1.

All communications security and equipment-specific doctrine produced by the ACSC for the management and use of HACE is complied with. [Process]

If applicable, cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the data the cryptographic equipment processes. [Process]

Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area. [Process]

A list of allowed content types is implemented. The integrity of content is verified where applicable and blocked if verification fails. If data is signed, the signature is validated before the data is exported. [Technology]

All encrypted content, traffic and data is decrypted and inspected to allow content filtering. [Technology]

If applicable, an evaluated peripheral switch is used when sharing peripherals between systems. [Technology]

An evaluated peripheral switch used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems completes a high assurance evaluation. [Technology]

If applicable, an evaluated peripheral switch used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably completes a high assurance evaluation. [Technology]

If applicable, an evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains. [Technology]

If applicable, an evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO data and a system of the same classification that is not authorized to process the same caveat. [Technology]

When exporting data from a SECRET to TOP SECRET system, the following activities are undertaken: [Process]
• protective marking checks
• data format checks and logging
• monitoring to detect overuse/unusual usage patterns
• limitations on data types and sizes
• keyword searches on all textual data.

A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems. [Process]

When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator. [Process]

Data transfer logs are used to record all data imports and exports from systems. Transfer logs are fully and partially audited at least monthly. [Technology]

Partial restoration of backups is tested on a quarterly basis, and full restoration of backups is tested initially and each time a fundamental information technology infrastructure change occurs. [Process]

Backups are stored offline or in a non-writable manner and are stored at multiple geographically-dispersed locations. [Technology]

Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia's Administrative Functions Disposal Authority Express Version 2 publication. [Process]

DNS and proxy logs are retained for at least 18 months. [Process]

Policies governing event logs are communicated and reviewed periodically. Revision histories and review periods are defined within the policies themselves and [The Organization]'s Policy Governance Policy. [Process]

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications. [Technology]

A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, operating systems of workstations and servers and network devices, and security products. [Technology]

When identified, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage. [Technology]

Unauthorized removable media and devices are prevented from being connected to workstations and servers via the use of device access control software or by disabling external communication interfaces in operating systems. [Technology]

The resulting media waste particles from the destruction of TOP SECRET media are stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm. [Technology]

Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled. [Technology]

Where applicable, internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. [Technology]

When identified, planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised. [Technology]

The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD Approved Cryptographic Protocol. [Technology]

The resulting media waste particles from the destruction of SECRET media are stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm. [Technology]

PDF software is blocked from creating child processes. [Technology]

Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services, office productivity suites, web browsers, extensions, email clients, PDF software, operating systems of workstations and internet facing services, and security products are applied within two weeks of release, or within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month. [Technology]

Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned. [Technology]

Microsoft's 'recommended driver block rules' are implemented. [Technology]

Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View. A list of trusted publishers is validated on an annual basis. [Technology]

Microsoft Office macros can only be executed by authorized users with a valid business requirement, and only macros that are running from a trusted location and issued by a trusted publisher are allowed to execute. [Technology]

Microsoft Office macros are blocked from making Win32 API calls. [Technology]

Microsoft Office macro event logs are centrally stored and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected. [Technology]

Microsoft Office macro antivirus scanning is enabled. [Technology]

Microsoft Office is blocked from creating child processes, creating executable content, and injecting code into other processes. [Technology]

Internet Explorer 11 is prohibited from being used. [Technology]

If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag. [Process]

Execution of drivers, executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is limited to an organization-approved set. [Technology]

Electrostatic memory devices are destroyed using either furnace/incinerator, hammer mill, disintegrator or grinder/sander destruction methods. [Process]

Blocked PowerShell script executions are logged, and event logs are centrally stored and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected. [Technology]

Allowed and blocked Microsoft Office macro executions are logged. [Technology]

All data transferred from a SECRET or TOP SECRET system to any other system is reviewed and approved by a trusted source. [Process]

A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services and the corresponding operating systems. [Technology]

A software bill of materials is produced and made available to consumers of software. [Process]

A 'security.txt' file is hosted for all internet-facing organizational domains to assist in the responsible disclosure of security vulnerabilities in organizations' products and services. [Technology]

.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed. [Technology]
) Public Release V1.0
requirements of AICPA SOC 2 Trust Services Criteria, ISO/IEC
Infosec Registered Assessors Program (IRAP December 2020),
MAP), Cloud Computing Compliance Controls Catalogue (C5), EU
ent Program (FedRAMP Li-SAAS).

urity compliance standards SaaS products. The CCF is purely


r own compliance regime.

ISO 27701 ISO 27701


SOC 2 Privacy ISO 27001
Processor Controller

w 290.

X X X X
X X X
X X X X
X X
X X X X
X X X X
X X X X

X X X X
X X X X

X X X X
X X X X
X X X X

X X X X
X X X X
X X X X

X X X X
X

X X X X
X X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X
X X X X
X X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X
X X X
X X

X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X

X X X
X X X
X X X X

X X X
X X X X
X X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X

X X X X
X X X X

X X X X

X X X X
X X X X
X X X X

X X X X
X X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X

X X
X X X X
X X X X

X X X X
X X X

X X X X
X X X X
X X X X

X X X X
X X X X
X X
X X X

X X X

X X X
X X X

X X X

X X
X X X

X X X

X X

X X X
X X X X

X X X

X X X

X X X

X X X

X X X
X X X

X X X

X X X X

X X X

X X

X X X
X X

X X

X X

X X

X X

X X X
X X

X X

X X

X X

X X X

X X
X X X

X X

X X X

X X

X X
X X

X X X

X X X X

X X X
X X X X

X X X
X X X X
X X X X
X X X X

X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X
X X X X

X X X X
X X X
X X X X
X X X X

X X X
X
Applicable Criteria

ISO 27017 ISO 27017


ISO 22301 ISO 27018 BSI C5
Provider Customer

X X X X X
X X X

X X X X X
X X X X X

X X

X X
X

X X X X
X X X X X
X X X X X

X X X
X X X X X

X X

X X X X X
X X X X X

X X X X X
X X X X

X X X X
X X X X X

X X X X

X
X X X X X
X X X X X

X X X X X

X X
X

X X X X X
X X X X X
X X X X X

X X X X X
X X X X X

X X X X
X X X X X

X X X X X

X X
X X

X X

X X X X X
X X X X X
X X X X X

X X X X X
X X X X X

X X X X X
X X X X X

X X X X X

X
X

X X X X X
X X X X

X X X

X X X X X
X X X X X

X
X X X X X

X
X X X X X
X X X X X
X X X X X
X X X X
X X X X X
X X X X X

X X X X
X X X X X

X X X X X

X
X X X X X

X
X X X X X

X X

X X
X X

X X
X X X X

X
X X X X X
X X X X X

X X X X X
X X X X X

X X X X X
X X X X X

X X X X X
X X X X

X X X X

X X X X
X X X X

X X X X

X X X X X
X X X X X
X X X X X

X X X X X
X X X X X

X X
X X
X X X X X

X X X X X
X X X

X X X X X

X X X X X
X X X X X

X X X X X

X X X
X X X X X

X X

X
X
X X X X X

X X X X X
X X X X X

X X X X X
X X X

X X X X X
X X X X X

X X X X X
X X X X X
X X X X

X
X X X
X X X

X X X

X
X X X X X

X X

X
X X

X X
X X X X X

X X

X X

X
X

X X

X X X X

X
X X

X X

X X

X
X

X X X

X
X

X X

X X

X X
X

X X X X X

X X
X X X X X

X X
X X X

X X X
X X X X X

X
X X X X X
X X X X X

X
X X X X X

X X X X X
X X X X X

X X X X X
X X X X X

X X X X

X X
X X X X X

X X X X X
X X X X X

X X X X X
X X X X X

X X

X X X X
X X X X X

X X X X
X X X X X

X X X

X X

X X X X
X

X
e Criteria

Fedramp Spanish ENS Spanish ENS Spanish ENS


ISMAP
Tailored Basic Medium High

PCI DSS v3.2.1 | Saudi CCC | IRAP | EU Code of Conduct

Applicable Framework | SOC TSC Common Criteria | SOC TSC Availability | SOC TSC Confidentiality

SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.5, CC2.1, CC2.2, CC2.3, CC3.1, CC3.2, CC4.1, CC5.1, CC5.2, CC5.3
PCI
EU Code of Conduct
ISO 27017 Provider & Customer, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct, IRAP
ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, IRAP
Spanish ENS Medium & High
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC3.2, CC7.4, CC7.5, CC9.1 | A1.2, A1.3
ISO 22301, BSI C5, Fedramp Tailored, ISMAP, Saudi CCC
ISO 22301, BSI C5, Fedramp Tailored, Saudi CCC
Fedramp Tailored, Spanish ENS High, Saudi CCC
Saudi CCC
Spanish ENS Basic, Medium, & High
BSI C5
ISMAP
ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, BSI C5, Spanish ENS Medium, & High, ISMAP, Saudi CCC, IRAP
Fedramp Tailored, Spanish ENS High, ISMAP, PCI, Saudi CCC, IRAP

IRAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC7.4, CC7.5, CC9.1 | A1.2, A1.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, IRAP | CC7.4, CC7.5, CC9.1 | A1.2, A1.3
ISO 27017 Provider, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct, IRAP
PCI
Saudi CCC
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.1, CC6.8, CC7.1, CC8.1
ISO 27017 Customer, BSI C5, Spanish ENS Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.1, CC6.8, CC7.1, CC8.1
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Medium, & High, ISMAP, EU Code of Conduct | CC2.2, CC2.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Medium, & High, ISMAP, EU Code of Conduct, IRAP | CC2.2, CC2.3 | A1.1
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Fedramp Tailored, Spanish ENS Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC3.4, CC7.2
ISO 27017 Provider & Customer, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.1, CC6.1, CC6.8, CC7.1, CC8.1
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.1, CC5.3, CC6.1, CC6.8, CC7.1, CC8.1
BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
PCI
ISMAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.4, CC6.5
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC6.4, CC6.5 | A1.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC6.4, CC6.5 | A1.2
ISO 27017 Provider, BSI C5, ISMAP, IRAP
BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
BSI C5, Fedramp Tailored, ISMAP, PCI, Saudi CCC, IRAP

SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3
Fedramp Tailored, PCI, Saudi CCC, IRAP
PCI
PCI
Saudi CCC
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.5 | A1.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC6.3, CC6.4, CC6.5 | A1.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC6.4, CC6.5 | A1.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct | CC5.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.4, CC6.5
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC5.3 | | C1.1, C1.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.5
ISO 27017 Customer, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
ISO 27017 Provider, BSI C5, ISMAP, Saudi CCC, IRAP
ISO 27017 Provider, BSI C5, ISMAP, Saudi CCC
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.2, CC2.3 | | C1.1
PCI
PCI
PCI
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct | CC2.2, CC2.3, CC3.2, CC6.8, CC7.4, CC7.5
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, ISMAP, PCI, EU Code of Conduct, IRAP | CC2.2, CC6.1
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.3, CC6.7 | | C1.1
EU Code of Conduct
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC5.3, CC6.5 | | C1.1

SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.5 | | C1.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct | CC6.7 | | C1.1, C1.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct | CC5.3, CC6.5 | | C1.1
BSI C5
ISO 27018, Spanish ENS Medium, & High, PCI
ISMAP
PCI
ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP
ISO 27017 Provider & Customer, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP
ISO 27701 Processor & Controller, ISO 27017 Provider, ISO 27018, BSI C5, ISMAP, Saudi CCC, EU Code of Conduct
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.7
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.5, CC6.6, CC6.7, CC6.8 | | C1.1
BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC
PCI
PCI
PCI
PCI
PCI
PCI
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC5.3
BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
Spanish ENS High
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC3.1, CC3.2, CC3.3, CC3.4, CC5.1, CC5.2, CC5.3, CC9.1
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.1, CC2.3, CC3.1, CC3.2, CC3.3, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2, CC5.3, CC7.2, CC9.1

ISMAP
PCI
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.3, CC2.2, CC3.1, CC3.2, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct | CC1.1, CC1.2, CC1.3, CC1.4, CC1.5, CC2.2, CC2.3, CC3.1, CC3.4, CC4.1, CC4.2, CC5.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct | CC1.1, CC1.2, CC1.3, CC1.4, CC2.3, CC3.1, CC3.4
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.3, CC2.2, CC3.1, CC3.2, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2
ISO 27017 Provider & Customer, ISO 27018, BSI C5, ISMAP, Saudi CCC, EU Code of Conduct, IRAP
ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct
ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP
BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, IRAP
ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct, IRAP
ISO 27018, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct
Fedramp Tailored, ISMAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.2
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, Saudi CCC
ISO 27017 Customer, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, IRAP
ISO 27017 Provider, BSI C5, ISMAP, Saudi CCC, EU Code of Conduct, IRAP
ISO 27017 Provider, BSI C5, ISMAP, EU Code of Conduct, IRAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.1, CC1.4, CC1.5, CC5.3, CC7.4

BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, PCI
BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP
PCI
EU Code of Conduct
EU Code of Conduct
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct | CC1.1, CC1.5
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC1.2, CC3.1, CC3.2, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2, CC5.3, CC9.1
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.1, CC1.4
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC1.4, CC5.3
Fedramp Tailored, IRAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.1, CC1.5, CC2.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC1.1, CC1.5, CC2.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.1, CC1.5, CC2.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct | CC1.4, CC1.5, CC5.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Spanish ENS Basic, Medium, & High | CC1.4, CC1.5, CC5.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP | CC6.7
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct | CC1.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Fedramp Tailored, Spanish ENS Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct | CC1.3, CC1.4, CC1.5, CC2.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.4, CC2.2
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC1.4, CC1.5, CC5.3
Fedramp Tailored, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP

PCI
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Medium, & High, ISMAP, EU Code of Conduct, IRAP | CC2.2, CC2.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3, CC6.6
ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS High, ISMAP, PCI, Saudi CCC, IRAP
ISO 27018, BSI C5, ISMAP, PCI, Saudi CCC, IRAP
PCI
PCI
Saudi CCC
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3, CC6.6
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3
ISO 27017 Provider, ISO 27018, BSI C5, ISMAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3
BSI C5, IRAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3, CC6.6
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3, CC6.6
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3, CC6.6
ISO 27701 Processor & Controller, ISO 27017 Provider, ISO 27018, BSI C5, ISMAP, EU Code of Conduct
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP | CC6.7 | | C1.1
ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
Fedramp Tailored, Spanish ENS High, Saudi CCC
Fedramp Tailored, Spanish ENS Medium, & High, PCI, Saudi CCC, IRAP
Fedramp Tailored
Fedramp Tailored, Spanish ENS Basic, Medium, & High, Saudi CCC, IRAP
Fedramp Tailored
ISO 27018, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, IRAP

Fedramp Tailored
Spanish ENS Basic, Medium, & High, ISMAP, IRAP
Spanish ENS Basic, Medium, & High, ISMAP
PCI
Saudi CCC
ISMAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1, CC6.2, CC6.3
ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, ISMAP, PCI, Saudi CCC, IRAP
BSI C5, Saudi CCC, IRAP
Fedramp Tailored, IRAP
Fedramp Tailored, ISMAP, Saudi CCC, EU Code of Conduct
Fedramp Tailored, ISMAP, PCI, Saudi CCC, IRAP
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.6, CC7.2, CC7.3, CC7.4
ISO 27017 Provider & Customer, BSI C5, Fedramp Tailored, ISMAP, Saudi CCC, EU Code of Conduct, IRAP
BSI C5, ISMAP, Saudi CCC
BSI C5, ISMAP, Saudi CCC, IRAP
PCI
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC2.1
PCI
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.6, CC6.7
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.6, CC6.7
Spanish ENS High
PCI
PCI
PCI
SOC 2 (A/C/S), SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP | CC6.1
ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 27018, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC
BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, IRAP
Fedramp Tailored, ISMAP, PCI, Saudi CCC, EU Code of Conduct, IRAP
Fedramp Tailored, Spanish ENS High, ISMAP, PCI, Saudi CCC, IRAP
Fedramp Tailored, PCI, Saudi CCC
Spanish ENS High
PCI
PCI
ISO 27017 Provider & Customer, BSI C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct, IRAP

Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 27018, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 27018, Spanish ENS Basic, Medium, & High, ISMAP, Saudi CCC, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018
ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, ISMAP, EU Code of Conduct, IRAP
SOC 2 Privacy, ISO 27701 Controller, ISO 27018, ISMAP, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, ISMAP, Saudi CCC, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
ISO 27701 Processor & Controller, ISO 27018, ISMAP, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, ISMAP, EU Code of Conduct
SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP, PCI, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, Spanish ENS Basic, Medium, & High, ISMAP
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, EU Code of Conduct
ISO 27701 Controller, ISO 27701 Processor, ISO 27018, SOC (Privacy)
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, Spanish ENS Basic, Medium, & High, Saudi CCC, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, Saudi CCC, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, EU Code of Conduct
SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301, ISO 27018, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
SOC 2 Privacy, ISO 27001
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor, ISO 27018, BSI C5, EU Code of Conduct
SOC 2 Privacy
ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct, IRAP
ISO 27701 Processor & Controller, ISO 27018, BSI C5, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, Spanish ENS Medium, & High, PCI, Saudi CCC, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor, ISO 27018
ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 27018, Spanish ENS Basic, Medium, & High, ISMAP, EU Code of Conduct
ISO 27701 Processor & Controller, ISO 27018,
SOC 2 Privacy, ISO 27701 Processor & Controller
ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, ISMAP, EU Code of Conduct
ISO 27701 Processor & Controller, ISO 27018, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018, BSI C5, ISMAP, EU Code of Conduct, IRAP
ISO 27701 Processor & Controller, ISO 27018, BSI C5, Saudi CCC
ISO 27701 Processor & Controller, ISO 27018, BSI C5
ISO 27701 Processor & Controller, EU Code of Conduct
SOC 2 Privacy, ISO 27701 Processor & Controller, ISO 27018

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301 CC2.2,
ISO 27018, CC3.2,
BS1 C5, CC6.8,
Fedramp Tailored, CC7.1,
Spanish ENS Basic, Medium, CC7.2,
& High, CC7.3,
ISMAP, CC7.4,
PCI, CC7.5,
Saudi CCC, CC9.1
EU Code of Conduct,
IRAP

SOC 2 Privacy,
ISO 27701 Processor &
Controller,
ISO 27018,
BS1 C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
Saudi CCC,
EU Code of Conduct

Fedramp Tailored,
Spanish ENS Medium, &
High,
ISMAP,
PCI,
Saudi CCC,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BS1 C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP, CC7.1,
PCI, CC7.2,
Saudi CCC, CC7.3,
EU Code of Conduct, CC7.4,
IRAP CC7.5,
CC9.1

SOC 2 Privacy,
ISO 27701 Processor &
Controller,
ISO 27018,
BS1 C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
Saudi CCC
ISO 27017 Customer,
ISO 27018,
BS1 C5,
ISMAP,
IRAP

ISO 27017 Provider,


ISO 27018,
BS1 C5,
ISMAP

ISMAP

PCI
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BS1 C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct, CC1.3,
IRAP CC2.3,
CC3.4,
A1.2, C1.1,
CC6.1,
A1.3 C1.2
CC6.4,
CC6.5,
CC9.2

BS1 C5,
Spanish ENS High,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BS1 C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC1.3,
CC2.3,
CC3.4,
CC6.1,
CC6.4,
CC6.5,
CC9.2,
A1.2,
A1.3,
C1.1,
C1.2

Saudi CCC

Saudi CCC
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC7.1,
CC7.2,
CC7.3,
CC7.4,
CC7.5,
CC9.1

SOC 2 Privacy,
ISO 27701 Processor &
Controller,
ISO 27018,
Fedramp Tailored,
EU Code of Conduct,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC2.2,
CC3.2,
CC6.8,
CC7.1,
CC7.2,
CC7.3,
CC7.4,
CC7.5,
CC9.1

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Medium, &
High,
ISMAP,
EU Code of Conduct,
IRAP

CC3.2,
A1.1
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Medium, &
High,
ISMAP,
EU Code of Conduct,
IRAP

CC3.2,
A1.1

Fedramp Tailored

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Medium, &
High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

CC2.2,
CC2.3
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC1.1,
CC2.3,
CC3.4,
CC9.2,
C1.1,
C1.2

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
Spanish ENS Basic, Medium,
& High,
ISMAP,
Saudi CCC,
EU Code of Conduct

CC2.2,
CC2.3

ISO 27017 Customer,
ISO 27017 Provider,
ISMAP

PCI
PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC3.2,
CC6.1,
CC6.7,
CC6.8,
CC7.1,
CC7.2,
CC7.3,
CC7.4

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC6.7,
CC6.8,
CC7.1,
CC7.2,
CC7.3,
CC7.4

PCI
IRAP

PCI
Saudi CCC

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC2.1,
CC2.3,
CC3.2,
CC4.1,
CC6.8,
CC7.1,
CC7.2,
CC7.3,
CC7.4

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC3.2,
CC7.1,
CC7.2,
CC7.3,
CC7.4
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct

ISO 27017 Provider,
BSI C5,
ISMAP,
Saudi CCC,
IRAP

SOC 2 Privacy,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC6.6,
CC6.8,
CC7.1,
CC7.2,
CC7.3,
CC7.4

ISO 27017 Provider &
Customer,
ISO 27018,
BSI C5,
Spanish ENS Medium, &
High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

CC2.2,
CC2.3,
CC6.1

SOC 2 Privacy,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

ISO 27017 Customer,
BSI C5,
ISMAP

ISO 27001,
ISO 27701 Processor &
Controller,
ISO 27017 Provider &
Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium,
& High,
Saudi CCC
BSI C5,
ISMAP,
Saudi CCC,
IRAP

BSI C5,
Saudi CCC,
EU Code of Conduct

SOC 2 Privacy,
ISO 27018,
Fedramp Tailored,
ISMAP,
PCI

Fedramp Tailored

ISMAP

Saudi CCC
PCI

IRAP

SOC TSC (A, S, C) must be met as well to obtain SOC TSC Privacy.
Note: These ISO certifications build on ISO 27001/27002 standards. To meet compliance for these ISO Standards, all of ISO 27001/27002 standard controls must be achieved as well.
SOC TSC Ref
SOC TSC Privacy Ref
ISO 27001 ISMS Ref
ISO 27002 Annex A Ref
ISO 27017 Cloud Service Customers Ref

Clause 6.1.1(e),
Clause 6.1.2,
Clause 6.1.3,
Clause 7.1,
Clause 8.3,
Clause 9.1,
Clause 9.2,
Clause 9.3(c),
Clause 10.1,
Clause 10.2

A.12.7.1,
A.18.1.1,
A.18.2.1,
A.18.2.2,
A.18.2.3
A.12.2.1,
A.12.5.1,
A.12.6.1,
A.13.1.1,
A.14.1.3,
A.14.2.8

A.18.1.1
A.11.2.3,
A.12.2.1,
A.12.3.1,
A.17.1.1,
A.17.1.2,
A.17.1.3

CLD.12.1.5
A.17.1.2,
A.17.2.1
A.12.2.1,
A.12.3.1,
A.17.2.1
A.12.2.1,
A.12.3.1,
A.17.1.2,
A.17.1.3,
A.17.2.1
A.12.1.1,
A.14.1.1,
A.14.2.1,
A.14.2.2,
A.14.2.3,
A.14.2.4,
A.14.2.5,
A.14.2.6,
A.14.2.8,
A.14.2.9

A.12.1.2

Clause 8.1

A.6.1.2,
A.9.4.4,
A.9.4.5,
A.12.1.2,
A.12.4.3,
A.12.5.1,
A.12.6.2,
A.14.1.1,
A.14.2.1,
A.14.2.2,
A.14.2.3,
A.14.2.4,
A.14.2.5,
A.14.2.6,
A.14.2.7,
A.14.2.8,
A.14.2.9
A.12.1.2,
A.14.2.2

Clause 7.4

A.12.1.2,
A.12.2.1,
A.13.2.1,
A.14.1.2,
A.14.1.3,
A.14.2.2,
A.15.1.1,
A.16.1.7
A.12.5.1,
A.12.6.2

A.9.4.4,
A.9.4.5,
A.12.1.2,
A.12.2.1,
A.12.5.1,
A.12.6.2,
A.14.2.1,
A.14.2.2,
A.14.2.3,
A.14.2.4,
A.14.2.5,
A.15.2.6
A.6.1.2,
A.9.1.2,
A.9.2.3,
A.9.4.4,
A.9.4.5,
A.12.1.2,
A.12.1.4,
A.14.1.1,
A.14.2.1,
A.14.2.2,
A.14.2.3,
A.14.2.4,
A.14.2.5,
A.14.2.6

A.6.1.2,
A.9.1.2,
A.9.2.3,
A.9.4.4,
A.12.1.4,
A.12.5.1,
A.12.6.2
A.6.2.2,
A.11.1.1,
A.11.1.2,
A.11.1.3,
A.11.1.5,
A.11.1.6,
A.13.1.1,
A.13.1.2
A.11.1.4,
A.11.2.1,
A.11.2.2,
A.11.2.3,
A.11.2.4

A.11.1.4,
A.11.2.1,
A.11.2.2,
A.11.2.3,
A.11.2.4
A.7.3.1,
A.9.1.1,
A.9.1.2,
A.9.2.1,
A.9.2.2,
A.9.2.3,
A.9.2.5,
A.9.2.6,
A.9.4.1
A.8.1.2,
A.8.2.3,
A.8.3.1,
A.8.3.2,
A.8.3.3,
A.11.2.5,
A.11.2.6,
A.11.2.7
A.8.2.1,
A.8.2.2,
A.8.2.3

A.5.1.1,
A.5.1.2,
A.6.2.2,
A.8.1.2,
A.8.1.4,
A.8.2.3,
A.8.3.2,
A.11.2.5,
A.11.2.6,
A.11.2.7,
A.11.2.8,
A.13.2.1,
A.13.2.3
A.5.1.1,
A.5.1.2,
A.6.2.2,
A.11.1.5

A.6.2.2,
A.11.1.2,
A.11.1.3,
A.11.1.5,
A.11.1.6
A.5.1.1,
A.8.2.1,
A.8.2.2,
A.8.2.3,
A.11.2.9,
A.14.3.1,
A.18.1.3

A.8.1.1,
A.8.1.2,
A.8.2.1,
A.8.2.2

A.8.2.2
A.8.2.1,
A.8.2.2,
A.8.2.3,
A.18.1.3,
A.18.1.4
Clause 4.3

A.6.1.4,
A.16.1.1,
A.16.1.2,
A.16.1.4,
A.16.1.5,
A.16.1.7
A.14.1.2

A.12.1.4,
A.14.2.5,
A.14.2.6,
A.14.3.1
A.8.3.2,
A.11.2.7

A.8.3.2,
A.11.2.7
A.8.3.2,
A.11.2.7,
A.18.1.4

A.8.3.2,
A.11.2.7
A.10.1.1,
A.10.1.2,
A.18.1.3,
A.18.1.5
A.10.1.1,
A.18.1.3

A.6.2.1,
A.6.2.2,
A.8.3.1,
A.18.1.3
A.6.2.2,
A.8.1.2,
A.8.2.3,
A.8.3.1,
A.10.1.1,
A.10.1.2,
A.13.1.2,
A.13.2.1,
A.13.2.3,
A.14.1.2,
A.14.1.3,
A.15.1.2,
A.18.1.3,
A.18.1.4,
A.18.1.5
A.13.1.1
Clause 4.1,
Clause 4.2,
Clause 4.3,
Clause 5.1,
Clause 5.2,
Clause 6.1.1,
Clause 6.1.2,
Clause 6.1.3,
Clause 6.2,
Clause 7.4,
Clause 7.5.1,
Clause 7.5.2,
Clause 8.1,
Clause 8.2,
Clause 8.3,
Clause 9.1,
Clause 9.3,
Clause 10.1,
Clause 10.2

A.6.1.1,
A.6.1.4,
A.6.1.5,
A.12.6.1,
A.14.1.1,
A.14.1.2,
A.15.1.1,
A.15.1.2,
A.16.1.4,
A.16.1.5,
A.17.1.1,
A.17.1.2,
A.17.1.3
Clause 6.1.2,
Clause 6.1.3,
Clause 6.2,
Clause 8.1,
Clause 8.2,
Clause 8.3,
Clause 9.1,
Clause 9.3,
Clause 10.1,
Clause 10.2

A.6.1.1,
A.6.1.4,
A.6.1.5,
A.12.6.1,
A.14.1.1,
A.14.1.2,
A.15.1.1,
A.15.1.2,
A.16.1.4,
A.16.1.5,
A.17.1.1,
A.17.1.2,
A.17.1.3
Clause 4.3,
Clause 5.1(c),
Clause 5.2,
Clause 5.3,
Clause 6.1.1,
Clause 7.5.1,
Clause 7.5.2

A.6.1.1,
A.18.2.1,
A.18.2.2,
A.18.2.3
Clause 5.1,
Clause 5.2,
Clause 5.3,
Clause 6.1.1,
Clause 6.2,
Clause 7.1,
Clause 7.2,
Clause 7.5.1,
Clause 7.5.2,
Clause 8.1,
Clause 9.3

A.6.1.1,
A.6.1.4
Clause 5.1,
Clause 5.2,
Clause 5.3,
Clause 6.1.1,
Clause 6.2,
Clause 7.1,
Clause 7.5.1,
Clause 7.5.2,
Clause 8.1,
Clause 9.2,
Clause 9.3

A.6.1.1,
A.6.1.4,
A.12.7.1,
A.14.1.2,
A.18.2.1,
A.18.2.2,
A.18.2.3
Clause 4.3,
Clause 5.1(c),
Clause 5.2,
Clause 5.3,
Clause 6.1.1,
Clause 7.5.1,
Clause 7.5.2

A.6.1.1,
A.18.2.1,
A.18.2.2,
A.18.2.3

A.6.1.1
Clause 6.1.3(a),
Clause 6.1.3(b),
Clause 6.1.3(c),
Clause 6.1.3(d)

Clause 9.3
Clause 6.1.3(a),
Clause 6.1.3(b),
Clause 6.1.3(c),
Clause 6.1.3(d)
Clause 4.1,
Clause 4.2,
Clause 4.3,
Clause 4.4,
Clause 5.2,
Clause 7.5.3

A.5.1.1,
A.5.1.2,
A.6.1.1,
A.11.2.9

P1.1,
P2.1,
P3.1,
P4.1,
P4.2,
P4.3,
P6.1,
P6.7,
P8.1

A.5.1.1
Clause 4.1,
Clause 4.3,
Clause 4.4,
Clause 5.1,
Clause 7.3,
Clause 7.4,
Clause 7.5.1,
Clause 7.5.2

A.5.1.1,
A.5.1.2
Clause 7.3(c),
Clause 7.5.3

A.7.2.1,
A.7.2.3,
A.11.2.8
Clause 5.1,
Clause 6.1.1,
Clause 6.1.2,
Clause 6.1.3,
Clause 6.2,
Clause 7.5.2,
Clause 8.1,
Clause 8.2,
Clause 8.3,
Clause 9.1,
Clause 9.2,
Clause 9.3,
Clause 10.1,
Clause 10.2

A.6.1.1,
A.6.1.5,
A.12.7.1,
A.14.1.1,
A.16.1.4,
A.16.1.5,
A.16.1.6,
A.17.1.1,
A.17.1.2,
A.17.1.3,
A.18.2.1,
A.18.2.2,
A.18.2.3

Clause 7.2

A.7.1.1,
A.18.1.1
Clause 7.2

A.7.2.1

A.7.1.2,
A.7.2.1,
A.8.1.3,
A.11.2.8,
A.13.2.4,
A.14.2.7,
A.15.1.2,
A.15.1.3,
A.16.1.2,
A.18.1.1,
A.18.1.2
A.7.1.2,
A.7.2.1,
A.8.1.3,
A.11.2.8,
A.13.2.4,
A.15.1.2,
A.15.1.3,
A.18.1.2

A.7.1.2,
A.7.2.1,
A.8.1.3,
A.11.2.8,
A.16.1.2,
A.18.1.2
Clause 5.1,
Clause 7.2

A.7.2.2

Clause 5.1,
Clause 7.2

A.7.2.2

A.6.2.1,
A.6.2.2,
A.9.2.4
Clause 5.1,
Clause 5.2,
Clause 5.3,
Clause 6.1.1

A.6.1.1,
A.6.1.3,
A.16.1.2

Clause 5.3

A.6.1.2

Clause 5.1(d),
Clause 7.2,
Clause 7.3(b),
Clause 7.3(c)

A.7.2.1,
A.7.2.2,
A.12.2.1,
A.15.1.1,
A.18.1.2
A.7.2.1,
A.7.2.2
A.7.2.1,
A.14.1.2,
A.16.1.2,
A.16.1.3

A.9.1.2,
A.9.2.3,
A.9.2.5,
A.9.3.1,
A.9.4.1,
A.9.4.4,
A.9.4.5,
A.12.4.3
A.12.4.2,
A.12.4.3,
A.14.1.1,
A.16.1.1,
A.16.1.7
A.6.2.2,
A.9.1.2,
A.9.2.3,
A.9.2.4,
A.9.3.1,
A.9.4.1,
A.9.4.2,
A.9.4.3,
A.10.1.1,
A.10.1.2,
A.11.2.6,
A.11.2.8,
A.13.1.1,
A.13.1.2,
A.13.1.3

A.6.1.2,
A.9.1.1,
A.9.1.2,
A.9.2.1,
A.9.2.2,
A.9.2.3,
A.9.2.6,
A.9.4.1,
A.13.1.3,
A.14.1.1
A.7.3.1,
A.9.1.1,
A.9.1.2,
A.9.2.1,
A.9.2.2,
A.9.2.3,
A.9.2.5,
A.9.2.6,
A.9.4.1

A.9.2.4,
A.9.3.1,
A.9.4.1,
A.9.4.2,
A.9.4.3
A.9.1.2,
A.9.2.3,
A.9.2.4,
A.9.3.1,
A.9.4.1,
A.9.4.2,
A.9.4.3,
A.10.1.1,
A.10.1.2,
A.11.2.6,
A.11.2.8,
A.13.1.1,
A.13.1.2,
A.13.1.3

A.9.1.2,
A.9.2.3,
A.9.2.4,
A.9.3.1,
A.9.4.1,
A.9.4.2,
A.9.4.3,
A.10.1.1,
A.10.1.2,
A.11.2.6,
A.11.2.8,
A.13.1.1,
A.13.1.2,
A.13.1.3
A.9.4.1,
A.9.4.2
A.7.3.1,
A.8.1.4,
A.9.2.1,
A.9.2.6

A.7.3.1,
A.8.1.4,
A.9.2.1,
A.9.2.6
A.8.1.4

A.12.6.1,
A.13.1.1,
A.14.1.1,
A.16.1.1
A.12.5.1,
A.12.6.2,
CLD.9.5.2

A.12.4.4
A.9.2.3,
A.9.4.5,
A.12.1.1,
A.13.1.1,
A.13.1.2,
A.14.2.6

A.13.1.1,
A.13.1.2
A.9.2.3,
A.12.1.1,
A.12.1.4,
A.13.1.1,
A.13.1.2,
A.13.1.3
A.13.1.3
A.12.6.1,
A.14.1.1
P4.1,
P6.2

A.8.1.3

P4.1,
P6.2,
P7.1,
P8.1

A.18.1.4

P2.1,
P3.1,
P3.2,
P4.1
Clause 6.1.2,
Clause 6.1.3

A.18.1.4

P1.1,
P4.2,
P4.3,
P5.1,
P5.2,
P6.1,
P6.2,
P6.4,
P6.5,
P6.7,
P8.1

P6.2
P1.1,
P2.1,
P6.2

P1.1,
P2.1,
P4.2,
P4.3,
P5.1,
P5.2,
P6.2,
P6.7,
P8.1

P4.2,
P4.3,
P6.1,
P8.1
P3.1,
P4.1,
P4.2,
P4.3,
P7.1

A.18.1.4

P4.2,
P4.3,
P7.1

P4.2,
P4.3,
P7.1

P4.2,
P7.1

P1.1,
P4.2,
P4.3,
P5.1,
P5.2,
P7.1

P6.1,
P6.2,
P6.7,
P8.1
P1.1,
P5.1,
P5.2,
P6.1,
P6.2,
P6.4,
P6.5,
P6.6,
P6.7,
P8.1

P7.1

P5.1,
P5.2,
P6.2,
P6.7,
P8.1

A.18.1.4

P1.1

P7.1

P5.1
P2.1,
P5.1,
P5.2,
P7.1

P5.1,
P5.2,
P7.1

P1.1,
P2.1,
P3.1,
P4.1,
P8.1

P6.3,
P6.6,
P6.7,
P8.1
P1.1,
P2.1,
P3.1

A.18.1.4

P6.6
P8.1

P5.1,
P5.2,
P8.1
P4.2

Clause 7.4,
Clause 7.5.3

A.6.1.3,
A.6.1.5,
A.14.1.3,
A.16.1.1,
A.16.1.2,
A.16.1.3,
A.16.1.6

P6.3,
P6.5
A.6.1.3,
A.10.1.1,
A.12.4.1,
A.12.4.2,
A.12.4.3,
A.14.1.1,
A.16.1.4,
A.16.1.5,
A.16.1.6,
A.16.1.7

P6.3,
P6.5,
P8.1
A.12.4.1
Clause 6.1.2,
Clause 6.1.3,
Clause 7.4,
Clause 8.1

A.6.1.3,
A.7.2.1,
A.9.2.6,
A.13.2.1,
A.13.2.2,
A.13.2.3,
A.14.2.7,
A.15.1.1,
A.15.1.2,
A.15.1.3,
A.15.2.1,
A.15.2.2,
A.18.1.2
Clause 6.1.2,
Clause 6.1.3,
Clause 7.4,
Clause 8.1

A.6.1.3,
A.7.2.1,
A.9.2.6,
A.13.2.1,
A.13.2.2,
A.13.2.3,
A.14.2.7,
A.15.1.1,
A.15.1.2,
A.15.1.3,
A.15.2.1,
A.15.2.2,
A.18.1.2
Clause 6.1.2,
Clause 7.4,
Clause 8.1

A.6.1.5,
A.10.1.1,
A.12.4.1,
A.16.1.1,
A.16.1.2,
A.16.1.3,
A.16.1.4,
A.16.1.5,
A.16.1.6,
A.16.1.7,
A.17.1.1

P6.3,
P6.5,
P8.1
A.6.1.5,
A.16.1.1

A.6.1.5,
A.12.1.3,
A.17.1.1,
A.17.1.2,
A.17.1.3,
A.17.2.1
A.6.1.5,
A.12.1.3,
A.17.1.1,
A.17.1.2,
A.17.1.3,
A.17.2.1

A.13.2.1,
A.13.2.2,
A.13.2.3
Clause 4.2

A.7.1.2,
A.13.2.1,
A.13.2.2,
A.13.2.3,
A.13.2.4,
A.14.2.7,
A.15.1.1,
A.15.1.2,
A.15.1.3,
A.15.2.1,
A.15.2.2,
A.18.1.2

A.15.1.2,
A.15.2.1,
A.18.1.1,
A.18.1.2,
A.18.1.4

CLD.8.1.5
A.12.2.1,
A.12.4.1

A.12.1.1,
A.12.2.1,
A.12.4.1
Clause 6.1.3,
Clause 8.1,
Clause 8.2,
Clause 8.3,
Clause 9.1,
Clause 10.2

A.6.1.5,
A.12.1.1,
A.12.2.1,
A.12.6.1,
A.13.1.1,
A.14.1.1,
A.14.2.1,
A.14.2.8,
A.18.2.3

A.6.1.4,
A.6.1.5,
A.12.2.1,
A.12.6.1,
A.18.2.3
A.6.1.4,
A.12.6.1,
A.14.1.1

P6.3

A.12.1.1,
A.12.2.1,
A.12.6.1,
A.14.2.1,
A.14.2.8,
A.18.2.3
A.12.6.1,
A.13.1.1

A.9.4.4,
A.12.1.1,
A.12.6.1
Clause 4.1,
Clause 4.2,
Clause 4.3,
Clause 5.2,
Clause 6.2,
Clause 7.4,
Clause 7.5.1,
Clause 8.1,
Clause 9.1,
Clause 9.3

A.9.1.2,
A.9.2.3,
A.14.1.2

P6.6

A.6.1.3

A.18.1.2
P8.1
ISO 27017 Cloud Service Providers Ref
ISO 27018 Ref
ISO 27701 PII Processor Ref
ISO 27701 PII Controller Ref
ISO 22301 Ref
A.12.2.1,
A.12.5.1,
A.12.6.1,
A.13.1.1,
A.14.1.3,
A.14.2.8
4.2.2,
4.3.1,
6.1.1

6.1.1,
6.1.2,
8.2.1,
8.2.2,
8.2.3,
8.3.1,
8.3.2,
8.3.3,
8.3.4,
10.2
A.17.1.2,
6.9.3.1 6.9.3.1 8.3.5
A.17.2.1
12.3.1,
12.3.1
A.11.3
CLD.12.1.5
A.9.4.4,
A.9.4.5,
A.12.1.2,
A.12.2.1,
A.12.5.1, 9.4.4,
A.12.6.2, 9.4.5,
A.14.2.1, 12.1.2
A.14.2.2,
A.14.2.3,
A.14.2.4,
A.14.2.5,
A.15.2.6
6.1.3
8.1.1

8.2.2
A.11.7
A.10.1.1, 10.1.1
A.18.1.3 18.1

6.7.1.1 6.7.1.1

10.1.1 10.1.1
CLD.12.4.5
CLD.6.3.1
A.6.1.1, 12.3.1,
CLD.6.3.1 A.8.1
7.2.2
CLD.13.1.4

6.1, 6.1,
6.8.2.9 6.8.2.9

5.1.1
5.1.1,
CLD.9.5.1,
CLD.12.1.5,
CLD.13.1.4

14.1.1,
CLD.12.4.5
CLD.12.1.5,
CLD.13.1.4
12.4.1,
12.4.2
12.4.1
9.2,
9.4.1
9.4.2
6.6.4.2 6.6.4.2

9.2,
9.2.1
9.4.2
9.2.1
9.2.1
CLD.8.1.5
A.12.5.1,
A.12.6.2,
CLD.9.5.2,
CLD.13.1.4
6.9.4.1 6.9.4.1

A.13.1.3,
A.11.13
CLD.9.5.1
A.12.6.1,
A.14.1.1
5.2.1, 5.2.1,
A.8.1.3 5.1.1 7.2.1, 7.2.1,
7.3.8 7.3.8

5.2.1, 5.2.1,
7.2.2, 7.2.2,
7.3.3, 7.3.3,
7.3.8, 7.3.8,

5.1.1,
A.18.1.4 12.3.1,
A.2.1

5.2.1, 5.2.1,
6.15.1.1, 6.15.1.1
7.2.3,
7.2.4
A.2.1
5.2.1, 5.2.1,
5.2.4, 5.2.4,
6.2.1.1, 6.2.1.1,
6.9.4.1, 6.9.4.1,
6.10.2.4, 6.10.2.4,
6.12.1.2, 6.12.1.2,
6.15.1.1, 6.15.1.1,
7.2.2, 8.2.2,
7.2.4, 8.5.7
7.2.6,
6.1.1, 7.3.4,
18.2.1, 7.3.6,
A.2.1, 7.3.8
A.3.1,
A.8.1,
A.11.11,
A.11.12

7.2.8,
7.3.3,
7.3.10
A.2.1,
A.6.2
5.2.1, 5.2.1,
7.3.1, 8.2.1,
7.3.2, 8.3.1
7.3.3,
7.3.10

5.1.1,
A.2.1,
A.3.1,
A.6.1

6.7.1.1, 6.7.1.1,
6.15.2.1, 6.15.2.1
7.3.2,
7.3.3,
7.3.9

18.2.1,
A.2.1,
A.3.1

5.2.1, 5.2.1,
6.2.1.1, 6.2.1.1,
7.5.1 8.3.1
A.2.1

5.2.4, 5.2.4,
6.10.2.1, 6.10.2.1,
6.12.1.2, 6.12.1.2
7.3.5,
A.6.2,
7.3.7
A.8.1
6.11.2.1, 6.11.2.1,
6.15.2.3, 6.15.2.3
7.4.4,
7.5.3

A.5.1

6.9.4.2, 6.9.4.2,
12.1.4, 6.11.2.5, 6.11.2.5,
12.4.2, 7.3.8, 8.3.1,
A.5.1, 7.4.5, 8.4.1,
A.10.3, 7.4.6 8.4.2
A.11.13

6.9.4.2, 6.9.4.2,
12.1.4, 6.11.2.5, 6.11.2.5
12.4.2, 7.4.2,
A.10.3 7.4.7

6.8.2.7, 6.8.2.7,
6.9.4.2, 6.9.4.2,
6.11.2.5, 6.11.2.5,
7.3.6, 8.4.2
5.1.1, 7.3.8,
11.2.7, 7.4.8
A.10.3

5.2.2, 5.2.2,
6.5.3.3, 6.5.3.3,
13.2.1, 6.10.2.1, 6.10.2.1,
A.6.2, 6.12.1.2, 6.12.1.2,
A.8.1, 7.4.9, 8.2.6,
A.10.3, 7.5.1 8.4.2,
A.11.4 8.5.1
5.2.2, 5.2.2,
6.2.1.1, 6.2.1.1,
6.5.3.3, 6.5.3.3,
6.10.2.1, 6.10.2.1,
13.2.1,
6.12.1.2, 6.12.1.2,
A.3.1,
7.5.3, 8.5.1,
A.6.2,
7.5.4 8.5.3,
A.8.1,
8.5.5,
A.10.3,
8.5.6
A.11.4

5.2.3, 5.2.3,
6.8.2.9, 6.8.2.9,
A.3.1, 7.4.1, 8.2.2,
A.5.1, 7.4.2 8.2.6
A.11.11

5.2.3, 5.2.3,
6.2.1.1, 6.2.1.1,
6.9.4.1, 6.9.4.1,
6.15.1.1, 6.15.1.1
7.3.10
A.3.1,
A.11.11

7.4.3

7.4.3 8.4.3

A.11.6,
A.12.2
8.5.4

A.6.1,
A.11.11

8.5.5

A.3.1,
A.6.1,
A.11.11

5.2.2, 5.2.2,
5.2.3, 5.2.3,
5.4.1.3, 5.4.1.3,
6.1.1, 6.2.1.1, 6.2.1.1,
9.2, 6.9.4.1, 6.9.4.1,
A.3.1, 6.15.1.1, 6.15.1.1,
A.11.11, 6.15.2.1, 6.15.2.1
A.11.12 7.2.6,
7.2.7

7.5.2 8.5.2
13.2.1,
A.8.1,
A.10.3,
A.11.4,
A.12.1

6.3.1.1 6.3.1.1

6.1.1

6.13.1.5 6.13.1.5,
8.2.1,
8.5.1

9.2.1,
16.1.1,
A.10.1
8.2.3

A.3.1,
A.3.2,

5.2.1, 5.2.1,
5.2.3, 5.2.3,
6.2.1.1, 6.2.1.1,
18.2.1, 6.6.2.1, 6.6.2.1,
A.2.1, 6.6.2.2, 6.6.2.2,
A.3.1, 6.15.2.1, 6.15.2.1,
A.10.1, 7.2.7 8.2.1
A.11.11

5.2.1, 5.2.1,
5.2.3, 5.2.3,
6.3.1.1, 6.3.1.1,
6.4.2.2, 6.4.2.2,
7.2.7 7.2.7
A.3.1,
A.18.1.4
A.11.11

6.2.1.1, 6.2.1.1,
6.10.2.1, 6.10.2.1,
6.15.1.1, 6.15.1.1,
A.3.1, 7.4.2 8.2.2
A.11.11

6.2.1.1, 6.2.1.1,
6.3.1.1 6.3.1.1,
8.2.1,
8.2.4

5.2.2, 5.2.2,
6.2.1.1, 6.2.1.1,
6.9.3.1 6.9.3.1,
12.3.1, 8.5.6,
A.8.1, 8.5.7
A.11.12
5.4.1.3, 5.4.1.3,
6.15.2.1 6.15.2.1,
8.2.5

5.1.1,
9.2,
A.2.1,
A.3.1,
A.11.11

6.2.1.1, 6.2.1.1,
7.3.5, 8.5.1,
7.3.7 8.5.7,
8.5.8
12.3.1,
A.3.1,
A.8.1

6.9.4.1 6.9.4.1

18.2.1

5.4.1.2, 5.4.1.2,
6.1, 6.1,
6.11.2.1 6.11.2.1

12.1.4

5.4.1.2, 5.4.1.2,
6.1, 6.1,
6.11.2.1 6.11.2.1

12.1.4
5.4.1.3, 5.4.1.3,
6.1 6.1

6.9.3.1 6.9.3.1

12.3.1,
A.11.3

6.4.2.2, 6.4.2.2,
6.13.1.5 6.13.1.5

16.1.1,
A.10.1
6.9.4.1 6.9.4.1

12.4.1
12.4.1

12.4.1,
12.4.1
CLD.12.4.5
6.4.2.2, 6.4.2.2,
6.9.4.1, 6.9.4.1,
6.13.1.1, 6.13.1.1,
6.13.1.4 6.13.1.4

6.1.1,
16.1.1,
A.10.1
CLD.8.1.5
A.6.1.4,
A.12.6.1,
A.14.1.1

6.1.4 8.4.3.1

12.6.1

6.15.2.3 6.15.2.3

A.12.1.1,
A.12.2.1,
6.1.5,
A.12.6.1,
12.1.1,
A.14.2.1,
18.2.3
A.14.2.8,
A.18.2.3
A.9.4.4,
9.4.4,
A.12.1.1,
12.1.1
A.12.6.1
8.4.1,
8.4.3.1,
8.4.3.2

6.1.2,
6.1.3,
A.10.1
5.1.1
Spanish ENS Basic Requirements must be met as well to obtain Spanish ENS Medium and High.
BSI C5 Ref
FedRAMP Tailored Control Ref
Spanish ENS BASIC Control Ref
Spanish ENS Medium Control Ref

OIS-01, AU-1, org.2,


SP-01, CA-2, org.3,
SP-02, CA-2 (1), op.mon.2
SP-03, CA-5,
SSO-04, CA-7
COM-02,
COM-03
DEV-01, CA-2, op.pl.2, op.exp.3
DEV-05 CA-2 (1), op.exp.6
IA-6,
RA-5,
SI-3

COM-01, org.1
INQ-01

mp.si.5
PS-01, CP-1, op.cont.1,
OPS-06, CP-2, mp.eq.9
OPS-08, CP-4,
BCM-01, CP-10
BCM-02,
BCM-03,
BCM-04

BCM-01, CP-1,
BCM-02, CP-2,
BCM-03, CP-3
BCM-04,
COM-01

SP-01, CA-2,
PS-01, CA-2 (1),
OPS-08, CM-4,
BCM-01, CP-1,
BCM-02, CP-2,
BCM-03, CP-9,
BCM-04 RA-1,
RA-3

CP-3,
PS-2
mp.s.2

OIS-07,
OPS-11

PS-02, mp.eq.9
OPS-06,
OPS-07,
OPS-09
AU-4,
AU-11,
AU-12

OPS-06, CP-9, mp.info.9 mp.eq.9


OPS-07, CP-10
OPS-08,
PI-02
PS-02, CP-9, mp.info.9 mp.eq.9,
OPS-06, CP-10 mp.info.9
OPS-07,
OPS-09

PSS-01 SI-12 mp.info.9


DEV-01, MA-2, op.pl.3, op.exp.5,
DEV-03, SA-1, op.exp.2, op.ext.2,
DEV-05, SA-3, op.exp.4, mp.sw.1
DEV-08, SA-4, mp.sw.2
DEV-09, SI-2
DEV-10

OPS-16, op.exp.5
DEV-03,
DEV-05,
PSS-09

OIS-04, CM-1, org.4, op.acc.3,


OPS-16, CM-4, op.pl.3, op.exp.5,
DEV-01, CM-6, mp.sw.2 mp.sw.1
DEV-02, SI-2
DEV-03,
DEV-06,
DEV-07,
DEV-08,
PSS-02
DEV-07 op.exp.5

OPS-21, op.exp.5,
DEV-05, op.exp.7,
DEV-09 op.exp.9
CM-1, op.exp.3
CM-2,
CM-6,
CM-7

DEV-03 CM-2, op.exp.5,


CM-6, mp.sw.1
CM-7,
SI-3,
SI-4,
SI-5
OIS-04, CM-10, org.2, op.acc.3,
OPS-16, IA-5, op.pl.3, op.exp.5,
IDM-06, SA-3 op.acc.2, mp.sw.1
DEV-01, op.acc.4
DEV-03,
DEV-09

CM-11, org.4, mp.sw.1


MA-2 op.acc.2,
op.acc.4

DEV-08 SA-1, mp.sw.2, op.exp.5,


SA-3 mp.info.9 mp.sw.1
PS-01, MA-5, org.4, op.mon.1
PS-03, MP-2, op.pl.2,
PS-04, PE-1, mp.if.1,
PS-06 PE-2, mp.if.2,
PE-3, mp.eq.3,
PE-6, mp.si.3
PE-16
PS-01, MA-2, op.exp.4, op.ext.2,
PS-04, MA-4, mp.if.1, mp.if.6
PS-06, PE-6, mp.if.3,
PS-07 PE-12, mp.if.4,
PE-13, mp.if.5,
PE-14, mp.si.3
PE-15

PS-01, PE-2, op.pl.1, mp.if.6


PS-02, PE-3, mp.if.1,
PS-03, PE-6, mp.if.3,
PS-04, PE-12, mp.if.4,
PS-05, PE-13, mp.if.5,
PS-06, PE-14, mp.si.3
PS-07 PE-15

PSS-01,
PSS-12
PS-03, PE-8 mp.if.1,
PS-04 mp.if.2,
mp.si.3

PS-04 PE-16,
PS-4

PS-03 PE-8, mp.si.3


PE-16,
PS-5
PE-8

AM-02, MA-2, op.pl.2, mp.si.2


AM-03 PE-8, op.exp.1,
PE-16 mp.if.7,
mp.si.4
AM-02, MA-2, org.4, op.pl.4
AM-03, SA-1 op.pl.3,
AM-06, op.exp.2
COS-01

SP-01, MA-2, org.2, op.ext.2


AM-02, MA-4, org.4,
AM-03, MP-6 op.pl.1,
AM-04, op.pl.2,
AM-05, op.exp.4,
PI-03 mp.if.7,
mp.si.5,
mp.info.2,
mp.s.1
SP-01 org.2,
mp.if.1,
mp.if.2,
mp.si.3

MA-5, org.4,
PE-2, mp.if.1,
PE-3, mp.if.2,
PE-6 mp.eq.3,
mp.si.3
SP-01, mp.eq.1
AM-06,
OPS-11,
PI-02

AM-01, CM-8 op.pl.1,


OPS-10 op.pl.2,
op.exp.1,
mp.if.7,
mp.eq.3,
mp.si.1,
mp.info.2

AM-02, RA-2 op.pl.1,


AM-06 mp.if.7,
mp.si.1
AM-01,
AM-06

PSS-01

AM-05, AC-22, mp.info.1,


AM-06 MP-6, mp.info.2,
RA-2, mp.info.6,
SA-9, mp.s.1
SI-1,
SI-12
OPS-21, IR-4, op.mon.2 op.exp.7,
PI-01, IR-5, op.exp.9,
SIM-01, IR-6 op.mon.2
SIM-02,
SIM-03,
SIM-05,
PSS-04
COS-07 CA-9

DEV-10 mp.sw.2,
mp.info.6
SP-01, MP-6, mp.si.5,
AM-04, SI-12 mp.info.6
PI-03

AM-04 MP-6, mp.si.5, mp.si.5


SI-12 mp.info.6
PI-02, MP-6, mp.si.5, mp.si.5
PI-03 SI-12 mp.info.1

SP-01, MP-6, mp.si.5


OPS-12, SI-12
PI-02,
PI-03

PSS-10
mp.eq.1

CRY-01, SC-12, op.acc.5, mp.com.2,


CRY-04, SC-13 op.acc.7, mp.info.4
COS-08 op.exp.11,
mp.com.3,
mp.si.4
CRY-01, CM-11, op.acc.1, mp.com.2
CRY-04 SC-12, op.acc.7,
SC-13, mp.com.3,
SC-20 mp.si.4

CRY-01,
PSS-01,
PSS-05,
PSS-07

CRY-02, AC-19, org.4, mp.com.2


CRY-03 MP-1, mp.eq.3,
MP-2, mp.si.4
MP-7
OPS-12, CA-3, org.4, mp.com.2,
OPS-14, IA-5 (1), op.pl.2, mp.si.2,
CRY-01, IA-7, op.acc.1, mp.info.4,
CRY-02, SC-7, op.acc.5, mp.info.9
CRY-03, SC-12, op.acc.7,
CRY-04, SC-13, op.exp.11,
COS-08, SC-20 mp.com.3,
PI-01 mp.info.1,
mp.s.1,
mp.si.4

CRY-01 SC-12, op.acc.5, mp.si.2


SC-13 op.exp.11
OPS-23, CA-3, op.pl.2, op.exp.3
COS-01, CM-2, op.acc.7,
COS-02, CM-6, op.exp.2,
COS-03, CM-7 mp.com.3
COS-07,
COS-08

COS-04 IA-2 op.acc.6


OIS-01, CA-2, op.pl.1, op.pl.2,
OIS-03, CA-2 (1), op.pl.3 op.cont.1
OIS-06, CM-4,
OIS-07, PS-2,
SP-03, RA-1
OPS-18,
OPS-20,
OPS-22,
COS-01,
COS-03,
PSS-03
OIS-06, CA-2, org.1, op.cont.1
OIS-07, CA-2 (1), org.2,
SP-03, CM-4, op.pl.1,
OPS-18, PS-2, op.pl.3
OPS-20, RA-1,
OPS-22, RA-3
COS-01,
COS-03,
DEV-03,
DEV-05,
SSO-02,
PSS-02
OIS-01, CM-4, org.1,
OIS-03, MA-5, org.3,
OIS-04, PL-1, mp.info.2
SP-03 PS-1,
SA-3,
SA-5,
SC-1,
SI-1
CA-2, org.1
CA-2 (1),
CA-5,
MA-1
COM-01, CA-2, org.1
COM-04 CA-2 (1),
CA-5,
MA-1
OIS-01, CM-4, org.1,
OIS-03, MA-5, org.3,
OIS-04, PL-1, mp.info.2
SP-03 PS-1,
SA-3,
SA-5,
SC-1,
SI-1

OIS-03,
SIM-04,
PSS-01,
PSS-09
OIS-01, org.2,
COM-01 org.3

COM-04 CA-6, org.1


MA-1,
PL-1,
PL-4,
PS-2

OIS-01 PL-2, org.1,


PL-4 mp.info.2
OIS-01 CA-6, org.1
PL-2

AT-1, org.1,
AU-1, org.2,
CA-1, org.3,
CA-6, op.mon.2
CM-1,
CP-1,
IA-1,
IR-1,
MA-1,
MP-1,
PE-1,
PL-1,
PS-1,
RA-1

SA-2
OIS-01, AC-1, org.1,
OIS-02, AT-1, org.2,
OIS-03, AU-2, org.3,
OIS-06, CA-6, org.4,
SP-01, IA-1, mp.eq.1,
SP-02, IR-1, mp.info.2
OPS-10, MA-1,
IDM-01, MP-1,
COM-02, PE-1,
COS-08 PL-1,
PL-2,
PS-1,
SA-1,
SA-5,
SC-1,
SI-1

OIS-02,
OIS-03,
IDM-01,
COS-08

OIS-02, op.exp.4 op.ext.2


SP-01,
COS-08,
PSS-01,
PSS-12
PI-01,
PSS-01,
PSS-07,
PSS-08

OIS-02,
SP-01,
SP-02
AC-1, org.1, op.pl.2,
AU-1, org.2, op.acc.7
CM-1, org.3,
CP-1, op.acc.5,
IA-1, op.acc.7
IR-1,
MA-1,
MP-1,
PE-1,
PL-2,
PL-4,
PS-1,
PS-6,
SC-1,
SI-1

SP-03 org.1,
org.2

OPS-11, mp.info.6
OPS-12,
OPS-16,
PSS-04
OIS-02, PS-8 mp.per.2
HR-02,
HR-04,
AM-05
OIS-06, AU-1, org.1, op.cont.1
OIS-07, CA-1, org.2,
SP-03, CA-5, org.3,
COS-01, RA-3 op.pl.1,
COS-03, op.pl.3,
SSO-02, op.mon.2
COM-04

HR-01 PS-2, mp.per.1


PS-3
HR-01 PS-2, mp.per.2 mp.per.1
PS-3

PS-3

HR-02, PL-4, org.1, op.ext.1,


HR-05, PS-6, org.2, mp.per.1
HR-06, PS-7, mp.per.2
DEV-02, SA-9
SSO-01,
SIM-04
HR-02, PL-4, org.1, op.ext.1
HR-05, PS-6 org.2,
HR-06 mp.per.2

HR-02, PL-4, org.2, mp.per.1


HR-05, PS-6 op.exp.2,
AM-02, mp.per.2
AM-03,
AM-05,
SIM-04
mp.per.3,
mp.per.4

mp.per.3,
mp.per.4

AC-19, org.4,
MP-7 mp.eq.3,
mp.s.1
org.3,
op.pl.2

MA-5 mp.per.1

HR-03, AT-1, org.2,


DEV-04, AT-2, mp.per.3,
SIM-04, AT-4, mp.per.4,
SIM-05 IR-6, mp.si.1,
PL-2, mp.s.1
PL-4
DEV-04 AT-3, org.2,
IR-2 mp.per.3,
mp.per.4,
mp.si.1,
mp.s.1

AT-3
SIM-04 IR-6, op.exp.7
IR-7

IDM-01, AC-2, op.acc.2,


IDM-02, AC-3, op.acc.4
IDM-06, IA-2 (12),
PSS-04, IA-5,
PSS-05 MA-2,
MP-2
OPS-10, AU-6, op.exp.8 op.acc.3
OPS-12, AU-9
OPS-14,
OPS-16,
PSS-04

OPS-14, AU-6,
OPS-16 AU-9
OPS-15
OPS-16, AC-2, org.4, mp.com.2
IDM-01, AC-3, op.pl.2,
IDM-08, AC-17, op.acc.2,
IDM-09, AC-20, op.acc.5,
PSS-05, IA-2, op.acc.6,
PSS-09 IA-2 (1), op.acc.7,
IA-2 (12), mp.eq.3,
IA-5, mp.com.3
IA-5 (11),
IA-6,
IA-8,
IA-8 (1),
IA-8 (2),
IA-8 (3),
IA-8 (4),
MA-4

IDM-01, AC-1, org.2, op.acc.3


IDM-02, AC-2, op.acc.1,
IDM-06 AC-3, op.acc.2,
CM-7, op.acc.4,
CP-9, op.acc.5,
IA-2, op.exp.2
IA-2 (12),
IA-4,
IA-5,
MP-2
IDM-01,
IDM-04,
COS-02,
PSS-01,
PSS-05,
PSS-07,
PSS-08,
PSS-09

IDM-01, AC-1, op.acc.1,


IDM-05, AC-2, op.acc.2,
IDM-06 AC-3, op.acc.4,
IA-2 (12), op.exp.2
IA-4,
IA-5,
PS-5

IDM-05

IDM-01, AC-14, op.pl.2, op.acc.3


PSS-08, IA-2, op.acc.1,
PSS-09 IA-4, op.acc.2,
IA-5, op.acc.5,
IA-5 (1), op.acc.6
IA-6
IDM-01, AC-14, op.pl.2,
IDM-08, IA-2, op.acc.2,
IDM-09, IA-2 (12), op.acc.5,
PSS-07, IA-4, op.acc.6,
PSS-09 IA-5, op.acc.7,
IA-8 op.exp.2

IDM-01, AC-14, op.pl.2, mp.eq.2


IDM-08, IA-2, op.acc.2,
IDM-09, IA-4, op.acc.5,
PSS-07, IA-5, op.acc.6,
PSS-09 IA-5 (1), op.acc.7,
IA-6 op.exp.2

IDM-01,
IDM-08,
COS-02,
PSS-01,
PSS-04,
PSS-05,
PSS-07,
PSS-08,
PSS-09
OPS-15, AC-14 op.acc.1,
PSS-05, op.acc.2,
PSS-08, op.acc.6
PSS-09

IDM-03 AC-2, op.acc.5,


AC-3, op.acc.6
AC-7

PSS-06 op.acc.6

PSS-05, AC-14, op.acc.5


IDM-08 IA-5,
IA-5 (1),
PL-2
AC-7

MA-4 mp.eq.2

AC-7,
AC-8

IA-2 (12), op.exp.8


IA-5 (11),
IA-8,
IA-8 (1),
IA-8 (2),
IA-8 (3),
IA-8 (4)

SA-4 (10)

IA-5 op.exp.2

SC-15
op.acc.6 op.acc.6

mp.info.4
AM-05, AC-2, org.2,
IDM-01, IA-4, op.acc.1,
IDM-02, PS-4, op.acc.5
IDM-04 PS-7

AM-05, AC-2, org.2,


IDM-01, IA-4, op.acc.1,
IDM-02, PS-4 op.acc.5
IDM-04
HR-05, PS-4
AM-05

IDM-04

PS-4

PS-4

PS-5

AM-06, CA-7, op.pl.2, op.mon.1,


OPS-19, SC-7, mp.com.3 mp.s.8
COS-01, SI-4,
COS-02, SI-5
COS-03,
COS-04,
COS-08
COS-03, SI-1
PSS-11

COS-05

PSS-11

OPS-10 AU-3,
AU-5,
AU-6,
AU-8,
AU-9
OPS-19, CA-3, op.pl.2, op.mon.1
COS-01, CM-7, op.acc.2,
COS-02, IA-2, op.acc.6,
COS-03, SC-5, op.acc.7,
COS-04, SC-7, mp.com.1,
COS-08 SI-4, mp.com.3
SI-5

COS-01, CA-3, op.pl.2,


COS-02, CM-7, op.acc.6,
COS-03, SC-5, op.acc.7,
COS-04, SC-7 mp.com.1,
COS-08 mp.com.3
OPS-24, SC-5, op.pl.2, op.mon.1,
COS-02, SC-7, op.acc.6, mp.com.2
COS-03, SC-22, op.acc.7,
COS-04, SC-39 mp.com.3
COS-05,
COS-06,
COS-08,
DEV-10
OPS-24, SC-22, op.acc.6
COS-02, SC-39
COS-05,
COS-06,
DEV-10

OPS-24, SC-22, mp.sw.2 op.acc.3,


DEV-10 SC-39 op.exp.5,
mp.sw.1

AC-18
AC-19

AC-19

COS-01, SC-5 op.acc.6, mp.s.8


COS-02, op.exp.6,
COS-03, mp.com.3
COS-08,
PSS-06

mp.s.2
org.2

mp.info.1
COM-01 mp.info.1

PI-02
COM-01

PI-02
IDM-07 mp.info.1

IDM-07, mp.info.1,
INQ-04 mp.info.6

PI-03,
INQ-04

mp.info.6
IDM-07

mp.info.1
INQ-02,
INQ-03

INQ-03

OIS-05

op.exp.7
mp.info.1
OPS-15

OPS-18,
OPS-20,
OPS-22,
PSS-03

OPS-18,
OPS-20,
OPS-22
OIS-03, IR-1, org.2, op.exp.3,
SP-01, IR-2, org.3, op.exp.7,
OPS-13, IR-4, op.mon.2, op.ext.2,
SIM-01, IR-6, mp.per.3, op.mon.2
SIM-02, IR-7, mp.eq.3
SIM-03, IR-8
SIM-05

OPS-13 IR-1, op.mon.2 op.mon.2


IR-2,
IR-4,
IR-6,
IR-7,
IR-8

IR-7 op.exp.7
OPS-10, AU-2, op.exp.8, op.exp.7,
OPS-13, AU-3, op.mon.2, op.exp.9,
OPS-17, AU-5, mp.per.3, op.mon.2
OPS-21, AU-6, mp.eq.3
PSS-03, AU-9,
PSS-04 AU-12,
CA-1,
CA-7,
IR-4,
IR-5,
IR-6,
IR-9,
SI-4,
SI-5

OPS-13, AU-2, op.mon.2 op.mon.2


PSS-04 AU-3,
AU-5,
AU-6,
AU-9,
AU-12,
CA-1,
CA-7,
IR-4,
IR-5,
IR-6,
IR-9,
SI-4,
SI-5
COS-03,
PSS-01,
PSS-04

PSS-01,
PSS-04
OIS-07, CA-3, org.4, op.ext.1,
OPS-21, PS-7, op.pl.1 op.ext.2
COS-01, SA-1,
COS-03, SA-4,
DEV-02, SA-9
SSO-01,
SSO-02,
SSO-03,
SSO-04,
SSO-05,
SIM-04

SSO-05
OIS-07, CA-3, org.4, op.ext.1
OPS-21, PS-7, op.pl.1
COS-01, SA-1,
COS-03, SA-4,
DEV-02, SA-9
SSO-01,
SSO-02,
SSO-03,
SSO-04,
SSO-05,
SIM-04
OPS-10, AU-2, org.2, op.exp.3,
OPS-17, AU-3, org.3, op.exp.7,
SIM-01, AU-5, op.exp.8, op.exp.9,
SIM-02, AU-6, mp.per.3, op.ext.2,
SIM-03, AU-9, mp.eq.3 op.cont.1
SIM-04, AU-12,
SIM-05 CA-1,
CA-7,
IR-1,
IR-2,
IR-4,
IR-5,
IR-6,
IR-9,
SI-4,
SI-5

AU-2,
AU-3,
AU-5,
AU-6,
AU-9,
AU-12,
CA-1,
CA-7,
IR-1,
IR-2,
IR-4,
IR-5,
IR-6,
IR-9,
SI-4,
SI-5
SIM-01, IR-2, mp.eq.3 op.mon.2
SIM-02 IR-4,
IR-5,
IR-6,
IR-7,
IR-8,
IR-9

PS-02, CP-1, op.pl.4,


OPS-01, CP-2, op.cont.1
OPS-02, CP-4,
OPS-03, CP-10
OPS-17
PS-02, CP-1, op.ext.2,
PS-06, CP-2, op.cont.1
OPS-01, CP-4,
OPS-02, CP-10
OPS-03,
OPS-09,
OPS-17

SA-2

OIS-03, op.ext.1
PI-02,
PI-03,
PSS-01
HR-06, CA-3, org.2, op.ext.1,
DEV-02, PS-7, org.4 op.ext.2
SSO-01, SA-9
SSO-02

mp.info.1 op.ext.1,
op.ext.2
OPS-04, CA-2, op.acc.6,
OPS-05, CA-7, op.exp.6,
DEV-10, RA-5, mp.s.1
PSS-02 SI-2,
SI-3

OPS-04, CA-2, op.exp.6,


OPS-05, CA-7, mp.com.3,
PSS-02 RA-5, mp.s.1
SI-2,
SI-3
OPS-04, CA-2, org.1, op.exp.3,
OPS-05, CA-7, op.pl.2, mp.sw.1,
OPS-18, RA-5, op.acc.7, mp.sw.2
OPS-19, SI-2, op.exp.6,
OPS-20, SI-3 mp.com.3
OPS-22,
OPS-23,
PSS-02,
PSS-03,
PSS-09

OPS-04, CA-2, op.exp.6 mp.sw.2


OPS-05, CA-2 (1),
OPS-18, IA-6,
OPS-19, RA-5,
OPS-20, SI-3
PSS-02
OIS-05, SA-5, org.3,
PSS-03 SI-5 op.pl.3

OIS-03,
PSS-02,
PSS-03

OPS-04, RA-5 org.1, op.exp.5,


OPS-05, op.exp.6 mp.sw.1,
OPS-18, mp.sw.2
OPS-20,
OPS-22,
OPS-23,
PSS-02,
PSS-03
OPS-05, MA-2, op.pl.2, op.exp.3,
OPS-18, SI-2 op.acc.7, op.ext.2,
OPS-19, op.exp.4, mp.sw.2
OPS-20, mp.com.3
OPS-22,
OPS-23,
COS-01,
COS-02,
SSO-01,
PSS-02,
PSS-03

AM-05, op.exp.3
OPS-04,
OPS-05
COS-07, CA-3,
PI-01 CA-9,
SA-5

OIS-05, IR-6 org.1, op.exp.7


OPS-21, org.4
PI-01,
SIM-01,
SIM-02,
SIM-05,
INQ-01

OIS-05

CM-10 op.exp.1
IDM-07

INQ-01,
INQ-03,
INQ-04

SC-20,
SC-21,
SC-22

AC-22
asic Requirements must be met
ain Spanish ENS Medium and
High
Spanish ENS High
ISMAP Reference PCI Reference
Control Ref

op.pl.5 12.7.1, 6.4.6,


13.1.1.7, 10.1
17.1.3,
18.1.1,
18.2.1,
18.2.1.9.P,
18.2.1.12.P,
18.2.1.13.P,
18.2.2,
18.2.3,

3.1.4.1,
3.1.4.2,
3.1.4.3,
3.1.4.4,
3.1.5.2,
3.1.5.5,
3.1.6.1,
3.1.6.2,

4.4.1.1,
4.4.1.2,
4.4.6.1,
4.4.7.1,
4.4.7.2,
4.4.7.3,
4.4.7.4,
4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.4,
4.4.8.5,
4.5.1.1,
4.5.5.2,
4.5.5.3,
4.6.1.1,
4.6.2.1,
4.6.2.2,
4.6.2.3,
12.11.a,
12.11.b,
12.11.1

op.exp.3 6.1.5,
12.6.1,
13.1.1,
14.1.3,
14.2.8,
3.1.2.1,
3.1.2.2,
3.1.2.3,
3.1.4.1,
3.1.4.2,
3.1.4.4

13.2.4,
15.1.1,
15.1.1.14.B,
15.1.1.16.B,
15.1.2,
18.1.1,
18.1.1.5.P,
4.4.2.1,
4.4.3.1,
4.4.8.2,
3.1.4.2,
3.1.5.3

op.pl.5,
mp.com.2,
mp.com.3,
mp.si.2,
mp.si.5,
mp.info.4,
mp.info.5,
mp.s.2
op.ext.9, 11.2.3, 12.10.1.a,
op.cont.1, 12.3.1, 12.10.1.b,
op.cont.2, 17.1.1, 12.10.2
op.cont.3, 17.1.2,
mp.inf.9, 17.1.3
mp.eq.9,
mp.com.9,
mp.s.9

13.2.4,
18.1.1,
18.1.1.5.P,
4.4.3.1

op.cont.2,
mp.per.9
8.2.3.5

op.ext.9, 17.1.2,
op.cont.2, 17.2.1
mp.if.9,
mp.eq.9
op.exp.10 12.4.1, 10.7.a,
16.1.7 10.7.b,
10.7.c

op.exp.10, 12.3.1, 12.10.1.a,


op.ext.9, 17.2.1 12.10.1.b
mp.eq.9
op.ext.9, 12.3.1,
mp.eq.9, 17.1.2,
mp.info.9 17.1.3,
17.2.1

6.3.1.1.PB,
12.1.5.1.PB,
12.3.1.16.P,
12.3.1.17.P,
12.3.1.18.P,
12.3.1.19.P,
12.3.1.20.P,
12.3.1.21.P,
12.3.1.22.P,
12.3.1.23.P,
12.3.1.24.P

9.5.1
op.exp.5, 12.1.5.P, 6.3.a,
op.ext.2, 14.2.1, 6.3.b,
mp.sw.1 14.2.1.13.PB, 6.3.c,
14.2.2, 6.3.d,
14.2.3, 6.4.5.a,
14.2.4, 6.4.5.b,
14.2.5, 6.4.5.1,
14.2.6, 6.7
14.2.8,
14.2.9,
4.5.4.4

op.exp.5 9.4.4, 6.3.a,


12.1.2, 6.3.b,
12.5.1.17, 6.3.c,
12.5.1.18, 6.3.d
14.2.4,
15.2.2,
13.1.1,
4.5.4.4,
4.5.4.5

op.acc.3, 6.1.2, 1.1.1.a,


op.exp.5, 9.4.4, 1.1.1.b,
mp.sw.1 9.4.5, 1.1.1.c,
12.1.2, 6.3.a,
12.1.5.P, 6.3.b,
12.4.3, 6.3.c,
12.5.1, 6.3.d,
12.5.1.2, 6.3.2.a,
12.6.2, 6.3.2.b,
14.2.1, 6.4,
14.2.2, 6.4.5.1,
14.2.3, 6.4.5.2,
14.2.4, 6.4.5.3.a,
14.2.5, 6.4.5.3.b,
14.2.6, 6.4.6,
14.2.7, 10.4.2.a,
14.2.8, 10.4.2.b
14.2.9,
4.5.4.1,
4.5.4.2,
op.exp.5 12.1.2,
14.2.2

op.exp.5, 12.1.2.6,
op.exp.7, 12.1.2.11.PB,
op.exp.9 13.2.1,
14.2.2,
16.1.7,
4.5.3.1
op.exp.3 12.5.1, 1.2.2.a,
12.5.1.7, 1.2.2.b,
12.6.2, 10.4.2.a,
13.1.4.P 10.4.2.b,
11.4.a,
11.4.b,
11.4.c,
11.5.a,
11.5.b,
11.5.1

op.exp.5, 6.1.5, 1.2.2.a,


mp.sw.1, 9.4.4, 1.2.2.b,
mp.sw.2 9.4.5, 10.5.5,
12.1.2, 11.4.a,
12.5.1, 11.4.b,
12.6.2, 11.4.c,
14.2.1, 11.5.a,
14.2.2, 11.5.b,
14.2.3, 11.5.1,
14.2.4, 12.10.5
14.2.5,
14.2.6
op.acc.3, 6.1.2, 6.4.2,
op.exp.5, 9.1.2, 6.4.6,
mp.sw.1 9.2.3, 11.5.a,
9.4.4, 11.5.b,
9.4.5, 11.5.1
12.1.2,
12.1.5.P,
12.4.1.7,
12.4.3,
12.5.1.18,
14.2.1,
14.2.2,
14.2.3,
14.2.4,
14.2.5,
14.2.6,
4.5.4.4

mp.sw.1 6.1.2, 12.3.7


9.1.2,
9.2.3,
9.4.4,
12.1.5.P,
12.5.1,
12.6.2,
12.6.2.1,
14.2.4,
18.1.2

op.exp.5, 6.1.5, 6.4.5.4


mp.sw.1 9.4.4,
12.1.2.3,
12.1.2.7,
12.5.1.8,
14.2.1,
14.2.2,
4.5.4.4
11.5.a,
11.5.b

9.4.4.10.P,
9.4.4.11.P

op.mon.1 6.2.2, 9.1,


11.1.1, 9.1.1.a,
11.1.2, 9.1.1.b,
11.1.3, 9.1.1.c,
11.1.5, 9.5
11.1.6,
13.1.1,
13.1.2
op.ext.2, 11.1.4,
mp.if.6 11.2.1,
11.2.2,
11.2.3,
11.2.4

mp.if.6 11.1.4,
11.2.1,
11.2.2,
11.2.3,
11.2.4

6.1.3.3.PB
6.2.2, 9.1,
11.1.1, 9.2.a,
11.1.2, 9.2.b,
11.1.3, 9.2.c,
11.1.5, 9.2.d,
11.1.6, 9.3.a,
13.1.1, 9.3.b,
13.1.2 9.3.c,
9.4,
9.4.1.a,
9.4.1.b,
9.4.2.a,
9.4.2.b,
9.5

9.2.6 9.2.a,
9.2.b,
9.2.c,
9.3.a,
9.3.b,
9.3.c,
9.4,
9.4.3,
9.5

9.1.1, 9.5
9.2.1,
9.2.2,
9.2.3,
9.2.5,
9.2.6,
9.4.1
9.1.1.a,
9.1.1.b,
9.1.1.c,
9.4.1.a,
9.4.1.b,
9.4.4.a,
9.4.4.b,
9.4.4.c

9.1.1.a,
9.1.1.b,
9.1.1.c

9.9,
9.9.2.a,
9.9.2.b

mp.si.2 6.2.2, 9.5,


8.1.2, 9.6,
8.2.3, 9.6.2.a,
8.3.1, 9.6.2.b,
8.3.2, 9.6.3
8.3.3,
11.2.5,
11.2.6,
11.2.7,
11.2.7.4.PB,
13.2.1,
13.2.1.1,
13.2.2,
13.2.3.5,
15.1.1.14.B,
18.1.3
op.pl.4, 8.2.3,
11.2.7.4.PB

op.ext.2 5.1.1,
5.1.2,
6.2.2,
8.2.3,
11.2.5,
11.2.6,
11.2.7,
11.2.7.4.PB,
11.2.8,
13.2.1,
13.2.3,
4.5.4.5
mp.if.9 5.1.1,
5.1.2,
6.2.2,
11.1.5

6.2.2, 9.1.2,
11.1.2, 9.1.3,
11.1.3, 9.4
11.1.5,
11.1.6
5.1.1, 3.2.a,
8.2.1, 3.2.b,
8.2.2, 3.2.c,
8.2.3, 3.2.d,
11.2.9, 3.7
14.3.1,
18.1.3

8.1.1, 1.1.2.a,
8.1.2, 1.1.2.b,
8.2.1, 1.1.3,
8.2.2 1.1.4.a,
1.1.4.b,
1.1.4.c,
2.4.a,
2.4.b,
9.6.1,
9.7,
9.7.1,
9.9,
9.9.1.a,
9.9.1.b,
9.9.1.c,
12.3.3,
12.3.4

8.1.2, 9.6.1,
8.2.1, 12.3.3,
8.2.2, 12.3.4
12.6.1.6
8.1.1.6.PB

6.3.1.1.PB,
8.2.2.7.PB,
12.1.5.1.PB,
14.1.1.20.P,
16.1.7.13.PB

8.2.1, 9.6,
8.2.2, 9.6.1,
8.2.3, 9.7,
18.1.3, 9.10
18.1.4

4.2.a,
4.2.b
9.9,
9.9.1.a,
9.9.1.b,
9.9.1.c,
11.1.a,
11.1.b,
11.1.c,
11.1.d,
12.3.3,
12.3.4,
9.6.1,
9.7,
9.7.1

11.1.a,
11.1.b,
11.1.c,
11.1.d,
11.1.1

op.exp.7, 6.1.4,
op.exp.9, 16.1.1,
op.mon.2 16.1.1.6.P,
16.1.1.15.P,
16.1.2,
16.1.2.11.P,
16.1.2.13.P,
16.1.4,
16.1.5,
16.1.7,
3.1.5.4,
3.1.5.5,
4.4.4.1
14.1.2 1.1.2.a,
1.1.2.b,
1.1.3,
1.1.4,
4.1.a,
4.1.b,
4.1.c,
4.1.d,
4.1.e,
4.1.f,
4.1.g,
4.1.1

9.4.5.2, 4.2.a,
12.1.4.9, 4.2.b,
14.3.1 6.4.3.a,
6.4.3.b,
12.3.10.a,
12.3.10.b
8.3.2, 9.8,
11.2.7 9.8.1.a,
9.8.1.b

mp.si.5 8.3.2, 9.8,


11.2.7 9.8.2
mp.si.5 8.3.2, 3.1.a,
11.2.7, 3.1.b,
18.1.4 3.1.c

8.3.2, 3.1.a,
11.2.7 3.1.b,
3.1.c,
3.2.a,
3.2.b,
3.2.c,
3.2.d,
9.8,
9.8.1.a,
9.8.1.b
mp.eq.1 9.8,
9.8.1.a,
9.8.1.b,
9.8.2

13.1.1.11.P

3.6.8.a,
3.6.8.b,
3.6.a,
3.6.b

mp.com.2, 10.1.1, 2.1.1.a,


mp.info.4 10.1.2, 2.1.1.b,
18.1.3, 2.1.1.c,
18.1.5 2.1.1.d,
2.1.1.e,
3.5,
3.5.1,
3.5.2,
3.5.4,
3.6.a,
3.6.b,
3.6.1.a,
3.6.1.b,
3.6.2.a,
3.6.2.b,
3.6.3.a,
3.6.3.b,
3.6.4.a,
3.6.4.b,
3.6.5.a,
3.6.5.b,
3.6.7.a,
3.6.7.b,
3.6.8.a,
3.6.8.b,
4.3
mp.com.2 10.1.1, 1.2.1.a,
13.1.1.4, 1.2.1.b,
13.2.3, 1.2.1.c,
18.1.3 1.2.3.a,
1.2.3.b,
4.1.a,
4.1.b,
4.1.c,
4.1.d,
4.1.e,
4.1.g,
4.1.f

6.3.1.1.PB,
8.1.2.7.PB,
10.1.1.9.PB,
10.1.1.10.P,
10.1.2.20.PB,
18.1.3.13.PB,
18.1.5.7.PB

mp.com.2 8.3.1, 2.3,


11.2.6, 2.3.a,
11.2.8, 2.3.b,
18.1.3 2.3.c,
2.3.d,
9.5
mp.com.2, 8.2.3, 1.2.1.a,
mp.si.2, 8.3.1, 1.2.1.b,
mp.info.3, 10.1.1, 1.2.1.c,
mp.info.4, 10.1.2, 1.2.3.a,
mp.info.9 13.1.1.4, 1.2.3.b,
13.1.2, 2.2.4.a,
13.2.1, 2.2.4.b,
13.2.3, 2.2.4.c,
13.2.3.2, 2.3,
13.2.3.5, 2.3.a,
14.1.2, 2.3.b,
14.1.3, 2.3.c,
18.1.3, 2.3.d,
18.1.4, 3.4.a,
18.1.5 3.4.b,
3.4.c,
3.4.d,
3.4.e,
3.5,
3.5.3.a,
3.5.3.b,
3.5.3.c,
3.6.a,
3.6.b,
3.6.1.a,
3.6.1.b,
3.6.7.a,
3.6.7.b,
4.1.a,
4.1.b,
4.1.c,
4.1.d,
4.1.e,
4.1.g,
4.1.f,
4.1.1,
8.2.1.a,
8.2.1.b,
8.2.1.c,
mp.si.2, 10.1.2, 3.5.2,
mp.info.3 18.1.5 3.6.a,
3.6.b,
3.6.2.a,
3.6.2.b,
3.6.3.a,
3.6.3.b,
3.6.7.a,
3.6.7.b

3.3.a,
3.3.b,
3.3.c,
3.4.a,
3.4.b,
3.4.c,
3.4.d,
3.4.e
3.4.1.a,
3.4.1.b,
3.4.1.c

3.5.3.a,
3.5.3.b,
3.5.3.c,
3.6.a,
3.6.b,
3.6.1.a,
3.6.1.b,
3.6.3.a,
3.6.3.b

3.6.a,
3.6.b,
3.6.4.a,
3.6.4.b,
3.6.5.a,
3.6.5.b,
3.6.7.a,
3.6.7.b

3.6.a,
3.6.b,
3.6.4.a,
3.6.4.b,
3.6.5.a,
3.6.5.b,
3.6.7.a,
3.6.7.b

3.6.6.a,
3.6.6.b,
3.6.a,
3.6.b
op.exp.3 13.1.1, 1.1.1.a,
13.1.2 1.1.1.b,
1.1.1.c,
1.2.1.a,
1.2.1.b,
1.2.1.c,
1.2.2.a,
1.2.2.b,
1.5,
2.1.a,
2.1.b,
2.1.c,
2.1.1.a,
2.1.1.b,
2.1.1.c,
2.1.1.d,
2.1.1.e,
2.1.1.d,
2.1.1.e,
2.2.a,
2.2.b,
2.2.c,
2.2.d,
2.2.2.a,
2.2.2.b,
2.2.3,
2.2.4.a,
2.2.4.b,
2.2.4.c,
2.2.5.a,
2.2.5.b,
2.2.5.c,
4.3,
5.3.a,
5.3.b,
5.3.c,
5.4

9.1.2, 1.2,
13.1.1, 1.2.1.a,
13.1.2 1.2.1.b,
1.2.1.c,
1.2.3.a,
1.2.3.b,
1.3,
9.1.2

mp.com.2
op.pl.2, 6.1.1,
op.cont.1 6.1.1.13.P,
6.1.5,
6.3.1.P,
12.6.1,
14.1.1,
15.1.1,
17.1.1,
17.1.2,
17.1.3,
3.1.2.1,
3.1.2.2,
3.1.2.3,
3.1.3.1,
3.1.4.1,
3.1.4.2,
3.1.4.3,
3.1.4.4,
4.4.1.1,
4.4.2.1,
4.4.3.1,
4.4.4.1,
4.4.5.1,
4.4.5.2,
4.4.6.1,
4.4.7.1,
4.4.7.2,
4.4.7.3,
4.4.7.4,
4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.4,
4.4.8.5,
4.5.3.1,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
op.cont.1 6.1.5, 5.1.2,
12.6.1, 12.2.a,
14.1.1, 12.2.b
15.1.1,
17.1.1,
17.1.2,
17.1.3,
3.1.2.1,
3.1.2.2,
3.1.2.3,
3.1.3.1,
3.1.4.1,
3.1.4.2,
3.1.4.3,
3.1.4.4,
4.4.2.1,
4.4.5.2,
4.4.7.1,
4.4.7.2,
4.4.7.3,
4.4.7.4,
4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.4,
4.4.8.5,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
4.5.4.5,
4.5.5.1,
4.5.5.2,
4.5.5.3,
4.6.1.1,
4.6.2.1,
4.6.3.1,
4.6.3.2,
4.6.3.3,
9.5.1.4.P

12.8,
12.8.2,
12.8.3,
12.8.5
6.1.1, 1.1.5.a,
18.2.1, 1.1.5.b,
18.2.2, 12.4.a,
18.2.3, 12.4.b,
3.1.2.1, 12.5,
3.1.2.3, 12.5.1,
3.1.3.1, 12.5.2,
3.1.3.2, 12.5.2,
3.1.3.3, 12.5.4,
3.1.3.4, 12.10.3,
3.1.5.4, 12.10.4
3.1.5.5,
3.1.6.1,
3.1.6.2,
4.4.1.1,
4.4.1.2,
4.4.1.3,
4.4.4.1,
4.4.5.1,
4.4.5.3,
4.4.6.1,
4.5.1.1,
4.5.1.2
4.5.2.2
4.5.2.7
4.5.3.1
4.6.1.2
4.6.2.1
4.8.1.1
4.8.2.1
6.1.1,
6.1.4,
4.4.1.1,
4.4.1.2,
4.4.1.3,
4.4.5.1,
4.4.5.2,
4.4.5.3,
4.4.6.1,
4.5.1.1,
4.5.2.4,
4.5.2.5,
4.5.3.1,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
4.5.4.5,
4.6.1.1,
4.6.2.3,
4.6.2.4,
4.6.2.6,
4.6.2.7,
4.6.3.1,
4.6.3.2,
4.6.3.3,
4.6.3.4,
4.8.1.1,
4.8.2.1
6.1.4,
12.7.1,
18.1.1,
18.2.1,
18.2.2,
18.2.3,
4.4.1.1,
4.4.1.2,
4.4.1.3,
4.4.5.1,
4.4.5.2,
4.4.5.3,
4.4.6.1,
4.5.1.1,
4.5.1.2,
4.5.3.1,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
4.5.4.5,
4.6.1.1,
4.6.2.2,
4.6.2.3,
4.6.2.4,
4.6.2.5,
4.6.2.6,
4.6.2.7,
4.6.3.1,
4.6.3.2,
4.6.3.3,
4.6.3.4,
4.8.1.1,
4.8.2.1,
4.9.1.1,
4.9.2.1,
3.1.2.1,
3.1.5.4
6.1.1, 1.1.5.a,
18.2.1, 1.1.5.b,
18.2.2, 12.4.a,
18.2.3, 12.4.b,
3.1.2.1, 12.5,
3.1.2.3, 12.5.1,
3.1.3.1, 12.5.2,
3.1.3.2, 12.5.2,
3.1.3.3, 12.5.4,
3.1.3.4, 12.10.3,
3.1.5.4, 12.10.4
3.1.5.5,
3.1.6.1,
3.1.6.2,
4.4.1.1,
4.4.1.2,
4.4.1.3,
4.4.4.1,
4.4.5.1,
4.4.5.3,
4.4.6.1,
4.5.1.1,
4.5.1.2
4.5.2.2
4.5.2.7
4.5.3.1
4.6.1.2
4.6.2.1
4.8.1.1
4.8.2.1

6.1.1.13.PB,
6.3.1.P,
15.1.2,
15.1.2.18.PB,
15.1.3,
15.1.3.10.P,
15.1.3.11.P,
15.2.2,
16.1.1.6.P,
16.1.7.13.PB,
18.1.3.13.PB,
18.2.1.9.P,
3.1.5.3
op.pl.1 4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.5

3.1.2.1,
3.1.2.2,
3.1.2.3,
3.1.3.2,
3.1.3.3,
3.1.3.4,
3.1.4.1,
3.1.4.3,
3.1.5.4,
4.5.1.1,
4.6.1.1,
4.6.2.3,
4.6.2.4,
4.6.2.5,
4.6.2.6,
4.6.3.1,
4.6.3.2,
4.6.3.3,
4.6.3.4,
4.9.1.1,
4.9.2.1,
4.9.2.2

3.1.2.1,
3.1.2.2,
3.1.2.3,
3.1.3.1,
3.1.3.2,
3.1.3.3,
3.1.3.4,
3.1.4.1,
3.1.4.3,
3.1.5.4,
4.5.1.1,
4.4.5.2,
4.5.1.2,
4.5.2.1
4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.5

6.1.4, 1.5,
16.1.3, 3.7,
16.1.6, 4.3,
4.5.3.1, 5.4,
4.9.2.2, 6.7,
3.1.4.4, 7.3,
3.1.5.2 8.1.a,
8.1.b,
8.4.a,
8.4.b,
8.4.c,
8.8,
9.10,
10.8.a,
10.8.b,
10.9,
11.6,
12.3.6

3.1.2.3,
3.1.3.3,
4.5.1.1,
4.5.1.2,
4.5.5.3
5.1.1, 1.1.6.a,
5.1.2, 1.1.6.b,
6.1.1, 1.1.6.c,
11.2.9, 6.7,
3.1.2.1, 7.3,
3.1.3.2, 8.1.a,
3.1.3.4, 8.1.b,
4.4.1.2, 8.4.a,
4.4.2.1, 8.4.b,
4.4.3.1, 8.4.c,
4.4.4.1, 8.8,
4.4.5.1, 9.10,
4.4.5.3, 10.9,
4.8.1.1, 11.6,
4.8.2.2, 12.1,
4.9.1.1 12.1.1,
12.3,
12.3.1,
12.3.2,
12.3.6,
12.4.a,
12.4.b,
12.5,
12.5.1

op.ext.2 6.3.1.P,
15.1.1.16.B,
15.1.2.18.PB,
15.1.3.10.P,
3.1.3.2,
3.1.3.4,
4.4.5.3,
4.9.1.1
5.1.1.22.P,
5.1.1.23.P,
5.1.1.24.P,
5.1.1.25.P,
5.1.1.26.P,
5.1.1.27.P,
5.1.1.28.P,
5.1.1.29.P,
5.1.1.30.P,
5.1.1.31.P,
6.1.1.13.PB,
6.3.1.P,
14.2.5.7,
15.1.2.18.PB,
15.1.3.10.P,
18.1.3.13.PB,
3.1.3.2,
3.1.3.4,
4.4.5.3,
4.9.1.1

6.3.1.1.PB,
12.4.5.P,
12.4.5.4.P,
12.4.5.5.P,
13.1.3.12.P,
14.1.1.19.P,
14.1.1.20.P,
14.2.1.13.PB,
18.1.3.13.PB,
18.2.1.9.P,
18.2.1.10.P,
18.2.1.11.P,
18.2.1.12.P,
3.1.4.2,
3.1.5.1
op.pl.2, 5.1.1, 1.5,
op.acc.7 5.1.2, 2.2.a,
12.1.1, 2.2.b,
12.1.5.P, 2.2.c,
3.1.3.2, 2.2.d,
3.1.3.4, 3.5,
4.4.1.1, 3.5.1,
4.4.2.1, 3.7,
4.4.4.1, 5.4,
4.4.5.1, 6.7,
4.4.5.3, 7.3
4.5.2.1,
4.5.2.6,
4.5.2.7,
4.5.2.8,
4.5.3.1,
4.8.1.1,
4.8.2.1,
4.9.1.1

4.4.5.3, 1.1.6.a,
4.9.1.1, 1.1.6.b,
3.1.4.2 1.1.6.c

16.1.7,
18.1.4
12.4.1.a,
12.4.1.b

7.1.2.6,
7.2.1,
7.2.3,
4.4.1.2,
4.5.2.6,
4.5.2.7,
4.5.2.8,
4.8.2.2,
3.1.4.2
op.cont.1 6.1.1,
6.1.5,
12.7.1,
14.1.1,
16.1.4,
16.1.6,
17.1.1,
17.1.2,
17.1.3,
18.2.1,
18.2.2,
18.2.3,
3.1.2.1,
3.1.2.2,
3.1.2.3,
3.1.3.1,
3.1.3.3,
3.1.3.4,
3.1.4.1,
3.1.4.2,
3.1.4.3,
3.1.4.4,
3.1.6.1,
4.4.1.1,
4.4.5.1,
4.4.5.2,
4.4.6.1,
4.4.7.1,
4.4.7.2,
4.4.7.3,
4.4.7.4,
4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.4,
4.4.8.5,
4.5.4.1,
4.5.4.2,
4.5.4.3,
mp.per.1 7.1.1, 12.7
4.5.2.3,
4.5.2.4,
4.5.2.5
mp.per.1 7.1.1.6,
7.1.2.7,
7.2.1,
4.5.2.2,
4.5.2.3,
4.5.2.4,
4.5.2.5

op.ext.1, 7.1.1.11, 12.3,


mp.per.1 7.1.2, 12.3.1,
7.2.1, 12.3.5
7.3.1,
8.1.3.1,
13.2.4,
14.2.7,
15.1.2,
15.1.3,
18.1.2
op.ext.1 7.1.2,
7.2.1,
7.3.1,
8.1.3.1,
13.2.4,
18.1.2

mp.per.1 7.1.2, 12.3,


7.2.1, 12.3.1,
8.1.3, 12.3.5,
8.1.3.2, 12.3.6
9.4.2.1,
11.2.8,
18.1.2,
4.5.2.1
7.2.1.6,
7.2.2,
7.2.2.19.PB,
4.4.1.3,
4.5.1.2,
4.5.2.3,
4.5.2.4,
4.5.2.5,
4.6.1.2

7.2.1.6,
7.2.2,
7.2.2.19.PB,
4.4.1.3,
4.5.1.2,
4.5.2.3,
4.5.2.4,
4.5.2.5,
4.6.1.2

6.2.1,
9.1.2,
9.2.4
6.1.1,
6.1.3,
4.4.1.2,
4.4.1.3,
4.4.5.1,
4.4.6.1,
4.6.1.2

mp.per.1 7.1.2.7,
4.4.1.2

7.2.1, 12.6.a,
7.2.2, 12.6.b,
7.2.2.19.PB, 12.6.1.a,
14.2.5.7, 12.6.1.b,
15.1.1, 12.6.1.c,
4.4.1.1, 12.6.2
4.4.1.2,
4.4.1.3,
4.5.1.2,
4.5.2.1,
4.5.2.2,
4.5.2.3,
4.5.2.4,
4.5.2.5,
4.5.2.6,
2.5.2.7,
4.5.2.8,
4.6.1.2,
3.1.3.4,
3.1.4.4
7.2.1.6, 12.6.1.a,
7.2.2, 12.6.1.b,
7.2.2.19.PB 12.6.1.c

14.2.1.11, 6.5.a,
14.2.1.13.PB, 6.5.b,
14.2.5 6.5.c

9.9.3.a,
9.9.3.b
op.exp.7 7.2.1.7,
16.1.2,
16.1.3,
3.1.5.4

9.1.1, 2.1.a,
9.1.2, 2.1.b,
9.2.3, 2.1.c,
9.2.5, 7.1.2.a,
9.3.1, 7.1.2.b,
9.4.1, 8.7.a,
9.4.4, 8.7.b,
9.4.5, 8.7.c,
12.4.3, 8.7.d
12.4.5.2.P
op.acc.3 12.4.1.8, 10.2.3,
12.4.2, 10.5,
12.4.3, 10.5.1,
12.4.5.2.P, 10.5.2,
16.1.1, 10.5.3,
16.1.7, 10.5.4
18.1.3

op.exp.10 12.4.2, 10.2.6,


12.4.2.2, 10.5.5
12.4.5.2.P,
18.1.3
12.4.1, A1,
12.4.3.1, A1.1,
16.1.1 A1.2.a,
A1.2.b,
A1.2.c,
A1.2.d,
A1.2.e,
A1.3,
A1.4

8.1.5.a,
8.1.5.b,
12.3.8.a,
12.3.8.b,
12.3.9

8.5.1
mp.com.2 6.2.2, 1.4.a,
9.1.2, 1.4.b,
9.2.4, 2.3,
9.3.1, 2.3.a,
9.4.1, 2.3.b,
9.4.2, 2.3.c,
9.4.2.2.B, 2.3.d,
9.4.3, 8.3,
11.2.6, 8.3.1.a,
11.2.8, 8.3.1.b,
13.1.1, 8.3.2.a,
13.1.1.8, 8.3.2.b
13.1.2

op.acc.3 6.1.2, 7.1,


9.1.1, 7.1.1,
9.1.2, 7.1.2.a,
9.2.1, 7.1.2.b,
9.2.2, 7.1.3,
9.2.3, 7.1.4,
9.2.6, 7.2,
9.4.1, 7.2.1,
12.4.5.2.P, 7.2.2,
14.1.1 8.1.a,
8.1.b,
8.1.2,
8.7.a,
8.7.b,
8.7.c,
8.7.d,
10.2.5.a,
10.2.5.b,
10.2.5.c,
12.5.4,
12.5.5
6.3.1.1.PB,
9.2.1.6.PB,
9.2.2.8.PB,
9.2.3.11.PB,
9.2.4.9.PB,
9.4.2.2.B

9.1.1, 7.1,
9.1.2, 7.1.2.a,
9.2.1, 7.1.2.b,
9.2.2, 7.1.3,
9.2.3, 7.1.4,
9.2.5, 7.2,
9.2.6, 7.2.1,
9.4.1 7.2.2,
8.1.2,
12.5.5

op.acc.3 9.2.1.1, 8.1.a,


9.2.4, 8.1.b,
9.3.1, 8.1.1,
9.4.1, 12.3.2
9.4.2,
9.4.3.1
9.1.2, 8.2,
9.2.4, 8.2.1.a,
9.3.1, 8.2.1.b,
9.4.1, 8.2.1.c,
9.4.2, 8.2.1.d,
9.4.3, 8.2.1.e,
11.2.6, 8.2.3.a,
11.2.8, 8.2.3.b,
13.1.1, 8.2.4.a,
13.1.2 8.2.4.b,
8.2.5.a,
8.2.5.b,
8.6.a,
8.6.b,
8.6.c,
12.3.2

mp.eq.2 9.1.2, 8.2,


9.2.4, 8.2.1.a,
9.3.1, 8.2.1.b,
9.4.1, 8.2.1.c,
9.4.2, 8.2.1.d,
9.4.3, 8.2.1.e,
11.2.6, 8.2.3.a,
11.2.8, 8.2.3.b,
11.2.9.4, 8.2.4.a,
13.1.1, 8.2.4.b,
13.1.2, 8.2.5.a,
13.1.3 8.2.5.b,
8.6.a,
8.6.b,
8.6.c,
12.3.2,
8.2.6

6.3.1.1.PB,
9.2.1.6.PB,
9.2.2.8.PB,
9.2.3.11.PB,
9.4.1.8.PB,
9.4.2.2.B
9.4.2 8.5.a,
8.5.b,
8.5.c,
8.6.a,
8.6.b,
8.6.c,
A1,
A1.2.a,
A1.2.b,
A1.2.c,
A1.2.d,
A1.2.e

9.4.2.9, 8.1.4,
9.4.3 8.1.6.a,
8.1.6.b,
8.1.7,
10.2,
10.2.4,
10.6

op.acc.6 9.4.1.8.PB 8.1.8

op.acc.5 9.2.3.10, 8.2.2


9.2.4.4
op.acc.6

op.acc.5, 8.1.8,
mp.eq.2 12.3.8.a,
12.3.8.b

op.acc.6

9.2.4.8 2.1.a,
2.1.b,
2.1.c,
2.1.1.a,
2.1.1.b,
2.1.1.c,
2.1.1.d,
2.1.1.e,
8.2.6
op.acc.6 9.4.2.10,
12.4.1.5

mp.info.5, 13.2.3.4
mp.info.9

10.1,
10.2,
10.2.1,
10.2.2,
10.2.3,
10.2.4,
10.2.5.a,
10.2.5.b,
10.2.5.c,
10.2.6,
10.2.7,
10.6.1.a,
10.6.1.b,
A1,
A1.3

9.1.1.4,
9.1.1.5,
9.1.1.6,
9.1.1.7,
9.1.1.8,
9.1.1.9,
9.1.1.10,
9.1.1.11,
9.1.1.12,
9.1.1.13,
9.1.1.14,
9.1.1.15
7.3.1, 8.1.2,
8.1.4.4, 8.1.3.a,
9.2.1, 8.1.3.b
9.2.3.10,
9.2.6

7.3.1, 8.1.2,
8.1.4.4, 8.1.3.a,
9.2.1, 8.1.3.b,
9.2.3.10, 12.5.4
9.2.6
8.1.4 12.5.4

7.3.1.1

9.2.2, 8.1.2,
9.2.3.10, 12.5.4
9.2.5.3

op.mon.1, 12.6.1, 11.1.a,


mp.s.8 13.1.1, 11.1.b,
13.1.2, 11.1.c,
14.1.2, 11.1.d,
14.1.3, 11.4.a,
16.1.1 11.4.b,
11.4.c,
12.10.5
12.5.1,
12.6.2

13.1.1,
13.1.2,
13.1.3.11.P

5.1.1.24.P,
5.1.1.28.P,
9.5.1.P,
9.5.2.P,
9.5.2.1.PB,
13.1.4.P,
13.1.4.1.P,
13.1.4.2.P

1.3.6

op.exp.10 12.4.4, 10.4,


12.4.4.4.PB 10.4.1.a,
10.4.1.b,
10.4.2.a,
10.4.2.b,
10.4.3
10.4,
10.4.2.a,
10.4.2.b

op.mon.1 9.4.5, 1.1,


13.1.1, 1.1.1.a,
13.1.2, 1.1.1.b,
13.2.3.1, 1.1.1.c,
14.2.6, 1.1.4.a,
18.1.3 1.1.4.b,
1.1.4.c,
1.1.5.a,
1.1.5.b,
1.1.6.a,
1.1.6.b,
1.1.6.c,
1.2.3.a,
1.2.3.b,
1.3,
1.3.3,
1.3.4,
1.3.5,
1.3.7.a,
1.3.7.b,
1.4.a,
1.4.b

13.1.1, 1.1,
13.1.2 1.1.1.a,
1.1.1.b,
1.1.1.c,
1.1.4.a,
1.1.4.b,
1.1.4.c,
1.1.5.a,
1.1.5.b,
1.1.6.a,
1.1.6.b,
1.1.6.c,
1.1.7.a,
1.1.7.b,
1.2,
1.2.1.a,
1.2.1.b,
1.2.1.c,
1.5
mp.com.1

1.3.1,
1.3.2,
1.3.3,
1.3.4

1.3.5

1.3.7.a,
1.3.7.b

op.mon.1, 12.1.4, 1.1.4.a,


mp.com.2, 13.1.1, 1.4.4.b,
mp.com.4 13.1.2, 1.1.4.c
13.1.3,
13.1.3.11.P
9.4.1.7, 2.6,
9.5.1.P, A1,
9.5.1.1.P, A1.1,
9.5.1.2.P, A1.2.a,
9.5.1.3.P, A1.2.b,
12.4.5.3.P, A1.2.c,
13.1.3, A1.2.d,
13.1.3.10.P A1.2.e
13.1.3.11.P
13.1.3.12.P

op.acc.3, 9.4.1.7, 6.4.1.a,


op.exp.5, 9.4.5.2, 6.4.1.b
mp.sw.1, 9.5.1.1.P,
mp.com.4 12.1.4,
12.5.1.5,
13.1.3.11.P,
14.2.6

9.1.2, 1.1.1.a,
13.1.1, 1.1.1.b,
13.1.1.2, 1.1.1.c,
13.1.1.9, 1.2.3.a,
13.1.2, 1.2.3.b,
13.1.3 1.3,
1.3.5,
1.4.a,
1.4.b,
2.3,
2.3.a,
2.3.b,
2.3.c,
2.3.d,
1.4.a,
1.4.b,
1.4.c,
1.4.d,
1.4.e,
1.4.f,
1.4.g,
1.4.1,
9.1.2,
11.1.a,
11.1.b,
11.1.c,
11.1.d
mp.eq.3 11.2.6, 2.3,
11.2.8 2.3.a,
2.3.b,
2.3.c,
2.3.d

1.4.a,
1.4.b

mp.eq.3

2.2.1.a,
2.2.1.b

11.1.a,
11.1.b,
11.1.c,
11.1.d,
11.1.1,
11.1.2.a,
11.1.2.b

mp.s.8 12.6.1,
14.1.1

14.1.2,
14.1.3
8.1.3,
18.1.4

18.1.4
18.1.4

18.1.4

18.1.4
18.1.1.5.P,
18.1.4

18.1.4

9.2.6
18.1.4 3.1.a,
3.1.b,
3.1.c

18.1.4
18.1.4
op.exp.7 12.10.4
18.1.4
12.1.5.1.PB,
12.4.5.P,
12.4.5.1.P,
12.4.5.3.P,
13.1.3.12.P,
18.1.1.7.P,
4.4.3.1,
3.1.4.2,
3.1.5.1,
3.1.5.3,
3.1.5.5

12.1.5.1.PB,
12.4.5.3.P,
12.4.5.4.P,
12.4.5.5.P,
16.1.7.13.PB
op.exp.3, 6.1.3, 6.1.a,
op.exp.7, 6.1.5, 6.1.b,
op.ext.2, 12.1.5.1.PB, 11.2.a,
op.mon.2, 14.1.3, 11.2.b,
mp.s.8 16.1.1, 11.5.1,
16.1.2, 12.10,
16.1.3, 12.10.1.a,
16.1.6, 12.10.1.b,
3.1.5.2, 12.10.4,
3.1.5.4, 12.10.5,
3.1.5.5, 12.10.6
4.4.1.2,
4.5.3.1,
4.8.2.2,
4.9.2.2

op.mon.2

op.exp.7, 3.1.5.2, 12.5.3,


mp.s.9 3.1.5.4, 12.10.2
3.1.5.5,
4.9.2.2
op.exp.7, 6.1.3, 10.2,
op.exp.9, 12.4.1, 10.2.3,
op.mon.2 12.4.2, 10.2.4,
12.4.3, 10.2.6,
14.1.1, 10.5.3,
16.1.4, 10.5.4,
16.1.5, 10.6,
16.1.6, 10.6.1.a,
16.1.7, 10.6.1.b,
3.1.5.4 10.6.2.a,
10.6.2.b,
10.6.3.a,
10.6.3.b,
10.8.a,
10.8.b,
10.8.1.a,
10.8.1.b,
10.9,
12.5.5,
12.10.3,
12.10.6,
A1,
A1.3,
A1.4

op.mon.2
16.1.7.13.PB

6.3.1.1.PB,
12.4.1.15.PB,
12.4.5.4.P,
12.4.5.5.P

18.1.3.13.PB

10.3,
10.3.1,
10.3.2,
10.3.3,
10.3.4,
10.3.5,
10.3.6
op.ext.1, 7.2.1, 2.5,
op.ext.2 9.2.6, 2.6,
13.1.2, 12.8.1,
13.1.2.2, 12.8.3
13.2.1,
13.2.2,
13.2.3,
14.2.7,
15.1.1,
15.1.1.14.B,
15.1.1.16.B,
15.1.2,
15.1.3,
15.1.3.10.P,
15.1.3.11.P,
15.2.1,
15.2.2,
18.1.2,
4.4.7.1,
4.4.7.2,
4.4.7.3,
4.4.7.4,
4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.4,
4.4.8.5,
4.5.3.1,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
4.5.4.5

op.ext.9
op.ext.1 7.2.1, 2.5,
12.1.2, 2.6,
13.1.2.1, 9.5,
13.2.1, 9.5.1,
13.2.2, 12.8,
13.2.3, 12.8.2,
14.2.5.7, 12.8.3,
14.2.7, 12.8.4,
15.1.1, 12.8.5
15.1.2,
15.1.3,
15.1.3.10.P,
15.1.3.11.P,
15.2.1,
15.2.2,
18.1.2,
4.4.7.1,
4.4.7.2,
4.4.7.3,
4.4.7.4,
4.4.8.1,
4.4.8.2,
4.4.8.3,
4.4.8.4,
4.4.8.5,
4.5.1.1,
4.5.3.1,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
4.5.4.5
op.exp.3, 6.1.5, 10.2,
op.exp.7, 9.4.2.11, 10.2.3,
op.exp.9, 12.4.1, 10.2.4,
op.ext.2, 16.1.1, 10.2.6,
op.cont.1, 16.1.1.7.P, 10.5.3,
op.mon.2, 16.1.1.8.P, 10.5.4,
mp.s.8 16.1.2, 10.6,
16.1.2.12.P, 10.6.1.a,
16.1.2.13.P, 10.6.1.b,
16.1.3, 10.6.2.a,
16.1.4, 10.6.2.b,
16.1.5, 10.6.3.a,
16.1.6, 10.6.3.b,
16.1.7, 10.8.a,
17.1.1, 10.8.b,
4.4.7.1, 10.8.1.a,
4.4.7.2, 10.8.1.b,
4.4.7.3, 10.9,
4.4.7.4, 12.5.5,
4.5.3.1, 12.10.3,
4.5.4.1, 12.10.6,
4.5.4.2, A1,
4.5.4.3, A1.3,
4.5.4.4, A1.4
4.5.4.5,
4.9.2.2,
3.1.5.2
op.mon.2 6.1.5, 12.10.2,
16.1.1, 12.10.6
16.1.2

op.pl.4, 12.1.3,
op.cont.1, 12.1.3.9.PB,
op.cont.2 17.1.1,
17.1.2,
17.1.3,
17.2.1
op.ext.2, 12.1.3,
op.cont.1 12.1.3.9.PB,
13.1.1.5,
17.1.1,
17.1.2,
17.1.3,
17.2.1

op.ext.1 13.2.1,
13.2.2,
13.2.3,
16.1.1.6.P,
18.1.1
op.ext.1, 6.1.1, 2.5,
op.ext.2 6.1.1.13.PB, 2.6,
7.1.2, 12.8,
8.2.3.7, 12.8.2
10.1.2.19,
13.1.2,
13.1.2.2,
13.2.1,
13.2.2,
13.2.3,
13.2.4,
14.2.7,
15.1.1,
15.1.2,
15.1.3,
15.1.3.10.P,
15.1.3.11.P,
15.2.1,
15.2.2,
18.1.2,
4.4.3.1

op.ext.1, 15.2.1,
op.ext.2 16.1.1.6.P,
18.1.1,
18.1.2,
18.1.4,
3.1.5.3

8.1.5.P,
8.1.5.1.P,
8.1.5.2.P,
8.1.5.3.P

3.2.a,
3.2.b,
3.2.c,
3.2.d,
3.2.1,
3.2.2,
3.2.3
12.9

12.2.1, 5.1,
13.2.1.2, 5.1.1,
14.1.2, 5.1.2,
14.1.3, 5.2.a,
14.2.6, 5.2.b,
18.1.3 5.2.c,
5.2.d,
5.3.a,
5.3.b,
5.3.c

12.2.1, 5.1,
13.2.1.2, 5.1.1,
14.1.2, 5.1.2,
14.1.3, 5.2.a,
14.2.6, 5.2.b,
18.1.3 5.2.c,
5.2.d,
5.3.a,
5.3.b,
5.3.c

5.2.a,
5.2.b,
5.2.c,
5.2.d

5.3.a,
5.3.b,
5.3.c
op.exp.3, 6.1.5, 5.1.2,
mp.sw.1, 12.1.2.3, 6.1.a,
mp.sw.2 12.5.1.18, 6.1.b,
12.6.1, 6.6,
13.1.1, 11.2,
13.1.1.6, 11.2.1.a,
14.1.1, 11.2.1.b,
14.2.1, 11.2.1.c,
14.2.8, 11.2.2.a,
18.2.3, 11.2.2.b,
3.1.4.4, 11.2.2.c,
4.4.2.1, 11.2.3.a,
4.4.8.1, 11.2.3.b,
4.4.8.2, 11.2.3.c,
4.4.8.3, 11.3.3
4.4.8.4,
4.4.8.5,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
4.5.4.5,
4.5.5.1,
4.5.5.2,
4.5.5.3,
4.6.1.1,
4.6.2.1

mp.sw.2 6.1.5, 6.1.a,


12.6.1, 6.1.b,
18.2.3, 11.3,
4.4.2.1 11.3.1.a,
11.3.1.b,
11.3.2.a,
11.3.2.b,
11.3.4.a,
11.3.4.b,
11.3.4.c,
11.3.4.1.a,
11.3.4.1.b
6.1.4, 6.1.a,
12.6.1, 6.1.b,
14.1.1, 12.5.2
16.1.6

12.6.1.18.PB

op.exp.5, 6.1.5, 6.1.a,


mp.sw.1, 12.4.1, 6.1.b,
mp.sw.2 12.4.3, 6.3.1,
12.6.1, 6.3.2.a,
14.2.1, 6.3.2.b,
14.2.8, 6.4.4.a,
18.2.3, 6.4.4.b,
3.1.4.4 6.4.5.3.a,
6.4.5.3.b,
6.5.a,
6.5.b,
6.5.c,
6.5.1,
6.5.2,
6.5.3,
6.4.5,
6.5.5,
6.5.6,
6.5.7,
6.5.8,
6.5.9,
6.5.10,
6.6,
11.2,
11.2.1.a,
11.2.1.b,
11.2.1.c,
11.2.2.a,
11.2.2.b,
11.2.2.c,
11.2.3.a,
11.2.3.b,
11.2.3.c,
11.3.3
op.exp.3, 9.4.4, 1.2.2.a,
op.ext.2, 12.5.1.1, 1.2.2.b,
mp.sw.2 12.5.1.15, 2.2.a,
12.6.1, 2.2.b,
12.6.1.10 2.2.c,
2.2.d,
2.2.2.a,
2.2.2.b,
2.2.3,
2.2.5.a,
2.2.5.b,
2.2.5.c,
6.2.a,
6.2.b

op.exp.3 9.4.4, 2.2.a,


12.6.1 2.2.b,
2.2.c,
2.2.d,
2.2.2.a,
2.2.2.b,
2.2.3,
5.3.a,
5.3.b,
5.3.c,
6.2.a,
6.2.b
9.1.2, 1.1.2.a,
12.1.5.1.PB, 1.1.2.b,
14.1.2, 1.1.3
16.1.7.13.PB,
4.4.1.1,
4.4.2.1,
4.4.3.1,
4.4.4.1,
4.4.5.1,
4.4.5.2,
4.5.3.1,
4.5.4.1,
4.5.4.2,
4.5.4.3,
4.5.4.4,
4.5.4.5,
4.6.1.1,
4.6.2.1,
4.6.3.1,
4.6.3.2,
4.6.3.3,
4.6.3.4,
4.8.1.1

op.exp.7 6.1.3, 12.10.3,


6.1.4, 12.10.4
12.6.1.18.PB,
16.1.1.6.P,
16.1.1.7.P,
16.1.1.8.P,
16.1.2.12.P,
3.1.5.1,
3.1.5.5,
4.5.3.1,
4.9.1.1,
4.9.2.2

3.1.5.5,
4.4.3.1
4.9.1.1

13.1.2, 1.2,
15.1.1, 1.2.1.a,
15.1.1.16.B, 1.2.1.b,
15.1.2, 1.2.1.c
15.1.3,
15.1.3.10.P,
15.1.3.11.P

18.1.1,
18.1.1.4.P,
18.1.1.6.P,
3.1.5.1
11.3,
11.3.1.a,
11.3.1.b,
11.3.2.a,
11.3.2.b,
11.3.4.a,
11.3.4.b,
11.3.4.c,
11.3.4.1.a,
11.3.4.1.b
IRAP December 2021 Controls

EU Code of Conduct Reference | Saudi CCC Reference | IRAP Official | IRAP Protected | IRAP Secret

2-16-P-4, 5.5.A,
1-3-T-1-1, 5.5.B,
1-9-4-2, 6.2.K,
2-1-2, 6.3.A
2-1-4,
1-1-3,
1-3-2,
1-8-1,
1-8-2,
1-8-3,
2-2-2,
2-2-4,
2-3-4,
2-4-4,
2-5-4,
2-6-4,
2-7-4,
2-8-4,
2-9-4,
2-10-4, X X X
2-11-4,
2-12-4,
2-13-4,
2-14-4,
2-15-4,
3-1-4,
4-1-4,
4-2-4,
5-1-4
5.5.E,
5.5.F,
5.5.A,
5.5.C

6.2.B,
6.2.K,
6.2.L,
6.2.M,
6.2.Q

X X X

1-3-P-1-1,
2-6-P-1-2,
1-3-T-1-1,
1-1-1,
1-3-3,
1-3-4,
1-7-1,
1-8-1
X X X
3-1-P-1-1, 6.2.E,
3-1-P-1-2, 6.2.J,
3-1-T-1-1, 6.2.K
2-9-3-1,
3-1-3-1,
3-1-3-2,
3-1-3-3,
2-9-1,
2-9-2,
2-9-4,
3-1-1,
3-1-2, X X X
3-1-4

1-3-P-1-1,
2-6-P-1-2,
1-7-1,
1-3-3,
1-3-4,
2-9-2,
3-1-1,
3-1-2,
3-1-4

1-5-3-2,
2-9-3-1,
3-1-3-1,
3-1-3-2,
3-1-3-3,
2-9-4,
3-1-1,
3-1-2

2-9-1,
2-9-2,
3-1-2
2-3-P-1-10,
2-3-P-1-11

2-9-3-1,
2-15-3-2

X X X
2-13-3-3,
2-12-3-5

X X X

X X X

2-9-3-1, 6.2.K
2-15-3-2,
2-9-1,
2-9-2

X X X
2-8-P-1-1,
2-8-P-1-2,
2-9-3-1,
2-9-1,
2-9-2

X X X

5.2.G,
6.2.K

X X X

2-4-1,
2-4-2,
2-4-3-3
1-5-P-4, 6.2.K,
2-16-P-1, 6.2.M
2-16-P-2,
1-5-3-4,
1-6-1,
1-6-3-1,
1-6-3-2,
1-6-4

X X X

2-2-P-1-6,
4-2-1,
4-2-2

X X X

1-5-P-1, 6.2.B,
1-5-P-2, 6.2.F,
1-5-P-3-1, 6.2.K,
1-5-P-3-2, 6.2.M
2-3-P-1-5,
2-16-P-2,
1-5-3-2,
1-6-1,
1-6-2-1,
1-6-2-2,
X X X
1-6-3-1,
1-6-3-2,
1-6-3-3,
1-6-3-4,
1-6-3-5
6.2.K,
6.2.M

6.2.G,
6.2.K,
6.2.L,
6.2.M,
6.2.N,
6.2.O,
6.2.Q,
6.3.A

X X X
2-1-P-1-1, 6.2.K
2-3-P-1-1,
2-3-P-1-3,
2-3-P-1-4,
2-3-P-1-5,
1-6-2-2

X X X

2-3-P-1-4, 6.2.F,
2-3-P-1-5, 6.2.K,
2-12-1, 6.2.M
2-12-2
1-5-P-3-1, 6.2.B,
1-5-P-3-2, 6.2.F,
2-3-P-1-5, 6.2.K,
2-3-P-1-7, 6.2.M
2-16-P-3-1,
2-16-P-3-2

X X X

1-6-3-2, 6.2.B,
1-3-3, 6.2.F,
1-3-4, 6.2.K
2-3-1,
2-3-4

X X X

1-5-P-3-2,
2-3-P-1-4,
2-3-P-1-5,
2-16-P-3-1,
1-6-1,
1-6-2-1,
1-6-2-2,
1-6-3-3,
1-6-3-5, X X X
2-10-1,
2-10-2,
5-1-2,
5-1-3-8
2-13-P-1-1, 6.2.B,
2-14-3-1, 6.2.J,
2-14-3-2, 6.2.L,
2-14-3-3, 6.2.Q
2-14-3-5,
2-14-1,
2-14-2,
2-3-2,
2-12-1,
2-12-2,
2-14-1,
2-14-2 X X X
5-1-2, 6.2.E,
5-1-3-4 6.2.J

X X X

5-1-2, 6.2.E,
5-1-3-4 6.2.J

X X X

X X X
2-13-P-1-1,
2-14-3-1,
2-14-1,
2-14-2,
2-14-4,
2-3-2

X X X

2-3-2,
2-14-1,
2-14-2

X X X

2-13-P-1-1 6.2.F

X X X
2-13-P-1-1,
2-14-3-2,
2-14-3-3,
2-14-1,
2-14-2,
2-3-2, X X X
2-12-1,
2-12-2

1-4-P-1-1

2-6-P-1-5, 5.7.E,
2-13-P-1-3, 5.7.F,
2-17-P-2, 6.2.D,
2-17-P-3-1, 6.2.E,
2-17-P-3-2, 6.2.J
2-6-T-2

X X X
1-5-3-4 6.2.D

X X X

2-2-P-1-10, 5.14.F,
2-5-P-1-3, 6.2.A,
2-5-P-1-4, 6.2.B,
2-13-P-1-3, 6.2.D,
2-17-P-3-1, 6.2.E,
2-5-T-1-1, 6.2.G,
2-6-T-1, 6.2.J,
2-6-3-3, 6.2.L,
2-14-3-4, 6.2.Q
1-3-3,
1-3-4,
2-3-1, X X X
2-3-4
1-3-3, 6.2.A,
1-3-4, 6.2.B,
2-3-1, 6.2.J
2-3-4,
5-1-2,
5-1-3-4

2-8-P-1-1, 6.2.B,
2-13-P-1-1, 6.2.J
2-14-3-1,
2-14-3-2,
2-14-3-3,
2-14-1,
2-14-2,
2-3-2,
2-12-1,
2-12-2

X X X
2-3-P-1-2, 5.2.E,
2-6-P-1-2, 5.7.D,
2-6-P-1-4, 5.7.E,
2-17-P-1, 5.7.F,
2-17-P-4, 6.1.A,
2-1-1, 6.1.B,
2-7-3-1, 6.2.A,
2-7-1, 6.2.D,
2-7-2, 6.2.E,
1-3-3, 6.2.J,
1-3-4, 6.2.M
2-7-4 X X X

2-1-P-1-1, 6.2.D
2-5-P-1-1,
2-1-T-1-1,
1-9-5,
2-1-1

X X X

2-1-P-1-2,
2-17-P-3-4,
2-1-5,
2-7-3-1,
4-2-3-1
X X X
1-9-5,
2-1-1

X X X

2-6-P-1-5,
1-2-T-1-2,
4-2-3-1

1-2-P-1-2, 5.12.A,
2-17-P-1, 5.12.B,
2-17-P-3-4, 6.1.A,
1-2-T-1-2, 6.1.B,
2-1-5, 6.2.D
2-7-3-1,
2-7-1,
2-7-2,
2-7-4,
4-2-3-1,
1-3-3,
1-3-4 X X X
2-12-P-1-7, 5.1.D,
2-13-1, 5.7.B,
2-13-2 5.7.C,
5.7.D,
5.10.A,
5.10.B,
6.2.B,
6.2.O
6.2.M

X X X

2-6-P-1-1, 6.2.K,
2-17-P-2, 6.2.M
2-17-P-4,
2-7-1,
2-7-2

X X X

5.4.E,
5.4.B,
5.4.C
2-5-P-1-4, 5.2.E,
2-13-P-1-3, 6.2.D,
2-17-P-1, 6.2.E,
2-5-T-1-1, 6.2.J
2-6-T-1

X X X

2-13-P-1-3, 5.14.F,
2-17-P-2, 6.2.D,
2-17-P-3-1, 6.2.E,
2-17-P-3-2, 6.2.J
2-17-P-4,
2-3-3-2,
2-14-3-4

X X X
2-5-P-1-4, 5.2.E,
2-6-P-1-3, 5.14.E,
2-17-P-2, 6.2.D,
2-17-P-3-2, 6.2.E,
2-17-P-4, 6.2.J
2-5-T-1-1,
2-6-T-1

2-5-P-1-4, 5.2.G,
2-17-P-1, 5.2.D,
2-17-P-4, 6.2.E,
2-5-T-1-1, 6.2.J
2-6-T-1
2-15-P-1, 6.2.G,
2-15-P-2, 6.2.I
2-15-P-3-2,
2-15-P-3-3,
2-15-P-4,
2-15-T-1,
2-15-T-2,
2-15-T-3-2,
2-15-T-4,
2-8-3-1,
2-8-3-2,
2-8-1,
2-8-2,
2-8-4,
1-3-3,
1-3-4
X X X
2-7-P-1-2, 6.2.G
2-15-T-2,
2-15-3-3

X X X

2-6-P-1-5 6.2.I

2-17-P-3-3, 6.2.B,
2-17-P-3-5, 6.2.D
2-17-P-3-6,
2-6-T-2,
2-3-3-2,
1-10-3-2,
2-8-1,
2-8-2,
2-12-1,
2-12-2,
5-1-2,
5-1-3-5 X X X
2-4-P-1-4, 6.2.B,
2-6-P-1-2, 6.2.D,
2-6-P-1-5, 6.2.G,
2-7-P-1-1, 6.2.H,
2-8-P-1-1, 6.2.I,
2-8-T-1-2, 6.2.L,
2-11-P-1-8, 6.2.M,
2-14-P-1-1, 6.2.N,
2-17-P-2, 6.2.Q
2-4-T-1-1,
2-6-T-2,
2-7-T-1-1,
2-7-T-1-2,
2-5-3-3,
2-5-3-4,
2-8-3-1,
2-8-3-3,
2-15-3-3,
1-3-3,
1-3-4, X X X
2-3-2,
2-5-1,
2-5-2,
2-7-1,
2-7-2,
2-8-1,
2-8-2,
2-8-4,
4-2-1,
4-2-2

2-15-P-3-1,
2-15-P-3-2,
2-15-T-2,
2-15-T-3-1,
2-8-3-2,
2-8-1,
2-8-2
2-3-P-1-1, 6.2.L,
2-3-P-1-3, 6.2.Q
2-3-P-1-4,
2-3-P-1-5,
2-14-P-1-1,
2-10-3-4,
2-10-3-5,
1-3-3,
1-3-4,
1-6-3-4,
1-6-3-4,
2-3-1,
2-3-2,
2-3-4,
2-5-1,
2-5-2,
2-10-1,
2-10-2,
2-10-4,
5-1-2, X X X
5-1-3-7

2-4-P-1-5,
2-5-3-5,
1-6-3-4,
2-5-1,
2-5-2

X X X
1-2-P-1-1, 6.2.B,
1-2-P-1-3, 6.2.K,
1-2-T-1-1, 6.2.M,
1-2-T-1-3, 6.2.N,
1-5-1, 6.2.O
1-5-2,
1-5-4,
2-1-6,
2-5-3-4,
1-1-2,
1-8-1,
2-5-4,
2-10-1,
2-10-2,
5-1-2,
5-1-3-8

X X X
1-2-P-1-3, 6.2.B,
4-1-P-1-4, 6.2.K,
1-2-T-1-3, 6.2.M,
1-5-3-1, 6.2.N,
1-5-4, 6.2.O
2-1-6,
2-5-3-4,
1-1-2,
1-3-2,
1-6-2-1,
1-8-1,
2-2-4

X X X
1-1-P-1-1, 6.2.B
1-1-T-1-1,
1-4-1,
1-5-2,
1-9-3-1,
1-9-4-2,
1-1-1,
1-2-1,
1-2-2,
1-2-3,
1-3-2,
1-4-2,
1-9-1,
1-9-2

X X X
1-1-P-1-1, 6.2.B
1-1-T-1-1,
1-4-1,
1-1-1,
1-2-1,
1-4-2
1-1-P-1-1, 6.2.B,
1-1-T-1-1, 6.2.K,
1-4-1, 6.2.M
1-2-1,
1-2-3,
1-8-3
1-1-P-1-1, 6.2.B
1-1-T-1-1,
1-4-1,
1-5-2,
1-9-3-1,
1-9-4-2,
1-1-1,
1-2-1,
1-2-2,
1-2-3,
1-3-2,
1-4-2,
1-9-1,
1-9-2

X X X

1-1-P-1-1, 5.1.A,
1-2-P-1-1, 5.1.B,
2-12-P-1-5, 5.1.C,
1-1-T-1-1, 5.7.A,
1-4-1, 5.7.B,
2-7-3-1, 5.7.F,
2-9-1, 5.8.B,
2-9-2 5.10.A,
5.10.B, X X X
5.12.C,
6.3.A
6.1.D

1-8-3, 6.1.C
1-2-3

X X X

1-1-P-1-1,
1-1-T-1-1,
1-4-1,
1-5-2,
1-1-1,
1-2-2,
1-2-3

X X X
6.1.C,
6.1.D

X X X

2-12-P-1-1, 5.12.F
2-13-3-5,
1-9-1,
1-9-2,
1-10-2,
1-10-3-1
2-3-P-1-3, 6.1.C,
2-15-P-1, 6.2.A,
2-15-P-4, 6.2.B,
2-17-P-1, 6.2.E,
2-17-P-4, 6.2.J
1-2-T-1-1,
1-2-T-1-3,
2-15-T-1,
2-15-T-4,
1-1-1,
1-1-3,
1-3-1,
1-3-3,
1-3-4,
1-4-2,
1-9-6,
1-10-5,
2-2-1,
2-5-4, X X X
2-6-4,
2-7-4,
2-8-4,
2-9-4,
2-10-4,
2-11-4,
2-12-4,
2-13-4,
2-14-4,
2-15-4

1-3-3,
1-3-4

2-1-3

X X X
1-2-P-1-1, 5.1.C
2-1-1

X X X

2-3-P-1-6

X X X
1-5-P-4, 6.2.A
1-5-4,
2-1-1,
2-1-3,
2-1-4,
2-1-6,
1-3-1,
1-3-3,
1-3-4,
1-6-4,
1-8-1,
1-9-6,
2-2-1,
2-2-4,
2-3-1,
2-3-4,
2-4-1,
2-4-4,
2-5-1,
2-5-4, X X X
2-6-1,
2-6-4,
2-7-4,
2-8-1,
2-8-4,
2-9-1,
2-9-4,
2-10-1,
2-10-4,
2-11-1,
2-11-4,
2-12-1,
2-12-4,
2-13-1,
2-13-4,
2-14-1,
2-14-4,
2-15-2,
2-15-4,

2-6-P-1-3 5.2.G,
5.14.E

X X X
5.4.F

5.1.E

2-1-4, 6.2.C,
1-3-1 6.2.E,
6.2.J
1-2-P-1-3, 6.1.B,
2-16-P-4, 6.2.B,
1-2-T-1-3, 6.2.K,
1-9-4-2, 6.2.M,
2-1-2, 6.2.O
2-1-6,
1-1-2,
1-1-3,
1-3-2,
1-10-5,
2-2-2,
2-2-4,
2-3-4,
2-4-4,
2-5-4,
2-6-4,
2-7-4,
2-8-4,
2-9-4,
2-10-4, X X X
2-11-4,
2-12-4,
2-13-4,
2-14-4,
2-15-4,
3-1-4,
4-1-4,
4-2-4,
5-1-4

1-4-P-1-1, 6.2.C
1-4-P-1-2,
1-4-T-1-1,
1-9-3-2

X X X
1-4-T-1-1 6.2.C

X X X

X X X

1-4-P-1-3, 5.12.A,
1-4-T-1-1, 5.12.B,
1-9-3-1, 5.12.D,
2-1-3, 6.2.C,
2-1-4, 6.2.D,
1-9-1, 6.2.E,
1-9-2 6.2.G,
6.2.J,
6.2.L,
6.2.M,
6.2.N,
6.2.O, X X X
6.2.Q
1-4-T-1-1, 5.12.A,
1-9-3-1, 6.2.C,
1-9-1, 6.2.D,
1-9-2 6.2.E,
6.2.G,
6.2.J,
6.2.L,
6.2.N,
6.2.Q

X X X

1-4-P-1-3, 5.12.A,
1-4-T-1-1, 6.2.C,
1-3-1 6.2.D,
6.2.E,
6.2.J,
6.2.O

X X X
1-4-P-1-2, 5.12.F,
1-9-3-2 6.2.C

2-5-P-1-1, 6.2.B,
2-5-P-1-2, 6.2.F
2-6-3-1,
2-6-3-2,
2-6-3-4,
1-10-3-2,
2-5-1,
2-5-2,
2-6-1,
2-6-2,
2-6-4, X X X
5-1-2,
5-1-3-6
6.2.O

1-9-1 6.2.B

2-12-P-1-2, 5.1.D,
1-9-4-1, 5.12.E,
2-6-3-4, 5.12.F,
1-9-1, 6.2.C,
1-9-2, 6.2.K,
1-9-6, 6.2.N
1-10-1,
1-10-2,
1-10-3-1,
1-10-3-2,
1-10-3-3,
1-10-3-4,
1-10-4-1,
1-10-4-2, X X X
1-10-4-3,
1-10-5
1-10-1, 5.1.D,
1-10-4-1, 5.12.E,
1-10-4-2, 5.12.F,
1-10-4-3 6.2.C

X X X

1-6-3-1, 5.12.E
1-10-4-1,
1-10-4-2,
1-10-5 X X X
6.2.C,
6.2.M,
6.2.O

X X X

2-2-P-1-3, 6.2.F,
2-2-P-1-6, 6.2.K
2-2-P-1-7,
2-2-P-1-12,
2-2-3-4

X X X
2-11-P-1-1, 6.2.K,
2-11-P-1-3, 6.2.M,
2-11-P-1-4, 6.2.O
2-11-P-1-8

X X X

2-12-1,
2-12-2

X X X
2-11-P-1-3,
2-11-P-1-4,
2-11-P-1-8,
[CCF V1.0 mapping tab, framework reference columns: the cells carry framework control identifiers (e.g. 2-2-P-1-3, 5-1-3-2, 6.2.E) and X marks for applicability, but the extraction split these columns from their rows, so no cell can be tied to a specific CCF control in this text.]
IRAP December 2021 Controls

IRAP Control    IRAP Top Secret

[These two columns list ISM control numbers (e.g. 1163, 0810, 1493) with X marks in the Top Secret column; the extraction separated the columns from their rows, so the numbers cannot be tied back to individual CCF controls in this text.]
Cisco Cloud Controls Framework
The following table contains Cisco's Cloud Controls Framework. The CCF control activities map to vario
27018:2019, ISO/IEC27701:2019, Esquema Nacional de Seguridad (ENS), Infosec Registered Assessor
Program (ISMAP), Cloud Computing Compliance Controls Catalogue (C5), EU Cloud Code of Conduct (C

The Cisco CCF is the result of research to determine what is needed to certify and achieve compliance
the control framework according to your needs and integrate into your own compliance regime.

Domain Title Control Reference


Audit Assurance & Compliance CCF 1

Audit Assurance & Compliance CCF 2

Audit Assurance & Compliance CCF 3

Application Security CCF 4


Application Security CCF 5

Application Security CCF 6

Business Continuity & Resilience CCF 7

Business Continuity & Resilience CCF 8

Business Continuity & Resilience CCF 9


Business Continuity & Resilience CCF 10

Business Continuity & Resilience CCF 11

Business Continuity & Resilience CCF 12

Business Continuity & Resilience CCF 13

Business Continuity & Resilience CCF 14


Business Continuity & Resilience CCF 15

Business Continuity & Resilience CCF 16

Business Continuity & Resilience CCF 17


Business Continuity & Resilience CCF 18

Business Continuity & Resilience CCF 19

Business Continuity & Resilience CCF 20


Business Continuity & Resilience CCF 21

Business Continuity & Resilience CCF 22

Change & Configuration Management CCF 23

Change & Configuration Management CCF 24


Vulnerability Management CCF 25

Vulnerability Management CCF 26

Vulnerability Management CCF 27

Vulnerability Management CCF 28


Change & Configuration Management CCF 29

Change & Configuration Management CCF 30

Change & Configuration Management CCF 31

Change & Configuration Management CCF 32

Change & Configuration Management CCF 33


Change & Configuration Management CCF 34

Data Center Security CCF 35

Data Center Security CCF 36

Data Center Security CCF 37

Data Center Security CCF 38


Data Center Security CCF 39

Data Center Security CCF 40

Data Center Security CCF 41

Data Center Security CCF 42

Data Center Security CCF 43


Data Center Security CCF 44

Data Center Security CCF 45

Data Center Security CCF 46

Data Center Security CCF 47


Data Center Security CCF 48

Data Center Security CCF 49

Data Center Security CCF 50


Data Security Management CCF 51

Data Security Management CCF 52

Data Security Management CCF 53

Data Security Management CCF 54

Data Security Management CCF 55


Data Security Management CCF 56

Data Security Management CCF 57

Data Security Management CCF 58

Data Security Management CCF 59

Data Security Management CCF 60


Data Security Management CCF 61

Data Security Management CCF 62

Data Security Management CCF 63

Data Security Management CCF 64


Data Security Management CCF 65

Data Security Management CCF 66

Data Security Management CCF 67


Data Security Management CCF 68

Data Security Management CCF 69

Data Security Management CCF 70

Key Management CCF 71

Key Management CCF 72

Key Management CCF 73


Key Management CCF 74

Key Management CCF 75

Key Management CCF 76


Key Management CCF 77

Key Management CCF 78

Key Management CCF 79

Key Management CCF 80

Key Management CCF 81

Key Management CCF 82


Key Management CCF 83

Governance and Risk Management CCF 84

Governance and Risk Management CCF 85

Governance and Risk Management CCF 86

Governance and Risk Management CCF 87


Governance and Risk Management CCF 88

Governance and Risk Management CCF 89

Governance and Risk Management CCF 90

Governance and Risk Management CCF 91


Governance and Risk Management CCF 92

Governance and Risk Management CCF 93

Governance and Risk Management CCF 94


Governance and Risk Management CCF 95

Governance and Risk Management CCF 96

Governance and Risk Management CCF 97

Governance and Risk Management CCF 98


Governance and Risk Management CCF 99

Governance and Risk Management CCF 100

Governance and Risk Management CCF 101


Governance and Risk Management CCF 102

Governance and Risk Management CCF 103

Governance and Risk Management CCF 104

Governance and Risk Management CCF 105


Governance and Risk Management CCF 106

Governance and Risk Management CCF 107

Governance and Risk Management CCF 108

Governance and Risk Management CCF 109

Governance and Risk Management CCF 110

Governance and Risk Management CCF 111


Governance and Risk Management CCF 112

Governance and Risk Management CCF 113

Governance and Risk Management CCF 114

People Management CCF 115


People Management CCF 116

People Management CCF 117

People Management CCF 118


People Management CCF 119

People Management CCF 120

People Management CCF 121


People Management CCF 122

People Management CCF 123

People Management CCF 124

People Management CCF 125


People Management CCF 126

People Management CCF 127

People Management CCF 128


People Management CCF 129

People Management CCF 130

Access Management CCF 131

Access Management CCF 132

Access Management CCF 133


Access Management CCF 134

Access Management CCF 135

Access Management CCF 136

Access Management CCF 137

Access Management CCF 138

Access Management CCF 139

Access Management CCF 140


Access Management CCF 141

Access Management CCF 142

Access Management CCF 143


Access Management CCF 144

Access Management CCF 145

Access Management CCF 146


Access Management CCF 147

Access Management CCF 148

Access Management CCF 149

Access Management CCF 150


Access Management CCF 151

Access Management CCF 152

Access Management CCF 153

Access Management CCF 154

Access Management CCF 155


Access Management CCF 156

Access Management CCF 157

Access Management CCF 158

Access Management CCF 159


Access Management CCF 160

Access Management CCF 161

Access Management CCF 162

Access Management CCF 163


Access Management CCF 164

Access Management CCF 165

Access Management CCF 166

Access Management CCF 167

Access Management CCF 168

Access Management CCF 169


Infrastructure Security CCF 170

Infrastructure Security CCF 171

Infrastructure Security CCF 172

Infrastructure Security CCF 173

Infrastructure Security CCF 174


Infrastructure Security CCF 175

Infrastructure Security CCF 176

Infrastructure Security CCF 177

Infrastructure Security CCF 178

Infrastructure Security CCF 179

Infrastructure Security CCF 180

Infrastructure Security CCF 181

Infrastructure Security CCF 182

Infrastructure Security CCF 183


Infrastructure Security CCF 184

Infrastructure Security CCF 185

Infrastructure Security CCF 186

Infrastructure Security CCF 187

Infrastructure Security CCF 188

Infrastructure Security CCF 189


Infrastructure Security CCF 190

Infrastructure Security CCF 191

Infrastructure Security CCF 192

Infrastructure Security CCF 193

Privacy Handling & Security CCF 194

Privacy Handling & Security CCF 195

Privacy Handling & Security CCF 196


Privacy Handling & Security CCF 197

Privacy Handling & Security CCF 198

Privacy Handling & Security CCF 199


Privacy Handling & Security CCF 200

Privacy Handling & Security CCF 201

Privacy Handling & Security CCF 202


Privacy Handling & Security CCF 203

Privacy Handling & Security CCF 204

Privacy Handling & Security CCF 205

Privacy Handling & Security CCF 206

Privacy Handling & Security CCF 207


Privacy Handling & Security CCF 208

Privacy Handling & Security CCF 209

Privacy Handling & Security CCF 210

Privacy Handling & Security CCF 211


Privacy Handling & Security CCF 212

Privacy Handling & Security CCF 213

Privacy Handling & Security CCF 214

Privacy Handling & Security CCF 215


Privacy Handling & Security CCF 216

Privacy Handling & Security CCF 217

Privacy Handling & Security CCF 218

Privacy Handling & Security CCF 219

Privacy Handling & Security CCF 220


Privacy Handling & Security CCF 221

Privacy Handling & Security CCF 222

Privacy Handling & Security CCF 223

Privacy Handling & Security CCF 224


Privacy Handling & Security CCF 225

Privacy Handling & Security CCF 226

Privacy Handling & Security CCF 227

Privacy Handling & Security CCF 228

Privacy Handling & Security CCF 229


Privacy Handling & Security CCF 230

Privacy Handling & Security CCF 231

Privacy Handling & Security CCF 232


Privacy Handling & Security CCF 233

Privacy Handling & Security CCF 234

Privacy Handling & Security CCF 235

Security Incident Management CCF 236

Security Incident Management CCF 237

Security Incident Management CCF 238


Security Incident Management CCF 239

Security Incident Management CCF 240

Security Incident Management CCF 241

Security Incident Management CCF 242

Security Incident Management CCF 243


Security Incident Management CCF 244

Supply Chain Management CCF 245

Supply Chain Management CCF 246

Supply Chain Management CCF 247


Supply Chain Management CCF 248

Supply Chain Management CCF 249

Supply Chain Management CCF 250

Supply Chain Management CCF 251


Supply Chain Management CCF 252

Supply Chain Management CCF 253

Supply Chain Management CCF 254


Supply Chain Management CCF 255

Supply Chain Management CCF 256

Supply Chain Management CCF 257


Supply Chain Management CCF 258

Supply Chain Management CCF 259

Supply Chain Management CCF 260

Supply Chain Management CCF 261

Vulnerability Management CCF 262


Vulnerability Management CCF 263

Vulnerability Management CCF 264

Vulnerability Management CCF 265

Vulnerability Management CCF 266

Vulnerability Management CCF 267

Vulnerability Management CCF 268

Vulnerability Management CCF 269


Vulnerability Management CCF 270

Vulnerability Management CCF 271

Vulnerability Management CCF 272

Vulnerability Management CCF 273


Vulnerability Management CCF 274

Vulnerability Management CCF 275

Vulnerability Management CCF 276

Vulnerability Management CCF 277


Vulnerability Management CCF 278

Vulnerability Management CCF 279

Vulnerability Management CCF 280

Vulnerability Management CCF 281


Vulnerability Management CCF 282

Vulnerability Management CCF 283

Vulnerability Management CCF 284

Application Security CCF 285

Governance and Risk Management CCF 286


Governance and Risk Management CCF 287

Governance and Risk Management CCF 288

Privacy Handling & Security CCF 289

Infrastructure Security CCF 290

Infrastructure Security CCF 291


Infrastructure Security CCF 292

Infrastructure Security CCF 293

Infrastructure Security CCF 294

Infrastructure Security CCF 295


Infrastructure Security CCF 296

Infrastructure Security CCF 297

Infrastructure Security CCF 298

Infrastructure Security CCF 299

Infrastructure Security CCF 300

Infrastructure Security CCF 301

Infrastructure Security CCF 302

Infrastructure Security CCF 303

Infrastructure Security CCF 304

Infrastructure Security CCF 305

Infrastructure Security CCF 306


Infrastructure Security CCF 307

Infrastructure Security CCF 308

Infrastructure Security CCF 309

Infrastructure Security CCF 310

Infrastructure Security CCF 311

Infrastructure Security CCF 312

Infrastructure Security CCF 313


Infrastructure Security CCF 314

Infrastructure Security CCF 315

Infrastructure Security CCF 316


Infrastructure Security CCF 317

Infrastructure Security CCF 318

Infrastructure Security CCF 319

Infrastructure Security CCF 320

Infrastructure Security CCF 321

Infrastructure Security CCF 322


Infrastructure Security CCF 323

Infrastructure Security CCF 324

Infrastructure Security CCF 325

Infrastructure Security CCF 326


Infrastructure Security CCF 327

Infrastructure Security CCF 328

Infrastructure Security CCF 329

Infrastructure Security CCF 330

Infrastructure Security CCF 331

Infrastructure Security CCF 332

Infrastructure Security CCF 333

Infrastructure Security CCF 334


Infrastructure Security CCF 335

Infrastructure Security CCF 336

Infrastructure Security CCF 337

Infrastructure Security CCF 338

Infrastructure Security CCF 339

Infrastructure Security CCF 340

Infrastructure Security CCF 341

Infrastructure Security CCF 342

Infrastructure Security CCF 343

Infrastructure Security CCF 344


Infrastructure Security CCF 345

Infrastructure Security CCF 346

Infrastructure Security CCF 347

Infrastructure Security CCF 348

Infrastructure Security CCF 349

Infrastructure Security CCF 350

Infrastructure Security CCF 351

Infrastructure Security CCF 352

Infrastructure Security CCF 353

Infrastructure Security CCF 354

Infrastructure Security CCF 355

Infrastructure Security CCF 356

Infrastructure Security CCF 357

Infrastructure Security CCF 358

Infrastructure Security CCF 359


Infrastructure Security CCF 360

Infrastructure Security CCF 361

Infrastructure Security CCF 362

Infrastructure Security CCF 363

Infrastructure Security CCF 364

Infrastructure Security CCF 365

Infrastructure Security CCF 366

Infrastructure Security CCF 367

Infrastructure Security CCF 368

Infrastructure Security CCF 369

Infrastructure Security CCF 370

Infrastructure Security CCF 371

Infrastructure Security CCF 372


Infrastructure Security CCF 373

Infrastructure Security CCF 374

Infrastructure Security CCF 375

Infrastructure Security CCF 376

Infrastructure Security CCF 377

Infrastructure Security CCF 378

Infrastructure Security CCF 379

Infrastructure Security CCF 380

Infrastructure Security CCF 381

Infrastructure Security CCF 382

Infrastructure Security CCF 383

Infrastructure Security CCF 384

Infrastructure Security CCF 385


Infrastructure Security CCF 386

Infrastructure Security CCF 387

Infrastructure Security CCF 388

Infrastructure Security CCF 389

Infrastructure Security CCF 390

Infrastructure Security CCF 391

Infrastructure Security CCF 392


Infrastructure Security CCF 393

Infrastructure Security CCF 394

Infrastructure Security CCF 395

Infrastructure Security CCF 396

Infrastructure Security CCF 397

Infrastructure Security CCF 398

Infrastructure Security CCF 399

Infrastructure Security CCF 400

Infrastructure Security CCF 401

Infrastructure Security CCF 402

Infrastructure Security CCF 403


Infrastructure Security CCF 404

Infrastructure Security CCF 405

Infrastructure Security CCF 406

Infrastructure Security CCF 407

Infrastructure Security CCF 408

Infrastructure Security CCF 409


Infrastructure Security CCF 410

Infrastructure Security CCF 411

Infrastructure Security CCF 412

Infrastructure Security CCF 413

Infrastructure Security CCF 414

Infrastructure Security CCF 415

Infrastructure Security CCF 416


Infrastructure Security CCF 417

Infrastructure Security CCF 418

Infrastructure Security CCF 419

Infrastructure Security CCF 420

Infrastructure Security CCF 421

Supply Chain Management CCF 422


Supply Chain Management CCF 423

Supply Chain Management CCF 424

Supply Chain Management CCF 425

Supply Chain Management CCF 426

Supply Chain Management CCF 427

Supply Chain Management CCF 428

Supply Chain Management CCF 429

Supply Chain Management CCF 430

Supply Chain Management CCF 431

Supply Chain Management CCF 432


Supply Chain Management CCF 433

Supply Chain Management CCF 434

Supply Chain Management CCF 435

Supply Chain Management CCF 436

Supply Chain Management CCF 437

Supply Chain Management CCF 438


Supply Chain Management CCF 439

Data Security Management CCF 440

Data Security Management CCF 441

Data Security Management CCF 442

Data Security Management CCF 443

Data Center Security CCF 444

Data Center Security CCF 445


Data Center Security CCF 446

Data Center Security CCF 447


Data Center Security CCF 448

Data Center Security CCF 449

Data Center Security CCF 450

Data Center Security CCF 451

Data Center Security CCF 452

Data Center Security CCF 453


Data Center Security CCF 454

Data Center Security CCF 455

Data Center Security CCF 456

Data Center Security CCF 457

Data Center Security CCF 458

Data Center Security CCF 459

Data Center Security CCF 460

Data Center Security CCF 461

Data Center Security CCF 462

Data Center Security CCF 463

Data Center Security CCF 464


Data Center Security CCF 465

Data Center Security CCF 466

Data Center Security CCF 467

Data Center Security CCF 468

Data Center Security CCF 469

Data Center Security CCF 470

Data Center Security: CCF 471 to CCF 530
People Management: CCF 531 to CCF 534
Access Management: CCF 535 to CCF 567
Key Management: CCF 568 to CCF 625
Business Continuity & Resilience: CCF 626 to CCF 630
Vulnerability Management: CCF 631 to CCF 661

Cisco Cloud Controls Framework (CCF)
[...] Controls Framework. The CCF control activities map to various frameworks and help meet the requirements of [...]
[...] Esquema Nacional de Seguridad (ENS), Infosec Registered Assessors Program (IRAP December 2020), Payment Card In[...]
[...] Compliance Controls Catalogue (C5), EU Cloud Code of Conduct (CoC), Third-Party Cybersecurity Compliance Certific[...]

[...] determine what is needed to certify and achieve compliance for multiple industry accepted security compliance [...]
[...] needs and integrate into your own compliance regime.

Control Wording
Independent Control self-assessments are performed
by control owners, at least annually, to gain reasonable
assurance that controls are in place and operating
effectively. Corrective actions are taken based on
relevant findings and tracked to resolution.

At least quarterly, [the organization] reviews shall be performed with approved documented specification to confirm personnel are following security policies and operational procedures pertaining to, but not limited to:
• log reviews
• firewall rule-set reviews
• applying configuration standards to new systems
• responding to security alerts
• change management processes

If applicable, [the organization]'s documented procedures regarding customer-requested audits shall be defined, documented and transparently communicated to the customer and, where applicable, to the mandated auditor.

Threats to the applications and application programming interfaces, and weaknesses in their design, are identified and assessed at the frequency defined by the organization's policies.

Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are documented and maintained by [the organization]'s legal department on an annual basis.

When applicable, systems, products or equipment will have their security functionalities evaluated in accordance with European or international standards, whose certificates are recognized by the National Scheme for the Evaluation and Certification of Information Technology Security, prior to being used.

A documented business continuity/disaster recovery (BC/DR) plan is in place and tested at least annually. Enterprise testing is done by the relevant organizational team tasked with managing the organization's risk. Offer/Product teams perform testing for their given Offer/Product. Any exclusions are documented as part of the BC/DR plan. As part of the BC/DR plan, management identifies rooms for improvement and [...]

[The Organization] maintains and documents a process to identify, have access to, and assess applicable legal and regulatory requirements relating to the continuity of its products and services, activities and resources. Such legal and regulatory requirements are reviewed at least annually to ensure the continuity of its products and services, activities and resources. Revision histories and review periods are defined within the documents themselves and [The Organization]'s Policy Governance Policy.

A business impact assessment (BIA) or continuity-specific risk assessment is performed at least annually and when significant changes within the organization occur. Results of the assessments are used to establish the scope of the continuity plan, determine business continuity priorities, and define the recovery strategies.

Business contingency roles and responsibilities are assigned to individuals and their contact information is communicated to authorized personnel.

Systems used for service, storage, processing and monitoring of customer data, support, and disaster recovery centers reside in KSA (Kingdom of Saudi Arabia). No stored information may be kept outside of the KSA.

Systems that store and process Spanish Customer Data reside within the EU. Systems used for electronic identification and signature are also located within the EU. Identification and electronic signature systems that deal with specific categories of data (such as biometrics) reside within Spanish territory.

[The organization] evaluates the data localization laws and requests from the EU. If requested, [The Organization]'s systems that store and process EU Data reside within the EU.

[The Organization] evaluates the data localization laws and requests from Japan. If requested, [the organization]'s systems that store and process Japan Data reside within Japan.

A multi-location or region strategy for production environments is employed to permit the resumption of operations at other [The Organization] facilities in the event of the loss of a facility.

[The organization] allocates audit record storage capacity in accordance with logging storage and retention requirements; audit logs are retained for at least one year, with one year of data immediately available for analysis.

An alert is sent to relevant staff when the audit logging process fails. Failures are addressed to resume system logging.

At least annually, full backups are configured for data stores housing sensitive customer data and personal information. Repeated failed backups are investigated and resolved. Backups are periodically restored to validate the integrity of the backup. Details of the restoration test are logged, including who performed the test, a description, the restored backup, and an integrity check of the restored backup.

Databases are replicated to a secondary database or data center. Alerts are configured to notify administrators if replication fails.

[The organization] provides the specifications of its backup capabilities to its cloud service customers or upon request. Where applicable, the specifications include scope and schedule of backups, backup methods and data formats, encryption of backup data, retention periods for backup data, integrity verification of backup data, procedures and timescale of data restore, and location of backup data.

[The organization]'s backups are securely stored in an alternate location from the source data.

[The organization] periodically backs up emails. Repeated failed backups are investigated and reviewed.

A formal systems development life cycle (SDLC) methodology is in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Cloud Service Customers review and monitor changes made by the cloud service provider for appropriateness and any potential impact to the customer's instance.

Changes to the service and supporting infrastructure components of the service are authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

System changes are communicated to authorized internal users via a ticketing system or any other documented process.

Customers are notified of critical changes that may affect their processing.

A configuration management system is in place to ensure that system configurations are deployed consistently throughout the production environment.

A file integrity monitoring (FIM) tool is used to notify system administrators of potential unauthorized changes to the production system.

Access to migrate changes to production is restricted to authorized personnel. All change migrations are tracked and notifications are sent when changes are migrated to production.

Policies governing the appropriate use and installation of software on [the organization] workstations are communicated and reviewed at least annually. Revision histories and review periods are defined within the policies themselves and [the organization]'s Policy Governance Policy.

Version control procedures are set up to track dependencies of individual changes and to restore affected system components to their previous state as a result of errors or identified vulnerabilities.

[The Organization] uses mechanisms to detect direct changes to the integrity of customer data and personal information; [the organization] takes action to resolve confirmed unauthorized changes to data.

The cloud service provider identifies the requirements for any utility programs used within the cloud service. Any utility programs used follow the standard change process and cannot be used to override any system controls. Any necessary utility programs that can override system controls have access limited to authorized personnel, and all activity is reviewed for appropriateness at the frequency defined by organization policies.

Physical security measures are in place to restrict and monitor for unauthorized access to the buildings which house sensitive or critical information, information systems, or other network infrastructure. Confirmed incidents are documented and tracked to resolution.

The supply of the data centers (e.g. water, electricity, temperature and moisture control, telecommunications and Internet connection) is secured, monitored, maintained and tested at regular intervals. The data center has been designed with automatic fail-safe mechanisms and other redundancies. Maintenance is performed by authorized personnel at designated intervals and targets recommended by the suppliers. Maintenance records are stored for the agreed upon [...]

Environmental security measures and safeguards are in place to protect the premises or buildings that house sensitive or critical information against environmental threats or threats caused by humans.

The cloud service provider informs cloud service customers of the geographical locations of the provider's organization and the countries where the provider can store the customer data.

Physical access provisioning to [the organization]'s datacenter requires management approval and documented specification of, but not limited to:
• account type (e.g., standard, visitor, or supplier)
• access privileges granted
• intended business purpose
• visitor identification method, if applicable
• temporary badge issued, if applicable
• access start date
• access duration (with end date)

Physical access to premises and buildings related to cloud services that is no longer required in the event of a termination or role change is revoked. If applicable, temporary badges are returned prior to exiting the facility. Access that has not been used for 2 months after approval is automatically withdrawn.

[The organization] performs physical access account reviews at least semi-annually; corrective action is taken where applicable.

All physical access is managed through monitoring, maintaining records, and escorting (for visitors). Access records (including visitor access records) to the facilities are kept for at least a year.

Surveillance feed data is retained for at least 3 months, unless otherwise restricted by law.

Devices that physically capture payment card data are inspected for evidence of tampering at least quarterly.

Any cybersecurity function positions in [the organization]'s Saudi Data Centers are filled with qualified and suitable Saudi nationals.

Devices and hardware may only be transferred to external premises after the transfer has been approved by authorized committees or bodies at [the organization]. The transfer takes place securely according to the type of the assets to be transferred.

New assets to be installed into the secure premises are approved by authorized committees or bodies at [the organization]. The 'on-boarding' of such assets takes place securely according to the type of the asset.

Policies and instructions with technical and organizational safeguards are documented, communicated and describe the maintenance (especially remote maintenance), deletion, updating and re-use of assets in information processing.

Policies and documentation are in place to establish a safe and secure work environment. These policies are reviewed at least annually and updated as necessary. Revision histories and review periods are defined within the policies themselves and [the organization]'s Policy Governance Policy.

Access to the premises or buildings, including those which house sensitive or critical information, information systems or other network infrastructure, is secured and monitored by means of physical site access and software authorization controls in order to avoid unauthorized site and data access. Authorized personnel can include employees, customers, suppliers and contractors.

Data protection policies are in place to help ensure that confidential, personal and sensitive customer data is properly secured and restricted to authorized personnel. Included are policies on how CUI (Controlled Unclassified Information) data is handled.

A formal inventory of production system assets is maintained and reconciled annually.

[The Organization]'s assets are labelled in accordance with [the organization]'s standards and have designated owners.

The inventory of system assets includes assets of the cloud service provided by the cloud service provider.

Cloud service customer data and data derived from the services are explicitly identified by the cloud service provider.

[The Organization]'s cloud service provides customers with details around their service functionality, to allow customers the ability to classify and label the information and associated assets.

[The organization]'s data classification criteria are reviewed, approved by management, and communicated to authorized personnel at least annually; data security management determines the treatment of data according to its designated data classification level. Revision histories and review periods are defined within the documents themselves and [the organization]'s Policy Governance Policy.

Sharing [the organization]'s confidential (non-public) data via messaging technologies (unless permitted by [the organization] for sharing of such data), social media, and public websites is prohibited.

[The organization]'s asset inventory includes in-scope cardholder related systems, devices, and media.

[The Organization] maintains an inventory of authorized wireless access points including a documented business justification.

[The organization] has a support system to manage customer issues including system information on failures, incidents, concerns, and other complaints.

A data flow diagram is documented and maintained for data that is processed (analyzed, stored or transmitted, etc.) within the services' applications and infrastructure network and systems. The data flow diagram is reviewed at least annually, or at the frequency defined by organization policies, and any changes are updated in the diagram.

Data classified as Customer Data and any Personal Data attributable to the customer is prohibited from being used or stored in non-production systems or environments. If Customer Data needs to be used for staging and research environments, then the customer data must be anonymized. If customer data cannot be anonymized, customers shall be notified of such use, and such environments shall be protected in accordance with applicable policies and standards for such data.

[The Organization] only transfers Customer Personal Data to a country outside of the European Economic Area (EEA) if this was agreed upon as part of a Cloud Service Agreement with customers. All transfers and agreements meet GDPR requirements.

Formal retention and disposal procedures are in place to guide the secure retention and disposal of [the organization] data.

Electronic media containing confidential information is purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Customer data containing confidential and personal information is purged or removed from the application environment (including backups and data shared with other Offer/Products) upon customer request, according to [the organization] policy and/or contractual obligations.

Formal retention and disposal procedures are in place to guide the secure retention and disposal of customer and personal data.

If the cloud service offers functions for software-defined networking (SDN), the service uses suitable SDN procedures to ensure the confidentiality of the cloud user data.

Hardcopy materials containing confidential information are purged or destroyed in accordance with [the organization] policy, such as by cross-cutting, shredding, incinerating, pulping, etc.

The cloud service provider provides the cloud service customer with information on the IPv6 support status of the service provided by the cloud service provider.

Cryptographic key owners formally acknowledge that they understand and accept their key owner responsibilities upon hire and at least annually thereafter.

Key management procedures are documented, reviewed at least annually, and define the following processes, but not limited to:
- Prevent unauthorized substitution of cryptographic keys
- Specify how to generate strong keys
- Specify how to securely distribute keys
- Requirements for cryptographic key changes for keys that have reached the end of their cryptoperiod
- Requirements for retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened

[The organization] issues public key certificates under an approved certificate authority or obtains public key certificates from an approved service provider.

[The Organization] communicates to its cloud service customers when cryptography is used to protect the customer data and provides information and cryptographic technologies to cloud service customers to use.

Portable and removable media devices are encrypted (as per the defined organization policies) or monitored when in use. For NIST, FedRAMP, and CMMC, a FIPS 140-2 encryption method is used to protect data at rest and in transit.

Approved cryptographic algorithms and methods are used for securing assets with confidential, personal, and sensitive data both at rest and in transit over public networks. For NIST, FedRAMP, and CMMC, FIPS 140-2 cryptography is used to protect data at rest and in transit.

Access to the cryptographic keystores is limited to authorized personnel.

[The Organization] restricts primary account number (PAN) data such that only the first six and last four digits are displayed; authorized users with a legitimate business need may be provided the full PAN.

Where full disk encryption is used, logical access is managed independently of operating system authentication; decryption keys are not associated with user accounts.

Storage of data encryption keys that encrypt or decrypt cardholder data meets at least one of the following:
• the key-encrypting key is at least as strong as the data-encrypting key and is stored separately from the data-encrypting key
• keys are stored within a secure cryptographic device (such as a host security module (HSM) or PTS-approved point-of-interaction device)
• keys are stored as at least two full-length key components or key shares

Cryptographic keys are invalidated when compromised or at the end of their defined lifecycle period.

[The Organization] changes shared data encryption keys:
- at the end of the [organization-defined lifecycle period]
- when keys are compromised
- upon termination/transfer of employees with access to the keys

If applicable, manual clear-text cryptographic key-management operations are managed using split knowledge and dual control.

Network and system hardening standards are documented, implemented, and reviewed at least annually. These standards are deployed to all networks and production systems. Revision histories and review [...]

The network perimeter is controlled by security gateways. For cross-network access, the access authorization is based on the security requirements of the cloud customers.

When applicable, hardware devices are used for the establishment and use of virtual private networks.

A documented Information Security Management System Risk Assessment Methodology is in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, mitigation strategies for those risks, and documentation and communication of those risks, as well as possible vulnerabilities within the cloud service provider and their impacts. Upper management, or its designated representative(s), owns this methodology and is responsible for its adherence.

Risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes risk mitigation strategies and acceptance levels based on [the organization] risk criteria. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives. The results of the risk assessment are reviewed by leadership at least annually.

As part of their risk assessment, cloud service providers review the risks associated with customer-supplied software within the cloud service Offer/Product provided by the provider.

As part of their risk assessment, [the organization] determines the data types that can be shared with a managed service provider.

Management has established defined roles and responsibilities to oversee the implementation of the security and control environment.

The Board of Directors provides corporate oversight, strategic direction, and review of management for [the organization]. The Board of Directors meets at least quarterly and has 5 sub-committees:
• Audit Committee
• Compensation and Management Development Committee
• Nomination and Governance Committee
• Acquisition Committee
• Finance Committee

The Audit Committee is governed by a Charter, is independent from [the organization]'s Management, is composed of outside directors (Industry Experts), and meets at least quarterly.

The Audit Committee oversees:
• Financial Statement Quality
• Enterprise Risk Management
• Regulatory & Legal Compliance
• Internal Audit Functions
• Information Security Functions
• External Audit Functions

[The Organization] identifies geographies with legal and regulatory risks such as embargoed countries. [The organization] shall not operate out of, or have administrators that reside in, such geographies.

Roles and responsibilities of the cloud computing customers and service providers are defined and agreed on. Included in the agreement are definitions including but not limited to data ownership, information security accountability, access provisioning and approval responsibilities, supplier use, and data backup and recovery responsibilities. Management designates stewardship to a person or group of people to govern these agreements.

Management prepares a statement of applicability that includes control objectives, implemented controls, and business justification for excluded controls. Management aligns the statement of applicability with the results of the risk assessment.

The Information Security Management System (ISMS) steering committee conducts a formal management review of ISMS scope, risk assessment activities, control implementation, and audit results at least annually.

[The Organization] has an established security leadership team including key stakeholders in [the organization]'s Information Security Program; goals and milestones for deployment of the information security program are established and communicated to [the organization].

Information Security Management System (ISMS) boundaries are formally defined in an ISMS scoping document.

At least annually, [the organization] conducts a staff meeting to communicate and align on relevant security threats, program performance, and resource prioritization.

Information systems security implementation and management is included as part of the budget required to support [the organization]'s security program.

Information security policies are documented and define the information security rules and requirements for the service environment. These policies are reviewed at least annually against current requirements and updated as needed. Revision histories and review periods are defined within the policies themselves and [the organization] Policy Governance Policy.

Privacy policies are documented and define the information privacy rules and requirements for the service environment. These policies are reviewed according to periodic review requirements and updated as needed. Revision histories and review periods are defined within the policies themselves and [the organization] Policy Governance Policy.

A cloud service customer's information security policy is defined and maintained and is consistent with the organization's acceptable levels of information security risk for its information and other assets. Considerations around information being stored in the cloud computing environment, access management, maintenance, and geographical locations of the cloud service provider's organization are included in the policy.

A cloud service provider's information policy is defined and maintained, and addresses the provision and use of its cloud services. Considerations around baseline information security requirements, multi-tenancy and cloud service customer isolation, access management, communication, lifecycle management of service customer accounts, and communication of breaches are included in the policy.

The cloud service provider provides information to the cloud service customers about the information security capabilities they use. Implementation details about security controls are disclosed as needed.

[The organization]'s policies and standards are reviewed, approved by management, and communicated to authorized personnel at least annually. Revision histories and review periods are defined within the policies and standards themselves and [the organization] Policy Governance Policy.

A process is in place to request, review, and approve exceptions to policies, standards, and procedures. The assessment of the exception is risk based, and approved exceptions are reviewed at least annually or at the frequency defined by the organization's policies.

Policies and standards are in place to govern the collection, retention, and usage of metadata (customer usage data). Metadata is only collected for its intended use (e.g. troubleshooting, customer billing, etc.) and only authorized staff have access to the data. Metadata is deleted once its intended collection purpose has been fulfilled.

Roles and responsibilities and a program charter for the governance of PCI DSS compliance within [the organization] are formally documented and communicated by management.

If a cloud service provider is not established in a member state of the European Union, and is in scope for GDPR, it might need to designate a representative or controller in a member state of the European Union as per the local regulatory requirements.

The cloud service provider transparently communicates to customers its adherence to the EU Code of Conduct.

[The Organization] communicates policy violations and policy non-compliance consequences to all [organizational] personnel on a regular basis.

As part of its annual information security risk assessment, management selects and develops manual and IT general control activities that contribute to the mitigation of identified risks.

Newly hired personnel are required to pass a background screening check consistent with the local jurisdiction as a condition of their employment.

For every candidate that is hired, there is an interview and approval process prior to the candidate receiving an offer.

[The Organization] conducts screening and rescreening of authorized personnel for roles that require national security clearances. For national security clearances, a reinvestigation is required during the 5th year for a top secret security clearance, the 10th year for a secret security clearance, and the 15th year for a confidential security clearance. In addition, for law enforcement and high impact public trust level, a reinvestigation is required during the 5th year.

As part of their onboarding process, contingent workers
are required to sign [The Organization]'s Confidential
Information Agreement: Individuals (Suppliers,
Contractors, Independent Contractors, Consultants, and
Partners), which includes the Supplier and Independent
Consultant Job Practice and Behavior Guide outlining
expected behavior regarding data and information
system usage. This agreement prohibits any disclosure
of information and other data to which the contingent
worker has been granted access.
[The Organization]'s employees are required to sign a
non-disclosure agreement (PIIA) upon hire. This
agreement prohibits any disclosure of information and
other data to which the employee has been granted
access. [The Organization]'s employees in jurisdictions
where the PIIA is not applicable are required to sign
offer letters that outline clauses relevant to
non-disclosure.

[The Organization] maintains a Code of Conduct, which
describes employee responsibilities and expected
behavior regarding data and information system usage.
[The Organization] employees acknowledge that they
have read and agree to the Code of Conduct as part of
their onboarding process.

[The Organization] has established a check-in
performance management process for on-going
dialogue between managers and employees. Based on
defined frequency by the organizational policies,
reminders are sent to managers to perform their
regular check-in conversation.
[The Organization] is required to enable leaders and
their team members to maintain continual
communication which facilitates 360 degree feedback
by using tools or other mechanisms.

Where applicable, authorized [The Organization]
personnel enroll mobile devices with the enterprise
Mobile Device Management (MDM) solution prior to
obtaining access to [the organization] network
resources on mobile devices.

An organization chart is documented and defines the
organizational structure and reporting lines.

[The Organization] has policies regarding the posting of
job descriptions for employees supporting the service;
the job descriptions include authorities and
responsibilities for the design, development,
implementation, operation, maintenance, and
monitoring of the system.
At least annually, [The Organization] provides resources
for information security awareness training to enable
teams within [the organization] to assign and track
security awareness completion.

Training is provided to employees to support their
continued development and growth.

[The Organization]'s software engineers are required to
complete training on secure coding techniques at the
frequency defined by [the organization]'s policies.
Where applicable, [the organization] personnel that
interact with cardholder data systems receive
awareness training to be aware of attempted tampering
or replacement of devices. Training needs to include
the following at a bare minimum:
• verify the identity of third-party persons claiming to
be repair or maintenance personnel, prior to granting
them access to modify or troubleshoot devices.
• do not install, replace, or return devices without
verification
• be aware of suspicious behavior around devices (e.g.,
attempts by unknown persons to unplug or open
devices)
• report suspicious behavior and indications of device
tampering or substitution to authorized personnel (e.g.,
to a manager or security officer)

A formalized whistleblower policy is established as part
of the Code of Conduct and an anonymous
communication channel is in place for employees to
report potential security issues or fraud concerns.

Privileged access to in-scope system components and
production environments is restricted to authorized and
appropriate users only.
Audit trails are secured through principles of least
privilege to prevent unauthorized access or altering.

[The Organization] monitors and flags tampering to the
audit logging and monitoring tools in the production
environment.
Log data generated allows an unambiguous
identification of user accesses at the tenant level to
support (forensic) analysis in the event of a security
incident.

Vendor accounts used for remote access are enabled
only during the time period needed, disabled when not
in use, and monitored while in use.

Where applicable, service providers with remote access
to customer premises (e.g., for support of POS systems
or servers) use a unique authentication credential
(such as a password/phrase) for each customer.

Remote access sessions are logged and event logs are
retained for review when required.

Access to production systems is restricted to authorized
employees with a valid multi-factor authentication
(MFA) token over an
encrypted [virtual private network (VPN)] connection.

Logical access provisioning to information systems
requires approval from appropriate personnel.

[The Organization] allows its cloud service customers to
manage access to the customer's instance of the cloud
service, cloud service functions, and data.
Periodic access reviews are conducted by management
for the in-scope system components to ensure that
access is restricted appropriately. Tickets are created to
remove or modify access as necessary in a timely
manner.

Inappropriate access identified as part of quarterly user
access reviews is remediated within 7 days.

Authentication to in-scope systems requires unique ID
credentials.
Passwords for in-scope system components are
configured according to [The Organization]'s policy.

Passwords for the corporate Active Directory are
configured according to [The Organization]'s policy.

[The Organization] provides secure authentication
mechanisms (e.g., password, VPN) for customers to
access their own instances of [The Organization]'s
cloud services.
[The Organization] requires unique identifiers for user
accounts and prevents identifier reuse.

User accounts are disabled after they have not been
used for a period of two months or after a predefined
number of failed login attempts. Locked user accounts
are automatically removed after six months.
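The inactivity and lockout rule above is easy to state and easy to get wrong against a real directory export (accounts that never logged in, accounts that are already disabled). The following Python is an added example, not part of the CCF or any Cisco tooling: it evaluates constructed directory records against the stated policy, with the two-month and six-month windows rendered as 60 and 180 days and a failed-login threshold of 10, all of which are assumptions to replace with your own policy values.

```python
from datetime import date, timedelta

# Added example, not CCF or Cisco code. Thresholds follow the narrative
# (two months unused -> disable, six months locked -> remove); the day
# conversions and the failed-login limit are assumptions.
INACTIVITY_DAYS = 60
FAILED_LOGIN_LIMIT = 10
REMOVE_AFTER_LOCK_DAYS = 180


def evaluate_account(account: dict, today: date) -> str:
    """Return 'keep', 'disable' or 'remove' for one directory record.

    Expected keys: name, enabled (bool), created (date), and optionally
    last_login (date), failed_logins (int), disabled_on (date)."""
    if not account["enabled"]:
        disabled_on = account.get("disabled_on")
        if disabled_on and today - disabled_on >= timedelta(days=REMOVE_AFTER_LOCK_DAYS):
            return "remove"
        return "keep"  # already disabled, not yet old enough to delete
    # Accounts that never logged in are measured from creation, so a stale
    # pre-provisioned account does not escape the inactivity rule.
    last_activity = account.get("last_login") or account["created"]
    if today - last_activity >= timedelta(days=INACTIVITY_DAYS):
        return "disable"
    if account.get("failed_logins", 0) >= FAILED_LOGIN_LIMIT:
        return "disable"
    return "keep"


def review_accounts(accounts, today: date) -> dict:
    """Group account names by required action so the result can become tickets."""
    actions = {"keep": [], "disable": [], "remove": []}
    for account in accounts:
        actions[evaluate_account(account, today)].append(account["name"])
    return actions


# Constructed directory export (not real data) covering each branch of the rule.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_login": date(2024, 6, 28),
     "created": date(2022, 1, 5), "failed_logins": 0},
    {"name": "bob", "enabled": True, "last_login": date(2024, 3, 1),      # 121 days idle
     "created": date(2021, 9, 9), "failed_logins": 0},
    {"name": "carol", "enabled": True, "last_login": None,                # never logged in
     "created": date(2024, 2, 1), "failed_logins": 0},
    {"name": "dave", "enabled": True, "last_login": date(2024, 6, 29),    # brute-force pattern
     "created": date(2023, 5, 5), "failed_logins": 12},
    {"name": "erin", "enabled": False, "last_login": date(2023, 11, 1),   # locked 198 days
     "created": date(2020, 3, 3), "failed_logins": 0, "disabled_on": date(2023, 12, 15)},
    {"name": "frank", "enabled": False, "last_login": date(2024, 4, 1),   # locked 29 days
     "created": date(2020, 3, 3), "failed_logins": 0, "disabled_on": date(2024, 6, 1)},
]

if __name__ == "__main__":
    for action, names in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{action}: {', '.join(names) or '-'}")
```

Feed it the export from your directory and file the `disable` and `remove` lists as the tickets the access-review narrative calls for.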

[The Organization] uses tools, such as inactivity
monitoring, to help ensure that sessions with cloud
customers are managed, to protect against attacks that
can affect [The Organization]'s service commitments.

Authorized personnel verify the identity of users before
provisioning and modifying authentication credentials
on their behalf.
Information systems are configured to limit concurrent
login sessions and the inactive user interface is not
displayed when the session is terminated.

Information systems are configured to terminate
inactive sessions after a set amount of time, or when
the user terminates the session.

Systems leveraged by the U.S. Federal Government
present a login screen that displays the following
language:
• users are accessing a U.S. Government information
system
• system usage may be monitored, recorded, and
subject to audit
• unauthorized use of the system is prohibited and
subject to criminal and civil penalties
• use of the system indicates consent to monitoring
and recording

Privileged logical access to trusted data environments
is enabled through an authorized session manager;
session user activity is recorded and tunneling to
untrusted data environments is restricted.

[The Organization] employs only information
technology products on the FIPS 201-approved products
list for Personal Identity Verification (PIV) capability
implemented within organizational information
systems.
Supplier-supplied default passwords are changed prior
to device installation on [The Organization]'s network or
immediately after software or operating system
installation.

Where applicable, collaborative computing devices
used at [the organization] are configured to restrict
remote activation and provide an explicit indication that
they are in use.

All successful login accesses and failed attempts are
logged. Upon successful login, users are immediately
notified of their security obligations.

Digital signatures include timestamps, use industry
standard encryption programs, and are validated to
confirm authenticity.
Where applicable, [the organization] logs at least the
following activity for cardholder data environments:
• individual user access to cardholder data
• administrative actions
• access to logging servers
• failed logins
• modifications to authentication mechanisms and user
privileges
• initialization, stopping, or pausing of the audit logs
• creation and deletion of system-level objects
• security events
• logs of all system components that store, process,
transmit, or could impact the security of cardholder
data (CHD) and/or sensitive authentication data (SAD)
• logs of all critical system components
• logs of all servers and system components that
perform security functions (e.g., firewalls, intrusion-
detection systems/intrusion-prevention systems
(IDS/IPS), authentication servers, ecommerce
redirection servers, etc.)

[The Organization] uses secure methods and algorithms
for saving, displaying, and processing passwords such
as hashing functions, and ensures they are obscured
and not displayed in plain text.

Access control policies are in place and reviewed
annually to help manage access to information,
applications, and production environments. Revision
histories and review periods are defined within the
policies and standards themselves and [The
Organization] Policy Governance Policy.

Contingent workers' access is terminated in a timely
manner as of their contract end date or termination date.
Upon termination, full-time employee access is revoked
for employees in a timely manner.

Upon termination, management is notified to collect
[The Organization] property from terminated
employees, and all [The Organization] owned assets are
returned within 30 business days.

Upon termination, all privileged access held by a
terminated employee is revoked within 48 hours.

The People Resources system sends a notification to
relevant personnel in the event of a termination of an
employee.

Upon employee termination, management conducts
exit interviews for the terminated employee.

Upon notification of an employee reassignment or
transfer, management reviews the employee's access
for appropriateness. Access that is no longer required is
revoked and documented.
An intrusion detection system (IDS) or intrusion
prevention system (IPS) is used to provide continuous
monitoring of [The Organization]'s Corporate network
and early detection of potential security breaches.

Where applicable, the information system performs an
integrity check of virtual machine images at startup,
restart, shutdown and abort transitional states. The
system alerts administrators of any potential
discrepancies during integrity verification.

Networks used by [the organization] to migrate or
create virtual machines are logically separated from
other networks.

If virtual machines or containers are provided to
customers, the cloud service provider is required to
ensure:
- Customers can restrict the selection of images of
virtual machines or containers according to their
specifications
- Customers are informed of any changes made to
previous virtual machine or container versions.
- Images are hardened according to generally accepted
industry standards.

Where applicable, system components that store
cardholder data (such as a database), including
payment card collection devices are stored in an
internal network zone, segregated from the DMZ and
other untrusted networks. Access is strictly limited to
authorized personnel.
[The organization] components are configured to use
Coordinated Universal Time (UTC) and the clocks are
synchronized with an external time source. Where
applicable, [the organization] further provides cloud
service customers with information about how the
customer can synchronize local clocks with the cloud
service clock.

Access to modify time data is restricted to authorized
personnel.
Firewalls [or security groups] are used and configured
to prevent unauthorized access to the production
environment.

Firewall rulesets and security groups are reviewed by
management at least annually. Change tickets are
created to track any firewall modifications as a result of
the review.
Firewall systems consist of two or more layers.
Redundant firewall systems are installed.

Firewalls are configured with a DMZ that limits inbound
and outbound traffic to only system components that
provide authorized publicly accessible services,
protocols, and ports.
Firewalls perform dynamic (stateful) packet filtering on
the network.

[The Organization] does not disclose private IP
addresses and routing information to unauthorized
parties.

The network is segmented to prevent unauthorized
access.
Customer environments are segregated such that
customers only have access to their own environments.

Production environments are segregated from non-
production environments such as development and test
environments.

[The Organization] restricts access to network services
via wireless access points to authenticated users and
services; approved wireless encryption protocols are
required for wireless connections.

Mobile devices (e.g., laptops, smartphones, tablets) that
are used to access data from internal resources are
encrypted.

Where applicable, portable and mobile devices are
configured to ensure unnecessary hardware capabilities
and functionalities are disabled, and management
defined security features are enabled.

Mobile devices (e.g., laptops, smartphones, tablets) are
equipped with violation detectors that notify relevant
parties of any tampering that has occurred to the
device. Any identified tampering is investigated and
followed up until resolution.
Only one primary function per server is implemented
within the production environment; the information
system maintains a separate execution domain for each
executing process.

At least quarterly, [The Organization] performs an
access point mapping exercise to identify and remove
unauthorized wireless access points.

[The organization] has deployed technology to protect
against, or limit the effects of, denial of service attacks.

Sub-systems used for publishing [organization] public
announcements or information are protected against
threats to which they might be exposed, including but
not limited to unauthorized alteration, alternative
routing, "cross site scripting" attacks, URL and
customer information manipulation, code injection, and
user impersonation.

[The organization] identifies, documents, and complies
with the specific purposes for which the PII will be
processed.

[The organization] determines, documents and
complies with the relevant lawful basis for the
processing of PII for the identified purposes.

When consent is the lawful basis for the processing of
PII, [the organization] will determine, document, and
implement a process by which it can demonstrate and
record if, when and how consent for the processing of
PII was obtained from PII principals, as well as
determine, document, and implement a process to

[The organization] is required to undergo a privacy
assessment whenever new PII, new processing of PII or
changes to existing processing of PII is planned. In
addition, the assessment shall be reviewed, updated and
verified before a product is released for production, or
annually if no changes in PII, its processing
environment, or controls have occurred since the last
assessment.

[The organization] has written contracts with any PII
processors or controllers that it uses, and shall ensure
that their contracts address the implementation of the
appropriate controls. The controls include, but are not
limited to, mechanisms:
A) for notice to PII principals regarding the
processing of their PII or changes to the processing
of their PII (including changes in sub-processors, if any)
B) to modify or withdraw their consent (if consent is the
lawful basis for processing the PII)
C) for objection to the processing of their PII
D) for restriction of the processing of their PII
E) to access, correct and/or erase their PII
F) to retrieve in a secure manner any PII or user-
generated content they have provided [The
organization] in human and machine-readable formats
G) to provide in a secure manner a copy of the PII that
is processed
[The organization] determines and securely maintains
the necessary records in support of its obligations for
the processing of PII.
[The organization] determines and documents its
legal, regulatory and business obligations to PII
principals (data subjects) related to the processing of
their PII and provides the means to meet these
obligations. These controls include, but are not limited
to, mechanisms:
A) for notice to PII principals regarding the
processing of their PII or changes to the processing of
their PII (including changes in sub-processors, if any)
B) to modify or withdraw their consent (if consent is the
lawful basis for processing the PII)
C) for objection to the processing of their PII
D) for restriction of the processing of their PII
E) to access, correct and/or erase their PII
F) to retrieve in a secure manner the PII they have
provided [the organization] in human and machine-
readable formats
G) to provide in a secure manner a copy of the PII that
is processed
H) to handle and respond to legitimate requests from
PII principals for PII and provide the means to meet
these obligations.

[The organization] determines and documents the
information to be provided to the customer/controller
and/or PII principals regarding the processing of their PII
and the timing of such provision, creates a
customer-ready document detailing this information
prior to the offering being released, and makes it
available, or is prepared to make it available upon
request, once the offering has been released.

Privacy and protection of personally identifiable
information is ensured as required in relevant
legislation and regulation where applicable.
[The organization] informs third parties with whom PII
has been shared of any modification, withdrawal or
objection pertaining to the shared PII, and implements
appropriate policies, procedures and/or mechanisms to
do so. [The organization] documents the third parties'
confirmation of receipt, of updating their records, and
of using the data per the communication.

[The organization] limits the collection and processing
of PII to the minimum that is adequate, relevant,
proportional and necessary for the identified purposes.

[The organization] defines and documents data
minimization objectives and what mechanisms (such as
de-identification) are used to meet those objectives.
Collection and processing of PII is limited to the
minimum that is adequate, relevant, proportional and
necessary for the identified purposes.

[The organization] either deletes PII or renders it in a
form which does not permit identification or re-
identification of PII principals, as soon as the original PII
is no longer necessary for the identified purpose(s).
This includes temporary files created as a result of
processing PII.

[The organization] does not retain PII for longer than is
necessary for the purposes for which the PII is
processed.
[The organization] has documented policies, procedures
and/or mechanisms for the access, correction, and
disposal of PII.

[The organization] identifies and documents the
relevant basis for transfers of PII between jurisdictions,
external entities (i.e., third-parties), and internal
entities.

[The organization] records all requests, all transfers and
all disclosures of PII to and from third parties, including
what PII has been disclosed, to whom and at what time,
for what purpose, and will contractually ensure
cooperation with/from those parties to support future
requests related to obligations to the PII principals.

[The organization] ensures that PII processed on behalf
of a customer is only processed for the purposes
expressed in the documented instructions of the
customer/controller.
[The organization] determines and maintains the
necessary records in support of demonstrating
compliance with its obligations (as specified in the
applicable contract) for the processing of PII carried out
on behalf of a customer/controller.

[The organization] identifies decisions made by any
automated processing of PII that can have a legal or
similarly significant effect, so that the offering can
obtain the customer/controller's instructions on how to
handle processing of PII to meet legal, contractual,
policy, and regulatory requirements associated with
automated decision-making.

[The organization] documents and validates that PII is
as accurate, complete and up-to-date as is necessary
for the purposes for which it is processed, throughout
the life-cycle of the PII.

[The organization] subjects PII transmitted (e.g. sent to
another organization) over a data-transmission network
to appropriate controls designed to ensure that the
data reaches its intended destination.
[The organization] notifies customers of any legally
binding requests for disclosure of customer data or PII.

[The organization] rejects any requests for PII
disclosures that are not legally binding, and consults
the corresponding customer before making any PII
disclosures and accepting any contractually agreed
requests for PII disclosures that are authorized by the
corresponding customer.

[The Organization] notifies users whether personal
information is collected from sources other than the
user, and validates the information was collected fairly
and lawfully from reliable sources.

[The organization] determines respective roles and
responsibilities for the processing of PII (including PII
protection and security requirements) with any joint PII
controller and ensures that their contracts with any
processor or joint PII controllers address the
implementation of the appropriate controls.

[The Organization] specifies and documents the
countries to which PII can possibly be transferred when
[The Organization] as the processor/controller is
processing PII.
[The Organization] has a dedicated independent data
protection officer who is responsible for the following,
including but not limited to:
- Reporting to management all issues relating to PII
- Acting as a point of contact for supervisory authorities
- Informing top-level management and employees of the
organization of their obligations regarding processing
PII
- Reviewing and providing advice on privacy impact
assessments conducted by the organization.

Relevant parties are notified on a timely basis when
breaches of PII occur (with details of the breach,
consequences of the breach, and resolution taken to
resolve the breach), or of any PII transfers between
jurisdictions and of any intended changes in this
regard.

[The organization] does not use PII processed under a
contract for the purposes of marketing and advertising
without establishing that prior permission was obtained
from the appropriate PII principal. [The organization]
does not make providing such consent a condition for
receiving the service.

[The organization] ensures, where relevant, that the
contract to process PII addresses [the organization]'s
role in meeting the customer/controller's obligations of
purpose, minimization, proportionality, security, etc., to
meet their contracts with their users and the regulations
where the data is processed (taking into account the
nature of processing and the information available to
[The organization]).
[The organization] determines respective roles and
responsibilities for the processing of PII (including PII
protection and security requirements), including when it
is acting on behalf of itself (and does not require
instruction from the customer/controller), when it is
acting as proxy for the customer/controller (and does
not require additional permission or instruction), and
when it requires instruction and permission from the
customer, and ensures [The organization] resources are
appropriately trained.

[The organization] does not use PII processed under a
contract for purposes other than providing the
contracted services without proper permission from the
Controller and the PII principals. [The organization]
does not make providing such permission a condition
for receiving the service.

[The organization] informs the customer/controller if, in
its opinion, a processing instruction received from the
customer/controller infringes applicable legislation
and/or regulation.

[The organization] discloses to the customer/controller,
no less than 30 days before use, any use of
third-parties/subcontractors to process PII, and provides
a method for the customer/controller to object to any
changes.

[The organization] provides the customer/controller
with the appropriate information and access to
necessary controls and mechanism such that the
customer can demonstrate compliance with their
obligations.
[The organization], in the case of having general
written authorization, informs the customer/controller
of any intended changes concerning the addition or
replacement of subcontractors to process PII, thereby
giving the customer/controller the opportunity to object
to such changes.

Procedures are in place for customers to request access
to their own log records. Upon request, [the
organization] provides access to the respective log
records.

A documented Privacy Information Security
Management System Risk Assessment Methodology is
in place that includes guidance on the identification of
potential threats related to the processing of PII, rating
the significance of the risks associated with the
identified threats, and mitigation strategies for those
risks, documentation and communication of those risks,
as well as possible vulnerabilities within the cloud
service provider and their impacts. Upper management,
or its designated representative(s), owns this
methodology and is responsible for its adherence.
Privacy Risk assessments are performed at least
annually. As part of this process, threats and changes
(environmental, regulatory, and technological) to
service commitments are identified and the risks are
formally assessed. The privacy risk assessment
includes risk mitigation strategies and acceptance
levels based on [the organization] risk criteria. The
privacy risk assessment includes a consideration of
risks related to the processing of PII.

As part of its annual privacy risk assessment,
management selects and develops control activities
that contribute to the mitigation of identified risks.

[The organization] performs PII restoration tests at least
annually. Details of the restoration test are logged and
include details over who performed the test, a
description of the restored PII, as well as an integrity
check of the restored PII.

Security incident response policies and procedures are
documented and communicated to authorized
personnel.

Privacy and human rights incident response policies
and procedures are documented and communicated to
authorized personnel.

[The Organization] provides incident response
resources that offer advice and assistance on
handling and reporting security incidents for all [the
organization] employees to use.
All events related to security, confidentiality, and
availability are logged, tracked, and evaluated on an
on-going basis to determine whether they could have
resulted in a failure to meet security commitments.

All events related to privacy and human rights are
logged, tracked, and evaluated on an on-going basis to
determine whether they could have resulted in a failure
to meet privacy and human rights commitments.
Events are also reviewed for analysis and trends.

As a cloud service customer, [the organization] has
defined its requirements for event logging and verifies
that the cloud service meets those requirements.

[The organization] has provided logging capabilities to
its cloud service customers upon request.

[The Organization] establishes a process for responding
to intellectual property rights complaints. Revision
histories and review periods are defined within the
policies and standards themselves and [the
organization] Policy Governance Policy.
[The Organization] records the following information for
confirmed events in the cardholder data environment:
• user identification
• type of event
• date and time
• event success or failure indication
• origination of the event
• identification of affected data, system component, or
resource
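The event list for cardholder data environments earlier in this section and the per-event fields listed here together define what a compliant log record must contain. The following Python is an added example, not part of the CCF or any Cisco tooling: it validates constructed newline-delimited JSON records against those six fields, requires an unambiguous UTC timestamp, and flags unknown outcomes and event types. The field names and the event-type vocabulary are assumptions to map onto your own log schema.

```python
import json
from datetime import datetime, timedelta

# Added example, not CCF or Cisco code. Field names and the event-type
# vocabulary are assumptions; map them to your own log schema.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")
VALID_OUTCOMES = {"success", "failure"}
CDE_EVENT_TYPES = {
    "chd_access",            # individual user access to cardholder data
    "admin_action",          # administrative actions
    "log_server_access",     # access to logging servers
    "login_failure",         # failed logins
    "auth_change",           # modifications to authentication mechanisms or privileges
    "audit_log_control",     # initialization, stopping or pausing of audit logs
    "system_object_change",  # creation and deletion of system-level objects
    "security_event",        # other security events
}


def parse_utc_timestamp(value):
    """Accept ISO 8601 with an explicit UTC offset; naive or non-UTC stamps are
    rejected because they cannot be correlated unambiguously across systems."""
    try:
        ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.utcoffset() != timedelta(0):  # utcoffset() is None for naive values
        return None
    return ts


def validate_record(record):
    """Return the list of problems for one event record (empty when compliant)."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if not record.get(field)]
    if record.get("timestamp") and parse_utc_timestamp(record["timestamp"]) is None:
        problems.append("timestamp is not ISO 8601 UTC")
    if record.get("outcome") and record["outcome"] not in VALID_OUTCOMES:
        problems.append("outcome must be success or failure")
    if record.get("event_type") and record["event_type"] not in CDE_EVENT_TYPES:
        problems.append(f"unknown event_type {record['event_type']!r}")
    return problems


def audit_log_lines(lines):
    """Validate newline-delimited JSON; returns {line_number: problems} for
    every non-compliant line, so an empty dict means the batch is clean."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[number] = ["not valid JSON"]
            continue
        if not isinstance(record, dict):
            findings[number] = ["record is not a JSON object"]
            continue
        problems = validate_record(record)
        if problems:
            findings[number] = problems
    return findings


# Constructed sample lines (not real logs): one compliant record, then a record
# with no origin, one with a naive timestamp and a free-text outcome, and garbage.
SAMPLE_LINES = [
    '{"user":"jdoe","event_type":"chd_access","timestamp":"2024-03-01T12:00:00Z",'
    '"outcome":"success","origin":"10.0.5.12","target":"db01:cards"}',
    '{"user":"svc_backup","event_type":"audit_log_control","timestamp":"2024-03-01T12:01:00Z",'
    '"outcome":"success","target":"logsrv01"}',
    '{"user":"root","event_type":"admin_action","timestamp":"2024-03-01 12:02:00",'
    '"outcome":"ok","origin":"10.0.5.3","target":"fw01"}',
    "not json at all",
]

if __name__ == "__main__":
    for number, problems in audit_log_lines(SAMPLE_LINES).items():
        print(f"line {number}: {'; '.join(problems)}")
```

Run it over a sample of each log source in the cardholder data environment before an assessment; a source whose records never pass this check cannot support the per-user forensic reconstruction the narrative requires.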

A supplier management program is in place.
Components of this program include but are not limited
to:
- Maintaining a list of critical third-party suppliers.
- Requirements for third-party suppliers to maintain
their own security and privacy practices and
procedures.

For high dependency suppliers, exit strategies and/or
alternative supplier relationships are established.

At least annually, management reviews controls within
third party assurance reports to ensure that they meet
organizational requirements; if control gaps, significant
changes, or reported incidents are identified in the
assurance reports, management takes action to
address the impact the disclosed gaps have on the
organization.
Contracts and agreements with third-party IT
outsourced suppliers include a requirement that
cybersecurity managed services centers for monitoring
and operations be located entirely inside the Kingdom
of Saudi Arabia.

[The Organization] evaluates all National Cybersecurity
Authority requests to remove software or services
provided by third-party providers for appropriateness,
and will remove the software or service upon validation
of the request.

All incidents related to security, availability, and
confidentiality are logged, tracked, resolved, evaluated
and communicated to affected parties by management
until [The Organization] has recovered from the
incidents.

All incidents related to privacy are logged, tracked,
resolved, assigned a severity level, evaluated and
communicated to affected parties by management until
[The Organization] has recovered from the incidents.
[The Organization] has established an incident
response plan that is tested at least annually to assess
the effectiveness of the incident response program.

System capacity is evaluated continuously and system
changes are implemented to help ensure processing
capacity can meet demand.

Critical systems are monitored in accordance with
predefined availability criteria and alerts are sent to
authorized personnel.
Budgets for infrastructure capacity are established
based on analysis of historical business activity and
growth projections; purchases are made against the
established budget and plans are updated at least
annually.

Master Purchase Agreements (including Master Services
Agreements/MSAs, Enterprise Agreements, etc.) agreed
to between [The Organization] and customers include
[The Organization]'s commitments to its customers
with respect to the relevant product(s) and service(s)
comprising the [The Organization] service.

Formal, legally approved information sharing agreements
are in place with related critical suppliers. These
agreements include confidentiality commitments
applicable to that entity.
Consent is obtained for [The Organization] Terms of
Service (ToS) prior to collecting customer or personal
information.

Assets of the cloud service customer that are on the
cloud service provider's premises are removed, and
returned if necessary, in a timely manner upon
termination of the cloud service agreement. Return of
assets is documented and information regarding the
returned assets is provided to the customers.

[The Organization] does not store full track data,
sensitive authentication data, card verification codes,
or personal identification numbers (PINs) from the
payment cards that [The Organization] processes for
payment.

Where applicable, when [The Organization] manages,
stores, or transmits cardholder data on behalf of a
customer, it provides written acknowledgement to
customers of its responsibility to protect cardholder
data and the cardholder data environment.

Where applicable, [The Organization] has managed
antivirus deployments and ensures the following:
• signature definitions are updated
• full scans are performed monthly and real-time scans
are enabled
• alerts are reviewed and resolved by authorized
personnel
Anti-malware technology is deployed for environments
commonly susceptible to malicious attack and is
configured to be updated routinely, logged, and
installed on all employee workstations.

[The Organization]'s antivirus deployments generate audit logs, which are retained for at least one year with the data immediately available for analysis.

Antivirus mechanisms cannot be disabled or altered by users unless specifically authorized by management.

[The Organization] utilizes sandboxing to detect or block potentially malicious emails.

Internal and external network vulnerability scans are performed at least monthly. Identified vulnerabilities are assigned for remediation and monitored for closure.

Penetration testing is performed at least annually. All discovered vulnerabilities are triaged for criticality and assigned for remediation in compliance with the internal S-Rating and SLAs as defined in the internal Standard S-Rating Classification.

[The Organization] subscribes to relevant security bulletins and email alerts and uses them to monitor the impact of emerging technologies and security threats. The cloud service provider provides information about the management of technical vulnerabilities that can impact customers.

Existing and emerging software vulnerabilities are detected at least monthly, and a vulnerability scan is included upon every code release. Any vulnerabilities identified are assigned a risk rating and are reviewed and remediated accordingly.

Infrastructure supporting the service, and applications, are patched upon availability as a part of routine maintenance and as a result of identified vulnerabilities and supplier-supplied patches, to help ensure that the applications and the infrastructure network and system components supporting the service are hardened against security threats.

[The Organization] installs security-relevant software and firmware updates per [The Organization] policy, and incorporates flaw remediation into [The Organization]'s configuration management process.

[The Organization] has prepared a description of the system and its boundaries and has provided this description to internal and external authorized users.

[The Organization] defines external communication requirements for incidents, including:
• information about external party dependencies
• criteria for notification to external parties as required by [The Organization] policy in the event of a security breach
• contact information for authorities (e.g., law enforcement, regulatory bodies, etc.)
• provisions for updating and communicating changes to external communication requirements

The cloud service customer identifies authorities relevant to the combined operation of the cloud service customer and cloud service provider.

[The Organization] maintains software license contracts and monitors its compliance with usage restrictions.

[The Organization] informs its cloud service customers within 72 hours whenever [The Organization]'s internal or external staff read or write cloud customers' data during processing, storage or transmission. The information regarding the access is sufficiently detailed to enable the client to assess the risks of the access.

Investigation requests from government agencies are subjected to legal assessment by subject matter experts to determine whether the requests have an applicable legal basis, and whether [The Organization] is required to comply with the requests.

All trusted connections are documented and approved by authorized personnel; management ensures the following documentation is in place prior to approval:
• agreement with supplier
• security requirements
• nature of transmitted information

[The Organization] protects its public information system presence with the following processes: only authorized and trained individuals may post public information, content is reviewed prior to publishing, information on public systems is reviewed periodically, and non-public information is removed from public systems upon discovery.

The cloud service provider informs the cloud service customer of the legal jurisdictions governing the cloud service.

[The Organization] services operating in Saudi Arabia (KSA) are required to conduct penetration tests on their environments at least semi-annually.

[The Organization] conducts penetration tests against cardholder data environments (CDE) and includes the following requirements:
• testing covers the entire CDE perimeter and critical data systems
• testing verifies that CDE perimeter segmentation is operational
• testing is performed from both inside and outside the CDE network
• testing validates segmentation and scope reduction controls (e.g., tokenization processes)
• network layer penetration tests include components that support network functions as well as operating systems
• testing is performed with consideration of threats verified on an ongoing basis from external alerts, directives, and advisories
• testing is performed with consideration of vulnerabilities reported through [The Organization]'s incident process on an ongoing basis
• risk ratings are assigned to discovered vulnerabilities, which are tracked through remediation

IRAP Unique Controls


Legal and regulatory advice is sought regarding the
development and implementation of a trusted insider
program.

[The Organization] has a dedicated Chief Information Security Officer (CISO) who is responsible for providing guidance and overseeing the cyber security program at [The Organization]. The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, which meets formally on a regular basis.

If applicable, the compromise or suspected compromise of cryptographic equipment or associated keying material is reported to the organization's Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs. Keying material is changed when compromised or suspected of being compromised.

[The Organization] pursuing IRAP is responsible for identifying a sponsor.

Customer and Personal Information is monitored for data spillage. In the event of a data spill, the event is assessed for impact and the data is immediately removed, or access to the data is restricted.

Authentication and authorization for use of IP phones and video conferencing follow the following requirements:
• Video conferencing or IP telephony traffic has an encrypted and non-replayable authentication scheme.
• Authentication and authorization are in place for all call-related activities such as individual logins for IP phones, call setup, changing settings, and accessing voicemail.
• IP phones are configured to authenticate to the call controller upon registration. Auto-registration, along with all other unused and prohibited functionality, is disabled.
• Unauthorized devices are blocked by default.

Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations.

A fax machine and multi-function device (MFD) policy is implemented and includes the following requirements:
• Separate fax machines and MFDs are used for sending classified information.
• Messages are encrypted to an appropriate level depending on information sensitivity.
• The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent, and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time.
• A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorized to operate at the same sensitivity or classification as the network to which the MFD is connected.
• MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network.
• Fax machines and MFDs are located in areas where their use can be observed.

Mobile devices do not process, store or communicate SECRET or TOP SECRET data until approved for use by the ACSC.

If applicable, personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ACSC-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work data from any personal data.

Privately-owned mobile devices are prohibited from accessing systems or data before being configured with the appropriate security standards. Privately-owned mobile devices do not access SECRET and TOP SECRET systems or data. Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data.

Personnel accessing official or classified systems or data using an organization-owned mobile device use an ACSC-approved platform with a security configuration in accordance with ACSC guidance.

All data on mobile devices is encrypted.

The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 meters by using class 2 or class 3 Bluetooth devices.

Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.

Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.

If applicable, Bluetooth pairing is performed using Secure Connections, preferably with Numeric Comparison if supported.

If applicable, Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices.

If applicable, Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use.

Paging, Multimedia Message Service, Short Message Service and messaging apps are prohibited from being used to communicate sensitive or classified data.

Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed.

Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.

Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.

Mobile devices are kept under continual direct supervision when being actively used.

Mobile devices are carried or stored in a secured state when not being actively used.

A mobile device emergency sanitization process, and supporting mobile device emergency sanitization procedures, are developed and implemented.

Personnel are advised of privacy and security risks when travelling overseas with mobile devices.

If travelling overseas with mobile devices to high/extreme risk countries, personnel are:
• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities
• advised on how to apply and inspect tamper seals to key areas of devices
• advised to avoid taking any personal devices, especially if rooted or jailbroken.

Before travelling overseas with mobile devices, personnel take the following actions:
• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
• update all applications and operating systems
• remove all non-essential accounts, applications and data
• apply security configuration settings, such as lock screens
• configure remote locate and wipe functionality
• enable encryption, including for any media used
• back up all important data and configuration settings.

Personnel take the following precautions when travelling overseas with mobile devices:
• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
• never storing credentials with the devices that they grant access to, such as in laptop bags
• never lending devices to untrusted people, even if briefly
• never allowing untrusted people to connect other devices or media to their devices, including for charging
• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
• avoiding connecting devices to open or untrusted Wi-Fi networks
• using an approved Virtual Private Network to encrypt all device communications
• using encrypted mobile applications for communications instead of using foreign telecommunication networks
• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
• avoiding reuse of media once used with other parties' devices or systems
• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand
• never using any gifted devices, especially media, when travelling or upon returning from travelling.

Personnel report the potential compromise of mobile devices, media or credentials to their organization as soon as possible, especially if they:
• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials
• have devices or media stolen that are later returned
• lose devices or media that are later found
• observe unusual behavior of devices.

Upon returning from travelling overseas with mobile devices, personnel take the following actions:
• sanitize and reset devices, including all media used with them
• decommission any physical credentials that left their possession during their travel
• report if significant doubt exists as to the integrity of any devices following their travel.

If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:
• reset user credentials used with devices, including those used for remote access to their organization's systems
• monitor accounts for any indicators of compromise, such as failed login attempts.

Administrator workstations are placed into a separate network zone from user workstations.

Management traffic is only allowed to originate from network zones that are used to administer systems and applications.

Jump servers are used for administrative activities and are prevented from communicating with assets and traffic not related to the administrative activities.

Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

If applicable, high assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC.
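Added example (not part of the CCF) that turns the six timeframes above into a remediation tracker: each finding's deadline is derived from its risk rating, the same SLA applying to applications/drivers and to operating systems/firmware, and findings past their deadline are listed so the control can be evidenced. The findings are constructed, and "one month" is taken as 30 days, which is an assumption because the control does not define the month length.

```python
"""Remediation-deadline tracker for the IRAP patching timeframes (added example, not CCF code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Timeframes stated by the controls; identical for applications/drivers and OS/firmware.
SLA = {
    "extreme": timedelta(hours=48),
    "high": timedelta(weeks=2),
    "moderate": timedelta(days=30),   # assumption: one month = 30 days
    "low": timedelta(days=30),
}


@dataclass
class Finding:
    finding_id: str
    component: str                 # "application", "driver", "os" or "firmware"
    risk: str                      # extreme / high / moderate / low (any case)
    identified_at: datetime        # when a vendor, third party, admin or user reported it
    remediated_at: Optional[datetime] = None


def deadline(finding: Finding) -> datetime:
    """Latest time by which the finding must be patched, updated or mitigated."""
    try:
        return finding.identified_at + SLA[finding.risk.lower()]
    except KeyError:
        raise ValueError(f"{finding.finding_id}: unknown risk rating {finding.risk!r}")


def sla_status(finding: Finding, now: datetime) -> str:
    """'met' or 'breached' for closed findings, 'open' or 'overdue' for open ones."""
    due = deadline(finding)
    if finding.remediated_at is not None:
        return "met" if finding.remediated_at <= due else "breached"
    return "overdue" if now > due else "open"


def sla_exceptions(findings: List[Finding], now: datetime) -> List[str]:
    """IDs of findings that have missed (or already breached) their deadline."""
    return [f.finding_id for f in findings
            if sla_status(f, now) in ("overdue", "breached")]


# Constructed sample findings for demonstration.
UTC = timezone.utc
SAMPLE = [
    Finding("F-1", "application", "extreme", datetime(2024, 3, 1, tzinfo=UTC),
            remediated_at=datetime(2024, 3, 2, 12, tzinfo=UTC)),        # met (within 48 h)
    Finding("F-2", "firmware", "extreme", datetime(2024, 3, 8, tzinfo=UTC)),   # overdue
    Finding("F-3", "os", "High", datetime(2024, 3, 1, tzinfo=UTC)),           # open (2 weeks)
    Finding("F-4", "driver", "low", datetime(2024, 1, 15, tzinfo=UTC),
            remediated_at=datetime(2024, 2, 20, tzinfo=UTC)),           # breached (30 days)
    Finding("F-5", "application", "moderate", datetime(2024, 2, 20, tzinfo=UTC)),  # open
]
NOW = datetime(2024, 3, 10, 12, tzinfo=UTC)

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.finding_id:5} {f.risk:9} due {deadline(f).isoformat()}  {sla_status(f, NOW)}")
    print("exceptions:", sla_exceptions(SAMPLE, NOW))
```

Feeding the tracker from a vulnerability scanner's export, with `identified_at` set to the vendor advisory date rather than the scan date, gives the auditor the same deadline the control describes.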

If applicable, web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.
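A check for the three headers named in the control, written as an added example (not CCF code): it reports a header as missing, and also flags values that satisfy the letter but not the intent (an HSTS header with no positive max-age, an X-Frame-Options value other than DENY or SAMEORIGIN, a CSP whose script sources permit 'unsafe-inline'). The two header sets at the bottom are constructed.

```python
"""Security-header check for CSP, HSTS and X-Frame-Options (added example, not CCF code)."""
from typing import Dict, List


def _hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or -1 if absent or invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def _csp_allows_inline_scripts(csp: str) -> bool:
    """True if script-src (or default-src when script-src is absent) permits 'unsafe-inline'."""
    directives = {}
    for d in csp.split(";"):
        parts = d.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means all three controls hold."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif _csp_allows_inline_scripts(csp):
        findings.append("Content-Security-Policy permits 'unsafe-inline' scripts")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (HSTS)")
    elif _hsts_max_age(hsts) <= 0:
        findings.append("Strict-Transport-Security has no positive max-age")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    return findings


# Constructed samples: a hardened response and a weak one.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    print("hardened:", check_security_headers(HARDENED) or "ok")
    print("weak:", check_security_headers(WEAK))
```

The header dictionary can come from any HTTP client; the check deliberately does not fetch anything itself so it can run against recorded responses in a CI job.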

If applicable, the OWASP Application Security Verification Standard is followed when developing web applications.

Database servers and web servers are functionally separated, physically or virtually.

If applicable, database servers that require network connectivity are placed on a different network segment from the organization's workstations.

If only local access to a database is required, the networking functionality of the database management system (DBMS) software is disabled or directed to listen solely on the localhost interface.

If applicable, Database Management System (DBMS) software is installed and configured according to vendor guidance. All temporary files from installation are removed after the installation completes, and all unneeded features are disabled.

If applicable, DBMS software runs as a separate account that follows the least privilege concept for access rights. The DBMS software does not have the ability to read local files from the server.

All queries to databases from web applications are filtered for legitimate content and correct syntax.

Parameterized queries or stored procedures are used for database interaction instead of dynamically generated queries.

Web applications are designed to provide as little error information as possible to users about database schemas.

Access to non-approved webmail services is blocked.

Protective markings are applied to all emails containing highly sensitive information. Protective markings are applied manually and not through an automatic tool.

Protective marking tools do not allow users to select protective markings that a system has not been authorized to process, store or communicate.

Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email.

Email servers are configured to block, log and report emails with inappropriate protective markings. The sender and recipient of blocked emails are notified.

If applicable, emails containing AUSTEO, AGAO or REL data are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed.

Email is routed through a centralized email gateway. When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via the centralized email gateway.

Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway.

Email servers only relay emails destined for or originating from their domains.

Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.

MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers.

SPF (Sender Policy Framework) is used to specify authorized email services (or lack thereof) for all domains.

A hard fail SPF record is used when specifying email servers.

SPF is used to verify the authenticity of incoming emails.

Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients.

DKIM (DomainKeys Identified Mail) signatures are enabled on emails originating from the organization's domains, and received emails are verified. Email distribution list software used by external senders is configured such that it does not break the validity of the sender's DKIM signature. DMARC (Domain-based Message Authentication, Reporting and Conformance) records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks.

Email content filtering controls are implemented for email bodies and attachments.

Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway.
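An added example (not CCF code) covering the SPF hard-fail, DMARC reject and internal-domain-spoofing controls above: it parses a domain's SPF and DMARC TXT records to confirm they end in `-all` and carry `p=reject`, and applies the inbound gateway rule (block external mail claiming an internal domain, block SPF failures, visibly mark soft failures). The DNS records and the internal domain list are constructed; verifying a DKIM signature needs the signer's public key and is assumed to be done by the mail transfer agent, so it is not repeated here.

```python
"""SPF/DMARC record policy checks and the inbound gateway decision (added example, not CCF code)."""
from typing import Dict, Optional

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}   # constructed


def spf_policy(record: str) -> Dict[str, object]:
    """Parse an SPF TXT record and report the qualifier on its 'all' mechanism.
    '-all' is the hard fail the control requires; '~all' is only a soft fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "hard_fail": False}
    qualifier: Optional[str] = None
    for term in terms[1:]:
        q = term[0] if term[0] in "+-~?" else "+"      # '+' is the implicit qualifier
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            qualifier = q
            break                                       # terms after 'all' are ignored by receivers
    return {"valid": True, "all": qualifier, "hard_fail": qualifier == "-"}


def dmarc_policy(record: str) -> Dict[str, object]:
    """Parse a DMARC TXT record; the control calls for p=reject."""
    tags = {}
    for item in record.split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    valid = tags.get("v") == "DMARC1" and tags.get("p") in ("none", "quarantine", "reject")
    return {"valid": valid, "p": tags.get("p"), "rejects_failures": tags.get("p") == "reject"}


def gateway_decision(external_connection: bool, sender_domain: str, spf_result: str) -> str:
    """Inbound gateway rule for one message, given the MTA's SPF evaluation result
    ('pass', 'fail', 'softfail', 'none', ...)."""
    if external_connection and sender_domain.lower() in INTERNAL_DOMAINS:
        return "block: internal domain from external connection"
    if spf_result == "fail":
        return "block: SPF fail"
    if spf_result == "softfail":
        return "mark: SPF softfail"     # kept, but marked so the recipient can see it
    return "accept"


# Constructed records (192.0.2.0/24 is the RFC 5737 documentation range).
SPF_HARD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SPF_SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
DMARC_NONE = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(spf_policy(SPF_HARD), spf_policy(SPF_SOFT))
    print(dmarc_policy(DMARC_REJECT), dmarc_policy(DMARC_NONE))
    print(gateway_decision(True, "example.com", "pass"))
    print(gateway_decision(True, "partner.example.net", "softfail"))
```

Running `spf_policy` and `dmarc_policy` over every domain the organization owns (including parked ones, for which the control's "or lack thereof" means `v=spf1 -all`) is a quick way to evidence the two record controls during an assessment.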

VLANs (Virtual Local Area Networks) are not used to separate network traffic between the organization's networks and public network infrastructure, or between networks belonging to different security domains.

If applicable, network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces.

If applicable, network devices managing VLANs belonging to different security domains do not share VLAN trunks.

Network devices managing VLANs are administered from the most trusted security domain.

If applicable, IPv6 functionality is disabled for dual-stack network devices and ICT equipment unless it is being used. Network security devices that support IPv6 are used on dual-stack networks.

If applicable, unless explicitly required, IPv6 tunneling is disabled on all network devices and ICT equipment. IPv6 tunneling is blocked by network security devices at externally-connected network boundaries.

If applicable, dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner, with lease data stored in a centralized logging facility.

Servers maintain effective functional separation from other servers, allowing them to operate independently. Servers minimize communications with other servers at both the network and file system level.

Inbound network connections from and outbound network connections to anonymity networks are blocked.

The administrative interface on wireless access points is disabled for wireless network connections.

If applicable, the default SSIDs (Service Set Identifiers) of wireless access points are changed, and SSIDs are enabled on all wireless networks. The SSID of a non-public network is not associated with the organization.

Static addressing is not used for assigning IP addresses on wireless networks.

MAC (Media Access Control) address filtering is not used to restrict which devices can connect to wireless networks.

802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication, with all other EAP methods disabled on supplicants and authentication servers.

Both device and user certificates are required for accessing wireless networks. Device and user certificates are not stored on the same device and are issued on smart cards with access PINs. User or device certificates are protected by encryption.

If applicable, the PMK (Pairwise Master Key) caching period is not set to greater than 1440 minutes (24 hours).

Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security.

WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic.

Wireless access points enable the use of the 802.11w amendment to protect management frames.
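A configuration check for the access-point side of the wireless controls above (802.1X enabled, WPA3-Enterprise 192-bit, 802.11w management-frame protection required, PMK caching within 1440 minutes, no MAC address filtering), as an added example that is not CCF code. It reads a hostapd.conf-style key=value file; the two configurations are constructed, and the key names used (ieee8021x, wpa_key_mgmt, ieee80211w, macaddr_acl, dot11RSNAConfigPMKLifetime) are an assumed mapping onto hostapd's settings that should be adapted to the controller actually in use. Whether every EAP method other than EAP-TLS is disabled is decided on the RADIUS server and is out of scope for this file-level check.

```python
"""Wireless AP configuration check against the IRAP wireless controls (added example, not CCF code)."""
from typing import Dict, List

PMK_MAX_SECONDS = 1440 * 60   # the control's 24-hour ceiling on PMK caching


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines, ignoring blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_ap_config(text: str) -> List[str]:
    """Return one finding per control the configuration does not satisfy."""
    conf = parse_kv(text)
    findings = []
    if conf.get("ieee8021x") != "1":                          # assumed hostapd key
        findings.append("802.1X is not enabled")
    if conf.get("wpa_key_mgmt") != "WPA-EAP-SUITE-B-192":     # assumed hostapd key/value
        findings.append("WPA3-Enterprise 192-bit mode (Suite B 192) is not selected")
    if conf.get("ieee80211w") != "2":                         # assumed: 2 = MFP required
        findings.append("802.11w management frame protection is not required")
    if conf.get("macaddr_acl") == "1":                        # assumed: 1 = accept-list mode
        findings.append("MAC address allow-listing is in use")
    lifetime = conf.get("dot11RSNAConfigPMKLifetime")         # assumed key, seconds
    if lifetime is not None:
        try:
            if int(lifetime) > PMK_MAX_SECONDS:
                findings.append("PMK caching period exceeds 1440 minutes")
        except ValueError:
            findings.append("PMK lifetime is not a number")
    return findings


# Constructed configurations: one that satisfies the controls, one that does not.
HARDENED = """
# constructed sample
ssid=corp-secure
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
ieee80211w=2
macaddr_acl=0
dot11RSNAConfigPMKLifetime=43200
"""

WEAK = """
ssid=corp-legacy
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=0
macaddr_acl=1
dot11RSNAConfigPMKLifetime=172800
"""

if __name__ == "__main__":
    print("hardened:", check_ap_config(HARDENED) or "ok")
    for finding in check_ap_config(WEAK):
        print("weak:", finding)
```

Controllers that are not hostapd expose the same five settings under their own names; keeping the control-to-setting mapping in one place, as the comments do here, keeps the check honest when it is ported.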
Instead of deploying a small number of wireless access
points that broadcast on high power, a greater number
of wireless access points that use less broadcast power
are deployed to achieve the desired footprint.

The effective range of wireless communications outside the organization's area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used.

All wireless access points are Wi-Fi Alliance certified.

A cloud service provider is used for hosting online services.

When using environments that require high availability, Content Delivery Networks that cache websites are used, and exposing the IP address of the web server under the organization's control is avoided. The origin server is restricted to the CDN and an authorized management network.

Domain names for online services are protected via registrar locking and by confirming that domain registration details are correct.

HACE (High Assurance Cryptographic Equipment) is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.

All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.

All gateways connecting networks in different security domains are operated such that they:
• log network traffic permitted through the gateway
• log network traffic attempting to leave the gateway
• are configured to save event logs to a secure logging facility
• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns.

Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.

Demilitarized zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarized zones.

System administrator roles for gateway administration are created. Gateway administrators are formally trained to manage gateways.

- All system administrators of gateways are cleared to access the highest level of data communicated or processed by the gateway.
- All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) data are Australian nationals.
- Roles for the administration of gateways are separated.
- For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party.

Once connectivity is established, system owners become stakeholders, and are defined, for all connected security domains.

Users and services that access the network through a gateway are authenticated. Only authenticated users that are authorized can use the gateway. All ICT (Information and Communications Technology) equipment accessing networks through gateways is authenticated too. Multi-factor authentication is used to access gateways.

If applicable, when connecting a SECRET or TOP SECRET network to any other network from a different security domain, a cross domain solution (CDS) is implemented.

If applicable, when designing and deploying a CDS, the ACSC (Australian Cyber Security Centre) is notified and consulted, and directions provided by the ACSC are complied with.

If applicable, when introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS, and directions provided by the ACSC are complied with.

If applicable, a CDS between a highly classified network and any other network implements:
- isolated upward and downward network paths
- protocol breaks at each layer of the OSI model
- content filtering and separate independent security-enforcing components for upward and downward data flows

If applicable, users are trained on the secure use of a CDS before access to the CDS is granted.

If applicable, a representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains.

In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network.

In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network.

If applicable, an evaluated diode is used for controlling the data flow of unidirectional gateways between the organization's networks and public network infrastructure.

If applicable, an evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and public network infrastructure completes a high assurance evaluation.

If applicable, an evaluated diode is used for controlling the data flow of unidirectional gateways between networks.

If applicable, an evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and any other network completes a high assurance evaluation.

An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification.

An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification.

A diode (or a server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred.

All web access (including to internal servers) is conducted through a web proxy. Web proxies authenticate users and provide logging that includes:
• address (uniform resource locator)
• time/date
• user
• amount of data uploaded and downloaded
• internal and external IP addresses.

A web content filter is used to filter potentially harmful web-based content. Web content filtering controls are applied to outbound web traffic where appropriate.

Client-side active content, such as Java, is restricted to a list of allowed websites.

Legal advice is sought regarding the inspection of TLS traffic by internet gateways.

Blacklisting and whitelisting methods are used for web content filters. Methods include:
- A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways.
- If a list of allowed websites is not implemented, a list of allowed website categories and a list of blocked websites are implemented instead.
- If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective.
- Attempts to access a website through its IP address instead of through its domain name are blocked.
- Dynamic domains and other domains where domain names can be registered anonymously for free are blocked.
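The decision logic of the web content filter described in the list above, as an added example that is not CCF code: it supports both the allowed-website mode and the fallback mode (allowed categories plus a blocked-website list), and in either mode blocks access by IP literal and access to dynamic or anonymously registrable domains. The allow list, block list, category map and dynamic-domain suffixes are constructed (.test is a reserved top-level domain).

```python
"""Web content filter decision for the allowed/blocked-website controls (added example, not CCF code)."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed policy data.
ALLOWED_SITES = {"intranet.example.com", "docs.example.org"}
BLOCKED_SITES = {"phish.example.net"}
ALLOWED_CATEGORIES = {"business", "technology"}
CATEGORY_MAP = {"news.example.org": "news", "vendor.example.net": "technology"}
FREE_DYNAMIC_SUFFIXES = (".dyn.test", ".freehost.test")   # stand-ins for dynamic-DNS providers


def _matches(host: str, sites) -> bool:
    """Exact or subdomain match; 'docs.example.org.evil.test' does not match 'docs.example.org'."""
    return any(host == s or host.endswith("." + s) for s in sites)


def filter_decision(url: str, mode: str = "allowlist") -> Tuple[str, str]:
    """Return ('allow' | 'block', reason). mode is 'allowlist' (list of allowed
    websites) or 'blocklist' (allowed categories plus a blocked-website list)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "block", "not HTTP/HTTPS"
    host = (parts.hostname or "").lower()
    if not host:
        return "block", "no host"
    try:
        ipaddress.ip_address(host)       # hostname already strips [] from IPv6 literals
        return "block", "access by IP address instead of domain name"
    except ValueError:
        pass                             # a normal domain name
    if host.endswith(FREE_DYNAMIC_SUFFIXES):
        return "block", "dynamic or anonymously registered domain"
    if mode == "allowlist":
        if _matches(host, ALLOWED_SITES):
            return "allow", "on allowed-website list"
        return "block", "not on allowed-website list"
    if _matches(host, BLOCKED_SITES):
        return "block", "on blocked-website list"
    category = CATEGORY_MAP.get(host, "uncategorized")
    if category in ALLOWED_CATEGORIES:
        return "allow", f"category {category} allowed"
    return "block", f"category {category} not allowed"


if __name__ == "__main__":
    for url, mode in [("https://intranet.example.com/page", "allowlist"),
                      ("https://docs.example.org.evil.test/", "allowlist"),
                      ("http://192.0.2.10/admin", "allowlist"),
                      ("http://[2001:db8::1]/", "blocklist"),
                      ("https://host.dyn.test/", "blocklist"),
                      ("https://vendor.example.net/", "blocklist"),
                      ("https://news.example.org/", "blocklist")]:
        print(f"{mode:9} {url:40} -> {filter_decision(url, mode)}")
```

Uncategorized hosts are blocked in the fallback mode because the control frames it as a list of allowed categories; a deployment that prefers to allow unknown sites would also need the daily-updated blocked-website list the control calls for.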
If applicable, when importing data into a security domain, the data is filtered by a content filter designed for that purpose. Content filters deployed in a CDS (cross domain solution) are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed.

All suspicious, malicious and active content is blocked from entering a security domain. Suspicious content is blocked until reviewed and approved for transfer by a trusted source other than the originator.

Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behavior.

Content validation is performed on all data passing through a content filter, with content which fails content validation blocked.

Content conversion is performed for all ingress or egress data transiting a security domain boundary.

Content sanitization is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary.

The contents of archive/container files are extracted and subjected to content filter checks. Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected.

Files that cannot be inspected are blocked and generate an alert or notification.
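An added example (not CCF code) of the controlled archive inspection the two controls above describe: it extracts a zip archive's entries so they can be handed to the content filter, but refuses archives that would exhaust the filter (declared expansion beyond a byte budget or compression ratio, nesting deeper than one level, too many entries, entries longer than their headers declare) and, per the last control, blocks with a reason any archive it cannot inspect (corrupt or encrypted). The limits and the sample archives are constructed.

```python
"""Controlled inspection of zip archives for content filtering (added example, not CCF code)."""
import io
import zipfile
from typing import Dict, List, Optional

MAX_ENTRIES = 1000          # constructed limits; tune to the filter's capacity
MAX_TOTAL_BYTES = 5_000_000
MAX_RATIO = 100             # declared uncompressed : compressed
MAX_DEPTH = 1               # one archive inside another is allowed, deeper is not


def _block(reason: str) -> Dict[str, object]:
    # The returned reason is what the alert or notification carries.
    return {"verdict": "block", "reason": reason, "files": []}


def _read_capped(fh, cap: int) -> Optional[bytes]:
    """Read at most cap bytes; None if the entry is longer than its header declares."""
    data = fh.read(cap + 1)
    return None if len(data) > cap else data


def inspect_archive(data: bytes, depth: int = 0) -> Dict[str, object]:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return _block("cannot be inspected: not a readable zip archive")
    files: List[str] = []
    total_uncompressed = total_compressed = 0
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return _block(f"too many entries ({len(infos)})")
        for zi in infos:
            if zi.flag_bits & 0x1:                      # general-purpose bit 0: encrypted
                return _block(f"cannot be inspected: {zi.filename} is encrypted")
            total_compressed += zi.compress_size
            total_uncompressed += zi.file_size
            # Budget checks use the headers, so nothing is decompressed before they pass.
            if total_uncompressed > MAX_TOTAL_BYTES:
                return _block("declared size exceeds inspection budget")
            if total_uncompressed > MAX_RATIO * max(total_compressed, 1):
                return _block("compression ratio too high (possible decompression bomb)")
            with zf.open(zi) as fh:
                content = _read_capped(fh, zi.file_size)
            if content is None:
                return _block(f"{zi.filename} is larger than its header declares")
            files.append(zi.filename)               # this entry now goes to the content filter
            if zi.filename.lower().endswith(".zip"):
                if depth + 1 > MAX_DEPTH:
                    return _block(f"nesting deeper than {MAX_DEPTH} at {zi.filename}")
                inner = inspect_archive(content, depth + 1)
                if inner["verdict"] == "block":
                    return _block(f"{zi.filename}: {inner['reason']}")
                files.extend(f"{zi.filename}/{name}" for name in inner["files"])
    return {"verdict": "allow", "reason": "", "files": files}


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a constructed archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples.
CLEAN = make_zip({"report.txt": b"quarterly figures\n", "notes.md": b"# notes\n"})
BOMB = make_zip({"zeros.bin": b"\0" * 2_000_000})                 # roughly 1000:1 expansion
NESTED_OK = make_zip({"inner.zip": make_zip({"a.txt": b"a"})})
NESTED_DEEP = make_zip({"l1.zip": make_zip({"l2.zip": make_zip({"a.txt": b"a"})})})
GARBAGE = b"this is not an archive"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("bomb", BOMB), ("nested_ok", NESTED_OK),
                       ("nested_deep", NESTED_DEEP), ("garbage", GARBAGE)]:
        print(name, inspect_archive(blob))
```

Other container formats (tar, 7z, OOXML documents, which are themselves zip files) need the same shape of checks; the budget and depth limits belong in the filter's configuration so they can be tuned against its measured throughput rather than hard-coded as here.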

If applicable, system owner consultation and legal advice is sought before allowing a targeted cyber intrusion activity to continue on a system for the purpose of collecting further data or evidence.

In the event of a successful targeted cyber intrusion, full network traffic is captured for at least seven days and analyzed to determine whether the adversary has been successfully removed from the system.

Video and calling infrastructure is hardened and abides by the following requirements:

• Video conferencing or IP telephony traffic flows through a gateway with a video-aware and/or voice-aware firewall.
• Video conferencing and IP telephony calls are
established using a secure session initiation protocol.
• Video conferencing and IP telephony traffic is
separated physically or logically from other data traffic.
Workstations that use video and IP phone traffic use
VLANs or similar mechanisms to maintain separation
between video conferencing, IP telephony and other
data traffic.
• If IP phones are used in public areas, their ability to
access data networks, voicemail and directory services
are prevented.
• Video conferencing and IP telephony calls are
conducted using a secure real-time transport protocol.

Investigators are responsible for maintaining the integrity of evidence gathered during an investigation.
Cloud customers and service providers maintain 24x7 contact details for each other in order to report cyber security incidents. Contact details include additional out-of-band contact details for use when normal communication channels fail.

All Cyber Security Incidents are reported to the Australian Cyber Security Centre (ACSC).
Commercial and government gateway services selected by the Australian Cyber Security Centre (ACSC) undergo a joint security assessment by ACSC and Infosec Registered Assessors Program (IRAP) assessors at least every 24 months.

Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months.

Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services.

Systems processing, storing or communicating Australian, AUSTEO or AGAO data remain at all times in a data center residing in Australia, under the control of an Australian national working for or on behalf of the Australian Government.

AUSTEO or AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorized by the Australian Government.

If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation.

When developing a Microsoft Windows SOE (Standard Operating Environment), the 64-bit version of the operating system is used.

ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems.
The use of Microsoft operating systems and Microsoft supported applications abides by the following best practices:

• If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures.
• If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers.
• The PowerShell version is higher than 2.0 and PowerShell is configured to Constrained Language Mode.
• PowerShell is configured to use module logging, script block logging and transcription functionality.
• PowerShell script block logs are protected by Protected Event Logging functionality.
• If supported, Microsoft’s Attack Surface Reduction rules are implemented.

ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers.

Web browsers are configured to block or disable Java, Flash, and web advertisements.

Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled.

The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organization approved add-ons.

Microsoft Office products installed on workstations follow the following best practice configurations:

• Microsoft Office is configured to prevent activation of Object Linking and Embedding packages, and is configured to disable Flash content.
• Only privileged users responsible for validating that
Microsoft Office macros are free of malicious code can
write to and modify content within Trusted Locations.
• Microsoft Office macros in documents originating from
the internet are blocked.
• Microsoft Office macro security settings cannot be
changed by users.
Applications and operating systems that are no longer
supported are updated or replaced with vendor-
supported versions.

If applicable, a formal inventory of authorized RF (radio frequency) and IR (infrared) devices in SECRET and TOP SECRET areas is maintained and regularly audited. Unauthorized RF devices are not allowed to be brought into SECRET and TOP SECRET areas.

If applicable, security measures are used to detect and respond to unauthorized RF devices in SECRET and TOP SECRET areas.

If applicable, Bluetooth and wireless keyboards are not used unless in an RF screened building.

If applicable, when using infrared keyboards, the following activities are prevented:
• infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space.
• multiple infrared keyboards for different systems being used in the same area
• other infrared devices being used in the same area
• infrared keyboards operating in areas with unprotected windows.
If applicable, cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority.

If applicable, fiber-optic cables are used for cabling infrastructure instead of copper cables.
If applicable, a cable register is maintained and
regularly audited. The register contains the following
for each cable:
• cable identifier
• cable colour
• sensitivity/classification
• source
• destination
• location
• seal numbers (if applicable).

Note: Building management cables are labelled with their purpose in black writing on a yellow background at least 2.5cm x 1cm large. These labels are attached at 5 meter intervals.

If applicable, floor plan diagrams are maintained and regularly audited. Floor plan diagrams contain the following:
• cable paths (including ingress and egress points
between floors)
• cable reticulation system and conduit paths
• floor concentration boxes
• wall outlet boxes
• network cabinets.
If applicable, cables are labelled at inspection points with the following requirements:

• Foreign systems' cables installed in Australian facilities are labelled.
• Top Secret level information system's cables are Red
and are fully inspectable for their entire length. Labels
for TOP SECRET conduits are a minimum size of 2.5 cm
x 1 cm, attached at five-metre intervals and marked as
‘TS RUN’.
• Secret level information system's cables are Salmon
Pink and are fully inspectable for their entire length.
• All other information systems' cables (OFFICIAL level and PROTECTED level information systems) are color coded using any color other than Red (Top Secret) and Salmon Pink (Secret).
• Non-conforming cable colors are banded with appropriate cable colors and are labeled at inspection points.
• Building management cables are labelled with their purpose in black writing on a yellow background at least 2.5cm x 1cm large. These labels are attached at 5 meter intervals.
• Cables in non-shared government buildings are
inspectable every 5 meters.

If applicable, fiber optic cables abide by the following requirements:
• Fibers in the sheath only carry a single cable group
based on the information protection level of the
information system. (Top Secret, Secret, Official, and
Protected)
• For Fiber cables containing subunits, each subunit
only carries cables from a single cable group.

If applicable, cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups.

If applicable, in shared facilities, cables are run in an enclosed cable reticulation system.
If applicable, in shared facilities, conduits or the front
covers of ducts, cable trays in floors and ceilings, and
associated fittings are clear plastic.

If applicable, in shared facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems.
If applicable, in shared facilities, a visible smear of
conduit glue is used to seal all plastic conduit joints and
TOP SECRET conduit runs connected by threaded lock
nuts.

If applicable, in shared facilities, TOP SECRET cables are not run in party walls.
If applicable, in shared government facilities, where
wall penetrations exit a TOP SECRET area into a lower
classified space, TOP SECRET cables are encased in
conduit with all gaps between the TOP SECRET conduit
and the wall filled with an appropriate sealing
compound.
If applicable, in shared non-government facilities,
where wall penetrations exit into a lower classified
space, cables are encased in conduit with all gaps
between the conduit and the wall filled with an
appropriate sealing compound.

If applicable, cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.
If applicable, wall outlet boxes have connectors on
opposite sides of the wall outlet box if the cable group
contains cables belonging to different systems.

If applicable, cabling boxes follow the following requirements:

• Different cable groups do not share a wall outlet box.
• Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.
• OFFICIAL and PROTECTED wall outlet boxes are
colored neither salmon pink nor red.
• Wall outlet box covers are clear plastic.
• SECRET wall outlet boxes are colored salmon pink.
• TOP SECRET wall outlet boxes are colored red.

If TOP SECRET fiber-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier.

If applicable, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet.

If applicable, in TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet.

If applicable, in TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet.
If applicable, cables are terminated in individual
cabinets; or for small systems, one cabinet with a
division plate to delineate cable groups.

If applicable, TOP SECRET cables are terminated in an individual TOP SECRET cabinet.
If applicable, different cable groups do not terminate on
the same patch panel.
If applicable, there is a visible gap between TOP
SECRET cabinets and cabinets of lower classifications.
If applicable, TOP SECRET and non-TOP SECRET patch
panels are physically separated by installing them in
separate cabinets.

Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:
• a physical barrier in the cabinet is provided to
separate patch panels
• only personnel holding a Positive Vetting security
clearance have access to the cabinet
• approval from the TOP SECRET system’s authorizing
officer is obtained prior to installation.

When penetrating a TOP SECRET audio secured room, ASIO (Australian Security Intelligence Organization) is consulted and all directions provided are complied with.

If applicable, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.

If applicable, in TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.

If applicable, system owners deploying SECRET or TOP SECRET systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.

If applicable, system owners deploying OFFICIAL or PROTECTED systems with RF transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
If applicable, system owners deploying SECRET or TOP
SECRET systems in shared facilities contact the ACSC
for an emanation security threat assessment and
implement any additional installation criteria derived
from the emanation security threat assessment.

If applicable, system owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice.
If applicable, System owners deploying systems or
military platforms overseas contact the ACSC for an
emanation security threat assessment and implement
any additional installation criteria derived from the
emanation security threat assessment.

An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications.

If applicable, ICT (Information and Computer Technology) equipment meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility.

A Telephone Systems policy exists and covers the following requirements:

• Personnel are made aware of the sensitivity of information that they may discuss, along with their classification levels.
• Personnel are made aware of security risks of non-
secure lines.
• Telephone lines that permit different levels of
conversation have a visual indicator.
• Telephone systems used for sensitive or classified
conversations encrypt all traffic that passes over
external systems.
• Cordless telephone systems are not used for sensitive
or classified conversations.
• Traditional analog phones are used in public areas.
Telephone systems are configured to meet the following requirements based on the classification of information able to be discussed:

• Speakerphones are not used in TOP SECRET areas unless the telephone system is located in a room rated as audio secure and only personnel involved in discussions are present in the room.
• In TOP SECRET areas, push-to-talk handsets or push-
to-talk headsets are used on all telephones that are not
authorized for the transmission of TOP SECRET
information.
• In SECRET and TOP SECRET areas, push-to-talk
handsets or push-to-talk headsets are used to meet any
off-hook audio protection requirements.
• Off-hook audio protection features are used on
telephone systems in areas where background
conversations may exceed the sensitivity or
classification that the telephone system is authorized
for communicating.
• IP phone and video conferencing workstations match
the data classification level of their area.
• Microphones (including headsets and USB handsets)
and webcams are not used with non-SECRET
workstations in SECRET areas or non-TOP SECRET
workstations in TOP SECRET areas.

When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures.

High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC. High assurance ICT is only operated in an evaluated configuration.

An ICT equipment management policy is developed and implemented.
ICT equipment is classified based on the highest
sensitivity or classification of data that it is approved
for processing, storing or communicating.

ICT equipment and media are labelled with protective markings reflecting their sensitivity or classification.

The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment.
ICT equipment is handled in a manner suitable for its
sensitivity or classification.

The ACSC’s approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment.

If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:
• is appropriately cleared and briefed
• takes due care to ensure that data is not disclosed
• takes all responsible measures to ensure the integrity
of the ICT equipment
• has the authority to direct the technician
• is sufficiently familiar with the ICT equipment to
understand the work being performed.

Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorized modifications have taken place.

Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal.

When disposing of ICT equipment that has been designed or modified to meet emanation security standards, the ACSC is contacted for requirements relating to its secure disposal.

ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO data is sanitized in situ.

ICT equipment, including associated media, that is located overseas and has processed, stored, or communicated AUSTEO or AGAO data that cannot be sanitized in situ is returned to Australia for destruction.

At least three pages of random text with no blank areas are printed on each color printer cartridge or MFD print drum.
MFD print drums and image transfer rollers are
inspected and destroyed if there is remnant toner
which cannot be removed or if a print is visible on the
image transfer roller.

Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen.
Printers, MFDs, and fax machines are checked to
ensure no pages are trapped in the paper path due to a
paper jam.

When unable to sanitize printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices.

Printer ribbons in printers and MFDs are removed and destroyed.
Televisions and computer monitors with minor burn-in
or image persistence are sanitized by displaying a solid
white image on the screen for an extended period of
time.

Televisions and computer monitors that cannot be sanitized are destroyed.
Memory in network devices is sanitized using the
following processes, in order of preference:
• following device-specific guidance in evaluation
documentation provided by the ACSC
• following vendor sanitization guidance
• loading a dummy configuration file, performing a
factory reset and then reinstalling firmware.

The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed.

When transferring data manually between two systems belonging to different security domains, rewritable media is sanitized after each data transfer.

If applicable, volatile media is sanitized by removing power from the media for at least 10 minutes.
If applicable, SECRET and TOP SECRET volatile media is
sanitized by overwriting it at least once in its entirety
with a random pattern followed by a read back for
verification.

If applicable, the host-protected area and device configuration overlay table of non-volatile magnetic hard drives is reset prior to sanitization.

If applicable, non-volatile magnetic media is sanitized by overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification.

The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten.
If applicable, non-volatile EPROM media is sanitized by
applying three times the manufacturer’s specified
ultraviolet erasure time and then overwriting it at least
once in its entirety with a random pattern followed by a
read back for verification. Non-volatile EEPROM media
is sanitized by overwriting it at least once in its entirety
with a random pattern followed by a read back for
verification.

Non-volatile flash memory media is sanitized by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification.
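The overwrite-and-verify sanitization pattern used by the volatile, magnetic, EPROM/EEPROM and flash controls above is shown below as added Python example code; it is not part of the Cisco CCF or of the control text. It simulates the media with a temporary file, selects the pass count from the rules stated in the text, and regenerates the random pattern from a per-pass seed so the read-back can be checked byte for byte. Resetting the HPA/DCO and issuing ATA secure erase, which the text also requires for magnetic drives, are outside this simulation.

```python
# Added example (not Cisco CCF or control text): the overwrite-and-verify
# pattern described above, simulated on a temporary file standing in for a
# block device. Pass counts follow the rules in the text for each media type.
# A real sanitizer also resets HPA/DCO and issues ATA secure erase as the text
# requires; that is outside this simulation.
import os
import random
import secrets
import tempfile

CHUNK = 1 << 20  # bytes written and read back per step


def required_passes(media: str, year: int = 2024, capacity_gb: float = 1000) -> int:
    """Minimum overwrite passes per media type, as stated in the text."""
    if media == "volatile":        # SECRET / TOP SECRET volatile media
        return 1
    if media == "magnetic":        # pre-2001 or under 15 GB drives: three passes
        return 3 if (year < 2001 or capacity_gb < 15) else 1
    if media == "flash":
        return 2
    if media in ("eprom", "eeprom"):  # EPROM only after the UV erasure step
        return 1
    raise ValueError(f"no overwrite rule for media type {media!r}")


def _pattern(seed: bytes, size: int):
    """Yield (offset, block) of a random pattern reproducible from `seed`,
    so the verification pass can regenerate exactly what was written."""
    rng = random.Random(seed)
    for offset in range(0, size, CHUNK):
        yield offset, rng.randbytes(min(CHUNK, size - offset))


def overwrite_and_verify(path: str, passes: int) -> bool:
    """Overwrite every byte `passes` times with a fresh random pattern, reading
    back after each pass. Returns False on the first verification mismatch."""
    size = os.path.getsize(path)
    for _ in range(passes):
        seed = secrets.token_bytes(32)
        with open(path, "r+b") as fh:
            for offset, block in _pattern(seed, size):
                fh.seek(offset)
                fh.write(block)
            fh.flush()
            os.fsync(fh.fileno())
        with open(path, "rb") as fh:
            for _offset, block in _pattern(seed, size):
                if fh.read(len(block)) != block:
                    return False
    return True


def sanitize_sample(media: str = "flash") -> dict:
    """Constructed demo: a file seeded with a known marker; after sanitization
    the marker must be gone and every pass must have verified."""
    marker = b"SECRET PAYLOAD " * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker + os.urandom(2 * CHUNK + 123))
        path = tmp.name
    try:
        passes = required_passes(media)
        verified = overwrite_and_verify(path, passes)
        with open(path, "rb") as fh:
            residue = b"SECRET PAYLOAD" in fh.read()
        return {"passes": passes, "verified": verified, "residue": residue}
    finally:
        os.remove(path)
```

The seed is drawn from `secrets` so each pass writes a different unpredictable pattern, while the deterministic `random.Random(seed)` stream lets the read-back compare against the exact bytes written without holding a copy of the whole device in memory.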
The following media types are destroyed prior to
disposal:
• microfiche and microfilm
• optical discs/semiconductor memory (using either
furnace/incinerator, hammer mill, disintegrator,
grinder/sander or cutting destruction methods.)
• programmable read-only memory
• read-only memory
• other types of media that cannot be sanitized
• faulty media that cannot be successfully sanitized.

SCEC or ASIO approved equipment is used when destroying media.

If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used.
If applicable, equipment that is capable of reducing
microform to a fine powder, with resultant particles not
showing more than five consecutive characters per
particle upon microscopic inspection, is used to destroy
microfiche and microfilm.

Media destroyed using either a hammer mill, disintegrator, grinder/sander or cutting destruction method result in media waste particles no larger than 9 mm.

Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic orientation.

A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used.
Any product-specific directions provided by degausser
manufacturers are followed.

If applicable, following destruction of magnetic media (floppy disks, hard disks, tapes) using degausser destruction methods, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal using either furnace/incinerator, hammer mill, disintegrator, or cutting destruction methods.

If applicable, the destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed.

If applicable, the destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed.
If applicable, when outsourcing the destruction of
media to an external destruction service, a National
Association for Information Destruction AAA certified
destruction service with endorsements, as specified in
ASIO’s PSC-167, is used.

The destruction of media storing accountable material is not outsourced.

Following sanitization, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.

Labels and markings indicating the sensitivity, classification, owner or any other marking that can associate media with its original use, are removed prior to disposal.
Standard operating environments are used for all
workstations and are scanned for malicious content and
configurations before use. These environments are
reviewed and updated at least annually.

Personnel who are contractors are identified as such.

Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality.

Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them.
Foreign nationals, excluding seconded foreign
nationals, do not have access to systems that process,
store or communicate AGAO data unless effective
security controls are in place to ensure such data is not
accessible to them.

Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories.

Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data.
Foreign nationals, excluding seconded foreign
nationals, do not have privileged access to systems
that process, store or communicate AGAO data.

Upon identifying malicious activities, access to systems, applications and data repositories is removed or suspended within 24 hours.
A secure record is maintained for the life of each
system covering:
• all personnel authorized to access the system, and
their user identification
• who provided authorization for access
• when access was granted
• the level of access that was granted
• when access, and the level of access, was last
reviewed
• when the level of access was changed, and to what
extent (if applicable)
• when access was withdrawn (if applicable).

When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties.

Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.
If applicable, a method of emergency access to systems
is documented and tested at least once when initially
implemented, and each time fundamental information
technology infrastructure changes occur.

Break glass accounts are only used when normal authentication processes cannot be used and only for specific authorized activities. Use of the break glass account is monitored and audited to confirm that access was appropriate. Once access is no longer required, the access credentials for the break glass account are updated to prevent unauthorized access. Once credentials are changed, the break glass account access is tested.

Passwords used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.
Service accounts are created as group Managed Service Accounts.

Authentication methods susceptible to replay attacks are disabled.

LAN Manager and NT LAN Manager authentication methods are disabled.

Privileged accounts are members of the Protected Users security group.

Credentials are stored separately from systems to which they grant access.

Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched.
Passwords/passphrases are changed if:
• they are directly compromised
• they are suspected of being compromised
• they appear in online data breach databases
• they are discovered stored in the clear on a network
• they are discovered being transferred in the clear
across a network
• membership of a shared account changes
• they have not been changed in the past 12 months.

A system administration process, with supporting system administration procedures, is developed and implemented.

Privileged users use separate privileged and unprivileged operating environments for performing tasks.

Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations.
File-based access controls are applied to database files.

Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm.

Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access.

Access to systems, data repositories, and applications is automatically disabled after 45 days of inactivity.

When accessing an organization's network via a VPN connection, split tunnelling is disabled.

Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot modify, delete, or access other accounts' backups or their own account's backups.

Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorized as such by an organization's Chief Information Security Officer.

Access changes and changes to privileged accounts and groups are logged.
Backup administrators (excluding backup break glass
accounts), are prevented from modifying or deleting
backups.

Privileged service accounts are prevented from accessing the internet, email and web services.

Privileged operating environments are not virtualized within unprivileged operating environments.

Privileged access to systems, data repositories, and applications is automatically disabled after 12 months unless revalidated.

Passphrases used for single-factor authentication have the following requirements:
- minimum of 14 characters with complexity, ideally as
4 random words.
- on SECRET systems are at least 5 random words with
a total minimum length of 17 characters.
- on TOP SECRET systems are at least 6 random words
with a total minimum length of 20 characters.
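The passphrase tiers just listed, together with the earlier controls that stored passwords/passphrases are hashed, salted and stretched and that database passphrases are hashed with a uniquely salted approved algorithm, are illustrated by the following added Python example. It is not part of the Cisco CCF or of the control text. It uses PBKDF2-HMAC-SHA256 from the standard library as the stretching construction; the iteration count, the whitespace word separator and the character-class complexity rule for the base tier are assumptions made for the example.

```python
# Added example (not Cisco CCF or control text): a passphrase policy check
# for the three tiers listed above, plus hashed, salted and stretched storage
# (PBKDF2-HMAC-SHA256 from the standard library). The iteration count, the
# whitespace word separator and the complexity rule are assumptions.
import hashlib
import hmac
import secrets
from typing import Optional

# (minimum words, minimum total characters) per system classification
PASSPHRASE_POLICY = {
    "OFFICIAL": (4, 14),
    "SECRET": (5, 17),
    "TOP SECRET": (6, 20),
}
PBKDF2_ITERATIONS = 600_000   # stretching work factor (assumption)


def _has_complexity(passphrase: str) -> bool:
    """Three of four character classes, used only for the base tier."""
    classes = (any(c.islower() for c in passphrase),
               any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase))
    return sum(classes) >= 3


def check_passphrase(passphrase: str, classification: str = "OFFICIAL") -> list:
    """Return the list of policy failures; an empty list means compliant."""
    min_words, min_chars = PASSPHRASE_POLICY[classification]
    words = passphrase.split()
    failures = []
    if len(passphrase) < min_chars:
        failures.append(f"shorter than {min_chars} characters")
    if classification == "OFFICIAL":
        # base tier: 14+ characters with complexity, or the 4-word form
        if len(words) < min_words and not _has_complexity(passphrase):
            failures.append(f"fewer than {min_words} words and lacks complexity")
    elif len(words) < min_words:
        failures.append(f"fewer than {min_words} words")
    if len({w.lower() for w in words}) < len(words):
        failures.append("repeated words")
    return failures


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> str:
    """Store as 'iterations$salt_hex$digest_hex' with a unique 16-byte salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

Storing the iteration count with each record lets the work factor be raised later without invalidating existing hashes, and the per-record random salt is what makes two users with the same passphrase produce different stored values.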

A media management policy is developed and implemented.
A removable media usage policy is developed and
implemented.
Any media connected to a system with a higher
sensitivity or classification than the media is
reclassified to the higher sensitivity or classification,
unless the media is read-only or the system has a
mechanism through which read-only access can be
ensured.

In order to reclassify media to a lower sensitivity or classification, the media is sanitised (unless the media is read-only) and a formal administrative decision (in consultation with data owners) is made to reclassify the media.

All data stored on media is encrypted.

Media is only used with systems that are authorized to process, store or communicate the sensitivity or classification of the media.

Any automatic execution features for media are disabled in the operating system of systems.
Removable media is prevented from being written to
via the use of device access control software if there is
no business requirement for its use.

When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured.

Where a consumer guide for evaluated encryption software exists, the sanitization and post-sanitization requirements stated in the consumer guide are followed.

Operating system hardening practices are performed. Practices include:

• Unused operating system accounts are disabled.
• Standard user roles do not have elevated privileges to modify security functionality or execute PowerShell and other scripting tools.
• Scripting tools and code execution is disabled for
applications installed on all workstations and servers
unless authorized.
• Local administrator accounts are disabled.
• Unique domain accounts with local administrator
access are used to make workstation and server
changes.
If applicable, application controls are implemented and
follow the following best practices;

• Application controls are implemented using cryptographic hash rules, publisher certificate rules or path rules and are validated at least annually.
• Users (other than privileged users) are not exempt and cannot change or remove application controls.

If applicable, when implementing application control using publisher certificate rules, both publisher names and product names are used.

If applicable, application control is configured to generate event logs for failed execution attempts, including the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file.

A Host-based Intrusion Prevention System is installed on all workstations and high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers.

External interfaces of workstations and servers that allow DMA are disabled.

If applicable, when using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism.
If applicable, when using a software-based isolation mechanism to share a physical server’s hardware for SECRET or TOP SECRET workloads, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain.

If applicable, encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organization wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive data.

If applicable, encryption software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.

HACE (High Assurance Cryptographic Equipment) is used when encrypting media that contains SECRET or TOP SECRET data.

HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition.
In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO data when at rest on a system.

Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive data over public network infrastructure and through unsecured spaces.

Cryptographic equipment or encryption software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.

In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO data when communicated across network infrastructure.
Only AACAs (ASD Approved Cryptographic Algorithms) or high assurance cryptographic algorithms are used by cryptographic equipment and software.

If applicable, ECDH and ECDSA are used in preference to DH and DSA.

If applicable, when using DH for agreeing on encryption session keys:
- a modulus of at least 2048 bits is used.
- a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.

If applicable, when using DSA for digital signatures:
- a modulus of at least 2048 bits is used.
- a modulus and associated parameters are generated according to FIPS 186-4.

If applicable, when using elliptic curve cryptography, a curve from FIPS 186-4 is used.

If applicable, when using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used.

If applicable, when using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used.

When using RSA for digital signatures and session keys, a modulus of at least 2048 bits is used, and the key pair used for passing encrypted session keys is different from the key pair used for digital signatures.
Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.

If applicable, 3DES is used with three distinct keys.

If applicable, AACAs used by HACE are implemented in an ASD approved configuration, with preference given to CNSA Suite algorithms and key sizes.

If applicable, preference is given to using the CNSA Suite algorithms and key sizes.

Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software.

If applicable, when using Transport Layer Security, communication systems follow these requirements:
- The latest version of TLS is used.
- AES in Galois Counter Mode is used for symmetric encryption.
- Only server-initiated secure renegotiation is used.
- DH or ECDH is used for key establishment. The ephemeral variant is used and anonymous DH is not used.
- SHA-2-based certificates are used.
- Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function.
- PFS is used for TLS connections.
- TLS compression is disabled.
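The TLS requirements above expressed as a Python `ssl` context, together with a checker that reports deviations from them. This is an added example, not code from the CCF or from any of the frameworks it maps; `harden_tls_context`, `permissive_tls_context` and `check_tls_context` are names chosen here, and it assumes Python 3.8 or later linked against OpenSSL 1.1.1 or later. Python's `ssl` module has no binding for restricting TLS 1.3 ciphersuites, so the checker enforces the AES-GCM / authenticated ephemeral (EC)DH / SHA-2 rule on the TLS 1.2 suites and leaves the TLS 1.3 suites as OpenSSL ships them (those may include ChaCha20-Poly1305; restrict it in the OpenSSL configuration or the server's own settings where AES-GCM only is required).

```python
import ssl

# OpenSSL cipher string for the TLS 1.2 suites: AES-GCM only, authenticated
# ephemeral (EC)DH only (no anonymous DH, no PSK/SRP), no SHA-1 or MD5.
TLS12_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!PSK:!SRP:!MD5:!SHA1"


def harden_tls_context(server_side=True):
    """Build an SSLContext that follows the TLS requirements listed above."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    # "The latest version of TLS is used": refuse anything below TLS 1.3.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    # The TLS 1.2 list only matters if minimum_version is later lowered, but
    # setting it keeps a relaxed context within the cipher rule.
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION          # "TLS compression is disabled"
    if server_side:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def permissive_tls_context():
    """The 'before' configuration: every suite OpenSSL knows, TLS 1.2 allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ALL")
    return ctx


def check_tls_context(ctx):
    """Return a list of policy deviations for ctx; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are enabled")
    if (ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED
            and ctx.maximum_version < ssl.TLSVersion.TLSv1_3):
        findings.append("TLS 1.3 is not permitted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    for c in ctx.get_ciphers():
        if c.get("protocol") != "TLSv1.2":
            continue  # TLS 1.3 suites are AEAD with ephemeral (EC)DH by design
        name, sym = c["name"], str(c.get("symmetric") or "")
        if not (c.get("aead") and sym.startswith("aes-") and sym.endswith("-gcm")):
            findings.append(f"{name}: symmetric cipher is not AES-GCM")
        if c.get("kea") not in ("kx-ecdhe", "kx-dhe"):
            findings.append(f"{name}: key exchange is not ephemeral (EC)DH")
        if c.get("auth") == "auth-null":
            findings.append(f"{name}: anonymous key exchange")
        if not name.endswith(("SHA256", "SHA384")):
            findings.append(f"{name}: MAC/PRF is not SHA-2")
    return findings


if __name__ == "__main__":
    print("hardened:", check_tls_context(harden_tls_context()) or "compliant")
    for finding in check_tls_context(permissive_tls_context()):
        print("permissive:", finding)
```

`get_ciphers()` reports the suites the context will offer regardless of `minimum_version`, so the TLS 1.2 list is audited even on a context that currently refuses TLS 1.2; that is deliberate, since an operator lowering the floor later should not silently re-enable CBC or RSA key transport.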
SSH deployments have SSH version 1 disabled and use public key-based authentication for connections. When SSH-agent or similar key caching programs are used, they are used only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required.

If applicable, the following configuration settings are implemented for the SSH daemon:
• only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
• have a suitable login banner (Banner x)
• have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)
• disable host-based authentication (HostbasedAuthentication no)
• disable rhosts-based authentication (IgnoreRhosts yes)
• disable the ability to log in directly as root (PermitRootLogin no)
• disable empty passwords (PermitEmptyPasswords no)
• disable connection forwarding (AllowTcpForwarding no)
• disable gateway ports (GatewayPorts no)
• disable X11 forwarding (X11Forwarding no).
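An added audit script for the sshd settings listed above (example code, not part of the CCF or of OpenSSH). It parses an `sshd_config`, applies OpenSSH's rule that the first value read for a keyword wins, falls back to the OpenSSH 7.6+ compiled-in defaults for keywords the file omits, and reports every deviation from the list. `SAMPLE_CONFIG` and `HARDENED_CONFIG` are constructed here rather than taken from a real host; `ListenAddress` is checked for presence only because the required interface is site-specific, and directives inside `Match` blocks are flagged rather than evaluated.

```python
import re

# OpenSSH compiled-in defaults (OpenSSH 7.6+, which no longer supports protocol 1)
# for the audited keywords; used when the file does not set the keyword.
DEFAULTS = {
    "banner": "none", "logingracetime": "120", "hostbasedauthentication": "no",
    "ignorerhosts": "yes", "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no", "allowtcpforwarding": "yes",
    "gatewayports": "no", "x11forwarding": "no", "pubkeyauthentication": "yes",
}

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def _seconds(value):
    """Parse an sshd time value such as '60', '2m' or '1h'; None if malformed."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value)
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None


# keyword -> (display name, predicate on the lower-cased effective value, expectation)
# LoginGraceTime 0 disables the limit entirely, so it is a finding too.
POLICY = {
    "banner": ("Banner", lambda v: v != "none", "a banner file"),
    "logingracetime": ("LoginGraceTime", lambda v: 0 < (_seconds(v) or 0) <= 60, "60 or less"),
    "hostbasedauthentication": ("HostbasedAuthentication", lambda v: v == "no", "no"),
    "ignorerhosts": ("IgnoreRhosts", lambda v: v == "yes", "yes"),
    "permitrootlogin": ("PermitRootLogin", lambda v: v == "no", "no"),
    "permitemptypasswords": ("PermitEmptyPasswords", lambda v: v == "no", "no"),
    "allowtcpforwarding": ("AllowTcpForwarding", lambda v: v == "no", "no"),
    "gatewayports": ("GatewayPorts", lambda v: v == "no", "no"),
    "x11forwarding": ("X11Forwarding", lambda v: v == "no", "no"),
    "pubkeyauthentication": ("PubkeyAuthentication", lambda v: v == "yes", "yes"),
}


def parse_sshd_config(text):
    """Return (global settings, ListenAddress list, saw_match_block).

    sshd keeps the FIRST value it reads for a keyword, so later duplicates are
    ignored here as well. Keywords are case-insensitive and may be separated
    from their value by whitespace or '='. Everything after a Match line is
    conditional and is not folded into the global view.
    """
    settings, listen, saw_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            saw_match = True
            continue
        if saw_match:
            continue
        if key == "listenaddress":
            listen.append(value)
        else:
            settings.setdefault(key, value)
    return settings, listen, saw_match


def audit_sshd_config(text):
    """Return the list of deviations from the required settings (empty = compliant)."""
    settings, listen, saw_match = parse_sshd_config(text)
    findings = []
    if not listen:
        findings.append("ListenAddress: not set, sshd will listen on every interface")
    if "1" in settings.get("protocol", "2").replace(" ", "").split(","):
        findings.append("Protocol: SSH version 1 is enabled")
    for key, (name, ok, expected) in POLICY.items():
        value = settings.get(key, DEFAULTS[key])
        if not ok(value.lower()):
            findings.append(f"{name}: is '{value}', expected {expected}")
    if saw_match:
        findings.append("Match block(s) present: conditional overrides were not evaluated")
    return findings


SAMPLE_CONFIG = """\
# Constructed example, not from a real host.
Port 22
Protocol 2
Banner /etc/issue.net
LoginGraceTime 2m
PermitRootLogin yes
PermitRootLogin no          # ignored: sshd already took 'yes' above
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding no
"""

HARDENED_CONFIG = """\
ListenAddress 192.0.2.10
Banner /etc/issue.net
LoginGraceTime 60
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; on a host that uses `Include` drop-ins the included files must be concatenated in the order sshd reads them, or the first-value rule gives a wrong answer.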

If applicable, versions of Secure/Multipurpose Internet Mail Extension (S/MIME) earlier than 3.0 are not used.
If applicable, IPsec configuration and usage abide by these requirements:
- Tunnel mode is used for IPsec connections; if transport mode is used, an IP tunnel is used. PFS is used for all IPsec connections.
- The ESP protocol is used for IPsec connections.
- IKE is used for key exchange when establishing an IPsec connection. If using ISAKMP in IKE version 1, aggressive mode is disabled.
- A security association lifetime of less than four hours (14400 seconds) is used.
- HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as the HMAC algorithm.
- The largest modulus size possible for all relevant components in the network is used when conducting a key exchange.
- XAuth is disabled for IPsec connections using IKE version 1.

All communications security and equipment-specific doctrine produced by the ACSC for the management and use of HACE is complied with.
If applicable, cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the data the cryptographic equipment processes.

Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area.

A list of allowed content types is implemented. The integrity of content is verified where applicable and blocked if verification fails. If data is signed, the signature is validated before the data is exported.

All encrypted content, traffic and data is decrypted and inspected to allow content filtering.

If applicable, an evaluated peripheral switch is used when sharing peripherals between systems.
An evaluated peripheral switch used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems completes a high assurance evaluation.

If applicable, an evaluated peripheral switch used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably completes a high assurance evaluation.

If applicable, an evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains.

If applicable, an evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO data and a system of the same classification that is not authorized to process the same caveat.

When exporting data from a SECRET or TOP SECRET system, the following activities are undertaken:
• protective marking checks
• data format checks and logging
• monitoring to detect overuse/unusual usage patterns
• limitations on data types and sizes
• keyword searches on all textual data.

A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems.
When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator.

Data transfer logs are used to record all data imports and exports from systems. Transfer logs are fully and partially audited at least monthly.

Partial restoration of backups is tested on a quarterly basis, and full restoration of backups is tested initially and each time a fundamental information technology infrastructure change occurs.

Backups are stored offline or in a non-writable manner and are stored at multiple geographically dispersed locations.

Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication.

DNS and proxy logs are retained for at least 18 months.

Policies governing event logs are communicated and reviewed periodically. Revision histories and review periods are defined within the policies themselves and [The Organization]'s Policy Governance Policy.

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, operating systems of workstations and servers and network devices, and security products.

When identified, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage.

Unauthorized removable media and devices are prevented from being connected to workstations and servers via the use of device access control software or by disabling external communication interfaces in operating systems.

The resulting media waste particles from the destruction of TOP SECRET media are stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm.

Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.
Where applicable, internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

When identified, planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised.

The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD Approved Cryptographic Protocol.
The resulting media waste particles from the destruction of SECRET media are stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm.

PDF software is blocked from creating child processes.

Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services, office productivity suites, web browsers, extensions, email clients, PDF software, operating systems of workstations and internet-facing services, and security products are applied within two weeks of release, or within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month.

Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned.

Microsoft’s ‘recommended driver block rules’ are implemented.

Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View. The list of trusted publishers is validated on an annual basis.
Microsoft Office macros can only be executed by authorized users with a valid business requirement, and only macros that run from a trusted location and are issued by a trusted publisher are allowed to execute.

Microsoft Office macros are blocked from making Win32 API calls.

Microsoft Office macro event logs are centrally stored and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Microsoft Office macro antivirus scanning is enabled.

Microsoft Office is blocked from creating child processes, creating executable content, and injecting code into other processes.

Internet Explorer 11 is prohibited from being used.

If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.

Execution of drivers, executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is limited to an organization-approved set.
Electrostatic memory devices are destroyed using either furnace/incinerator, hammer mill, disintegrator or grinder/sander destruction methods.

Blocked PowerShell script executions are logged, and event logs are centrally stored and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Allowed and blocked Microsoft Office macro executions are logged.

All data transferred from a SECRET or TOP SECRET system to any other system is reviewed and approved by a trusted source.

A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services and the corresponding operating systems.

A software bill of materials is produced and made available to consumers of software.
A ‘security.txt’ file is hosted for all internet-facing organizational domains to assist in the responsible disclosure of security vulnerabilities in the organization's products and services.
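An added validator for the `security.txt` file (example code, not part of the CCF). It applies the RFC 9116 rules that decide whether a disclosure actually reaches someone: `Contact` is present and uses a `mailto:`, `tel:` or `https:` URI; `Expires` is present exactly once, carries a timezone offset and has not passed (with the RFC's recommendation that it be under a year away); `Preferred-Languages` appears at most once; and web URIs use https. `GOOD_FILE`, `BAD_FILE` and the fixed `CHECK_TIME` are constructed here so the check runs offline and reproducibly; in production the text is fetched from `https://<domain>/.well-known/security.txt` and checked against the current time.

```python
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
WEB_URI_FIELDS = ("canonical", "policy", "acknowledgments", "hiring", "encryption")


def parse_security_txt(text):
    """Map lower-cased field names to the list of values seen, in file order."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now):
    """Return the list of RFC 9116 problems found; an empty list means the file is usable."""
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: required field is missing")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact: {c!r} is not a mailto:, tel: or https: URI")

    for name in ("expires", "preferred-languages"):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name}: must not appear more than once")

    expires = fields.get("expires")
    if not expires:
        problems.append("Expires: required field is missing")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            when = None
        if when is None or when.tzinfo is None:
            problems.append(f"Expires: {expires[0]!r} is not an RFC 3339 date-time with offset")
        elif when <= now:
            problems.append("Expires: the file has expired and must not be relied on")
        elif when - now > timedelta(days=365):
            problems.append("Expires: more than a year away (RFC 9116 recommends less)")

    for name in WEB_URI_FIELDS:
        for v in fields.get(name, []):
            if v.lower().startswith("http://"):
                problems.append(f"{name}: {v!r} must use https, not http")
    return problems


# Fixed 'now' so the results below are reproducible (constructed, not a real clock).
CHECK_TIME = datetime(2030, 6, 1, tzinfo=timezone.utc)

GOOD_FILE = """\
# Constructed example, not a real organisation's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2031-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

BAD_FILE = """\
Contact: security@example.com
Policy: http://example.com/security-policy
Expires: 2025-01-01T00:00:00Z
"""

if __name__ == "__main__":
    print("good:", validate_security_txt(GOOD_FILE, CHECK_TIME) or "no problems")
    for problem in validate_security_txt(BAD_FILE, CHECK_TIME):
        print("bad:", problem)
```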

.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
Cisco Cloud Controls Framework (CCF) Public Release V1.0
s map to various frameworks and help meet the requirements of AICPA SOC 2 Trust Services Criteria, ISO/IEC 2
ered Assessors Program (IRAP December 2020), Payment Card Industry Data Security Standard (PCI-DSS v3.2.1
of Conduct (CoC), Third-Party Cybersecurity Compliance Certificate (CCC), and The Federal Risk and Authorizat

ve compliance for multiple industry accepted security compliance standards SaaS products. The CCF is purely g
regime.

Control Narrative
1. Develop and document a procedure for performance of control self-assessments
against the CCF controls that have been implemented.
2. The self-assessment procedure shall minimally include:
• Tracking of the self-assessment in a ticketing system
• Identification of the controls to be assessed (shall include SOC 2(S/A/C) and ISO
27001 relevant controls at a minimum)
• Documentation gathering as necessary for the identified controls
• Evidence gathering in accordance with the “Control RFI” requirements of each CCF
control
• Process review session(s) by the responsible management team
• Review and approval of the audit report by the responsible management
• Identification of shortcomings and creation of separate tickets for remediation
(assigned to responsible party)
• Lessons learned meeting by the responsible management teams with an output of
updated policy and procedure to prevent control shortcomings in the future
• Store the documented procedure in a backed-up, access-controlled location

1. On a quarterly basis, perform and document a review of logs, firewall rule-sets, configuration standards, security alerts and incidents, and change management processes.
2. Ensure the review is performed at least on a quarterly basis.

1. Obtain audit procedures and ensure the document covers procedure regarding
customer-requested audits
2. Ensure procedure regarding customer-requested audits are communicated to
customers and where applicable, the mandated auditor

1. Perform application vulnerability scanning continuously to identify threats and weaknesses.
2. Remediate in accordance with the defined vulnerability management procedure.
3. Configure a quality "gate" or "gates" within the CI/CD pipeline that require security assessments to occur, so that any change with vulnerabilities is reviewed and fixed before new or changed code can be pushed into production. Perform the following assessments for new or changed code at a minimum:
1. The corporate organization Legal department documents and maintains legal and regulatory requirements. Teams shall work with the Legal department to understand the requirements that shall be met to be onboarded into the corporate and offering Legal process, if not already completed. Implementation of the procedures, architectures, technologies, and strategies that are necessary to meet the corporate legal and regulatory requirements is the responsibility of the offering. Examples include regulations such as GDPR, encryption requirements, and more.

1. Any offering with services in the EU shall review and understand European and/or international standards applicable in the EU.
2. The review and the applicable standards shall be documented.
3. Any security requirements shall be adhered to and followed for security around the product.
4. Any security certificates provided to systems, products, or equipment shall be appropriate and recognized by the National Scheme for Evaluation and Certification of Information Technology Security prior to being used.

1. Ensure Business continuity / disaster recovery planning is completed in coordination with the centralized BC / DR team.
2. Coordinate with the corporate BC / DR team to understand the requirements for developing a BC / DR plan for the products/services.
3. Contact the BC / DR team to jointly identify a BC / DR plan for the products/services that meets corporate standards.
4. Coordinate with the corporate BC / DR team to perform annual or semi-annual tests of the BC / DR plan. Review the results of the tests and update the operational continuity and business criticality of all of the assets within the required asset inventory.

1. Obtain the documented process to identify and assess applicable legal and regulatory requirements relating to the continuity of products and services. Legal and regulatory requirements include local laws and regulations of the country in which the service is provided.
2. Review and verify whether documented legal and regulatory requirements for business continuity are reviewed at least annually to ensure local legal and regulatory requirements are kept up to date for continuity and storage of its services and data.
3. Verify on a sample basis whether updates/amendments to applicable legal or regulatory requirements have been assessed by the team and the continuity requirements have been addressed.

1. Identify and complete a business impact assessment that meets corporate standards.
2. Identify all critical assets, or any significant changes that are planned.
3. Perform a business impact analysis and continuity-specific risk assessment on an annual basis for all critical assets, or when significant changes to the infrastructure occur. Review the results of the test and plan remediation or update system resources accordingly to ensure continuity of services.
4. Ensure business continuity plans are established and followed in the case of an emergency.
5. Store the documentation in an organization-approved, backed-up, access-controlled storage repository.
1. Review the BCMS document consisting of business contingency roles and responsibilities. If needed, the offering shall identify business contingency roles and responsibilities within their own team as well.
2. Identify and validate whether the documented roles and responsibilities are adequate and cover all necessary responsibilities before, during and after a crisis.
3. Verify that key stakeholders/individuals have been assigned for each specified business contingency role (e.g. Executive council, crisis management team, product/process owners, recovery teams, BCMS Head, Facility manager, third party employees, CISO, security compliance officer etc.).
4. Define, validate, and obtain evidence for communication of BCMS roles and responsibilities to the individuals assigned those roles and responsibilities.
5. Obtain evidence to check whether contact details of all individuals assigned BCMS roles and responsibilities are communicated to all applicable stakeholders/audiences.

For products pursuing Saudi CCC, the following shall be met:

1. Ensure systems used for storage, processing, monitoring, support, and disaster
recovery centers reside in KSA only
2. Verify whether all information stored is within KSA and ensure no information is
stored outside KSA

1. Any offering pursuing Spanish ENS, that host Spanish Customer Data, shall have
their systems and databases reside in the EU.
2. Any systems used for electronic identification and signature shall also reside in the
EU.
3. Data shall not be transferred out of the EU unless specific guidance and approval
has been obtained.

1. Any offering providing services to the EU shall evaluate data localization laws and
requests from any EU country.
2. A review and documentation shall be maintained confirming adherence to data
localization laws and requests from the EU.
3. If a request from an EU country is made to provide services that reside in the EU,
the offering shall have systems and databases reside in the EU.
4. Data shall not be transferred out of the EU unless specific guidance and approval
has been obtained.

1. Any offering providing services to Japan shall evaluate data localization laws and
requests from Japan.
2. A review and documentation shall be maintained confirming adherence to data
localization laws and requests from Japan.
3. If a request from Japan is made to provide services that reside in Japan, the
offering shall have systems and databases that reside in Japan.
4. Japan Data shall not be transferred out of Japan, unless specific guidance and
approval has been obtained.
1. For systems/solutions hosted on major CSPs like AWS or GCP:
• Deploy subnets in at least two availability zones. Mirror application resources across the subnets to remove single points of failure.
• Deploy elastic load balancing and configure health checks so that load balancing directs traffic to resources in the functional AZ in the case of an AZ failure.
• Deploy at least two NAT Gateways in different AZs in AWS.
• Deploy virtual machines that host or support the application redundantly in at least two subnets. This includes virtual appliances like firewalls, load balancers, proxies, etc.
1. Obtain the Log management policy/procedure.
2. Verify that the document includes legal, regulatory, contractual, leading practice and business requirements to be considered for audit logging and retention.
3. Verify that the log management procedure clearly specifies logging storage and retention requirements to ensure logs are retained for at least one year, with one year of data immediately available for analysis. If certain regulations or contractual obligations require longer retention periods, this needs to be considered as well.
4. Validate whether the log management procedure clearly specifies the controls to be put in place to prevent exceeding the storage capacity of the logging media (i.e. log archival, backups, replication).
5. Configure in-scope tools and systems to ensure that logs are captured and retained for at least one year.
6. On a sample basis, check for applicable systems/applications whether logs are collected and stored as per the documented log storage and retention schedules.
7. Validate whether logs are retained for at least one year with one year of data immediately available for analysis.
8. Audit log/record storage capacity shall be evaluated at a set cadence to ensure sufficient capacity is available.

1. Maintain a list of personnel authorized to receive audit logging failure alerts.
2. Ensure alert notifications are sent to relevant staff when the audit logging process fails.
3. Ensure logging failures are addressed in a timely manner to resume system logging.
1. Identify all production instances and assets that store customer data and personal
information.
2. For AWS, configure the AWS Backup service to centralize incremental backup
management in AWS. Configure backup plans to perform timely (daily, weekly)
backups of application data stores such as Amazon Elastic Block Store (Amazon EBS)
snapshots, Amazon Relational Database Service (Amazon RDS) snapshots, Amazon
DynamoDB backups, and AWS Storage Gateway. Additionally, use backup software
such as Veeam to perform weekly or daily full backups of data stores.
3. For GCP, configure persistent disk snapshots, cloud sql snapshots, managed
database service backups, Cloud File Storage Backups to perform daily, weekly
incremental backups. Additionally, use backup software such as Veeam to perform
weekly or daily full backups of data stores.
4. All other types of cloud services that are in use, or other assets that hold customer
data and personal information shall be configured for weekly, daily backups for data
stores. Use backup software such as Veeam to perform weekly or daily full backups
of data stores.
5. Ensure each backup is able to be used, in the case of an emergency.
6. Review backups for completion, and follow up/resolve any backups that fail. Create
a ticket for each backup that fails detailing the failure, and what resolution was
completed to resolve the failed backup.
7. A weekly/daily cadence of backups does not need to be enforced, but full backups shall occur at least monthly to reasonably ensure up-to-date data.
8. Backups are tested for restoration at least annually to validate integrity of the
data. The backup validation can be completed as part of BCDR procedures if needed.

Offerings shall identify the primary databases that support the application and host customer data. This data shall be replicated to a secondary database periodically (in real time if possible). Any database that is not replicated in real time shall have a documented rationale.

1. For systems/solutions hosted on AWS:
• Configure database software hosted on EC2 instances to replicate (asynchronously or synchronously) to a secondary instance in another availability zone using OEM provided capabilities, cron jobs, or scheduled tasks.

1. Document the backup capabilities that cloud service customers can use as guidance to configure their own backups (if applicable).
2. Verify that specifications of platform/product backup capabilities are provided to the cloud service customers.
• Verify that the following specifications are provided to the cloud service customer as applicable:
- Scope and schedule of backups
- Backup methods and data formats
- Encryption of backup data
- Retention periods for backup data
- Integrity verification of backup data
- Procedures and timescale of data restore
- Location of backup data.
3. Validate via a test customer instance how customers can view information about backup capabilities and configure backups in their own instance.
1. Ensure backups are securely stored in an alternate/secondary location from source
data

1. Ensure emails are periodically backed up.
2. Ensure alerts are configured to notify administrators if backup/replication fails or, if backups are performed manually, that a similar process is in place.
3. Ensure repeated failed backups are investigated and reviewed.

Develop and document a formal SDLC methodology. The SDLC methodology minimally includes the following phases (or similar):

1. Initiation
- Establish the need for system development or for changes to an existing system
- Begin security planning by identifying security roles and evaluating security requirements.
1. Identify any cloud service provider accounts (vendor accounts, i.e. AWS, GCP, etc.) that have direct access to the production instance. Validate that this account belongs to the vendor and that no organization developers have access.
2. Should a direct cloud service provider account exist, run an audit log of all changes made by the service account.
3. Review all changes made by the service account for appropriateness.
4. Document all details of the review in a ticket, at least quarterly, with appropriate screenshots of the audit log history pull (i.e. period of audit log, any exclusions used, filters, etc.).
5. Alternatively, changes can be reviewed on an ad-hoc basis by creating an alert configuration for every change pushed by the cloud service provider. Each change is reviewed for appropriateness.
6. Any inappropriate changes identified are immediately followed up with the service provider and remediated.
7. If a service provider account does not exist, validate that the service provider is unable to make direct changes to the production instance.
8. Review the service provider's third party assurance report (SOC report) to validate that the provider did not have any deviations that may affect the production instances.
1. Obtain Change management policy
2. Obtain asset register and identify list of changes performed for service and
supporting infrastructure
3. Ensure that changes to software components of the service are documented and
follow the SDLC methodology including mandatory testing and review.
4. Segment non-production environments from production environments.
5. Leverage the configuration management and infrastructure as code tools required
for the deployment of the system or solution to make the required updates to the
system. Updates shall not be made outside of these tools used in the change
management process in order to limit configuration drift.
6. For sample changes, validate if:
• Change tickets were created
• Sample changes are tested prior to deployment in production. Only successfully
tested changes shall be pushed to production.
• Roll back strategies for sample changes were established
• Security impact analysis is performed for sample changes
• Appropriate approvals were obtained for sample changes at various stages of
change management process
• Change process based SLAs were met for all sampled changes

1. Obtain the Change management policy.
2. Obtain the asset register and identify the list of changes performed for the service and supporting infrastructure.
3. Identify the authorized internal users who would be notified of System Changes.
4. Identify the channel(s) of formal communication/notification of System Changes to the authorized internal users. If changes are tracked through ServiceNow, those part of the change shall be notified when the change gets pushed to production.
5. Validate that change request tickets were created and appropriate internal stakeholders/users were notified.
6. Any major changes are communicated as needed to larger/broader relevant groups as well.

1. Obtain the communication policy that includes notifying customers of changes.
2. Obtain the asset register and identify the list of critical changes performed for the service and supporting infrastructure that may impact customer processes.
3. Identify the customers who will be notified of critical changes that may affect their processing.
4. Identify the channel(s) of formal communication/notification of critical changes to customers. The channel can be email, a public facing page, or an alternative communication page that notifies customers of any critical change such as patches, updates to the service, changes in location, etc. Critical changes can be categorized as any change that may affect the security, availability, confidentiality, and processing of the service.
5. Validate that change request tickets were created and customers were notified of critical changes.
6. For sample critical changes, verify that customers were formally notified (i.e. notification platform, change notification emails, providing customers with access to the change ticketing system) prior to implementing the changes.
1. Security hardening and Baseline configuration standards shall be established
2. Configuration of systems (systems can include AWS, Azure, GCP, and more) shall
be configured with the baseline configuration
3. Configure required permissions for the configuration management server.
1. Verify that the file integrity monitoring (FIM) tool is implemented. File integrity
monitoring (FIM) refers to an IT security process and technology that tests and checks
operating system (OS), database, and application software files to determine whether
or not they have been tampered with or corrupted.
2. Define baseline configurations within the FIM tool and configure the rule engine of
the tool to identify the variances in the configurations
3. These baseline configurations can be maintained in an internal wiki or a procedural document that matches the rules defined in the file integrity monitoring (FIM) tool
4. Validate that FIM tool is configured to notify system administrators of any potential
unauthorized changes to the production system
5. Verify sample notifications received by system administrators from FIM tool for
appropriateness and accuracy
6. Follow up on any unauthorized changes, and validate if they were appropriate, and
root cause of change, and revert change if needed.
1. Identify personnel that require authorization to make changes to production as a
part of their job function
2. Required authorized personnel can include quality assurance, system/solution
owners, and security personnel.
3. Prevent access by all other personnel using the IAM features of the component tools (code repositories, automation servers, container registries, etc.). Developers shall not have direct access to production.

1. Obtain and review the documented policies governing the appropriate use and installation of software on Organization workstations to verify the whitelisting / blacklisting and approval requirements
• Check if policies governing the appropriate use and installation of software on organization workstations are approved and reviewed annually
• Check if policies governing the appropriate use and installation of software on organization workstations are communicated to relevant stakeholders
2. Configure workstation logs to be forwarded to the SIEM solution. Configure alerts in the SIEM to identify unauthorized software installs on workstations. Configure the SIEM to notify admins when unauthorized software installs are detected.
3. Blacklisted applications shall not be able to be downloaded to organization workstations. If they are, a notification shall be kicked off, followed up upon, and the software removed if deemed necessary.

1. All changes made to production shall have version control procedures that allow
for reversal of changes, or the ability to restore affected system components back to
their previous state as a result of any errors or identified vulnerabilities.
2. Check if production instances are version controlled and all changes to production
instances are documented.
3. Verify if roll-back/restoration functionality is in place to restore affected system
components back to their previous state.
1. Ensure there are mechanisms in place to detect direct changes to the integrity of
customer data and personal information
2. Ensure appropriate actions are taken to resolve confirmed unauthorized changes
to data
1. All offerings shall identify any utility programs used by the cloud service. This can
be programs related to memory management, antivirus, package installer, etc. that
help execute functions that are critical for running an operating system/cloud service.
2. All utility program use is documented and changes to the program shall follow the
standard change process. Such utility programs shall not have access to production
unless deemed necessary.
3. Any utility programs with privileged access to modify the production instance shall
have its activity reviewed on a monthly basis for appropriateness.
1. Worldwide Badging Policy and Restricted Access Authorization policy shall be established to determine whether requirements for physical access provisioning are defined.
2. Physical security system to determine whether requests for physical access require management approval and required documented specification of:
1. Organization's Global Business Resiliency Program Policy and Physical and
Environmental Security Standard shall be established
2. Backup Generators shall be configured at organization corporate offices and owned data center and data rooms to determine whether they are employed to support critical systems in the event of a power disruption or failure.
3. Temperature and humidity monitoring system shall be configured at organization
corporate offices and owned datacenter to determine whether appropriate thresholds
are configured within the system. Additional failover mechanisms (such as fire safety
and fire hydrant expiration checks) can be included as well if deemed necessary.
1. Obtain and review the documented procedures in place for building and implementing environmental security measures and safeguards
2. Validate that the environmental security measures and safeguards are in place by performing walkthroughs and reviews of the premises or buildings storing sensitive or critical information and ensure the following:
• Perimeters of a building or site containing information processing facilities shall be physically sound (i.e. there shall be no gaps in the perimeter or areas where a break-in could easily occur); the exterior roof, walls and flooring of the site shall be of solid construction and all external doors shall be suitably protected against unauthorized access with control mechanisms (e.g. bars, alarms, locks); doors and windows shall be locked when unattended and external protection shall be considered for windows, particularly at ground level.
• Physical barriers shall, where applicable, be built to prevent unauthorized physical access and environmental contamination.
• All fire doors on a security perimeter shall be alarmed, monitored and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national and international standards; they shall operate in accordance with the local fire code in a failsafe manner.
• Suitable intruder detection systems shall be installed to national, regional or international standards and regularly tested to cover all external doors and accessible windows; unoccupied areas shall be alarmed at all times; cover shall also be provided for other areas, e.g. computer room or communications rooms.
3. Verify that the measures are implemented in accordance with the criticality of
information, wherein such measures can include backup electricity, fire detection &
prevention measures, backup servers, etc.
All other types of environmental threats shall be examined and security measures shall be implemented as needed. Environmental threats can include flood, earthquake, civil unrest, humidity monitor, etc.

1. Obtain a list of all assets that customer information resides on.
2. Validate the geographical location of each asset. Depending on the service used,
this can be AWS, GCP, organization Data Center locations, or other.
3. Verify with legal that the geographical locations and countries that customer
information is stored is appropriate and allowed.
4. Provide customers with details of the geographical locations that the customer
information resides in. This could be done through a web page, announcement, direct
customer requests, etc.
1. All physical access to organization data centers require management approval and
documentation.
2. A ticket shall be created to obtain organization data center access, detailing the
type of access needed (standard, visitor, or supplier). Additionally, level of access
privilege needed, intended business purposes, access start date and access duration
shall be included.
3. An approval shall be obtained by both the requestor's manager and data center
manager. Once approved, access can be provisioned to the requestor's badge and/or
separate badge.
4. When accessing any data center, badge access shall be scanned, and visitor
authentication shall be validated before entering the data center.
5. An audit log shall be retained showing each time the user accessed the data center.
6. Access shall be automatically terminated upon access duration expiration.
1. Organization's Worldwide Badging Policy shall exist and determine whether requirements for physical access de-provisioning are defined.
2. System configuration of the automated feed from the HR system to the badging
system shall be determined and configured to automatically revoke access to the
organization-owned data center when access is no longer required as a result of a
termination or role change.
3. Documentation shall be maintained of physical access de-provisioning for a
selection of terminated organization full time or temporary employees, and role
changes to determine whether their physical access is removed in a timely manner.
4. List of users with active access to in-scope co-location data centers shall be compared with terminated employee listings from the examination period to determine that no terminated contractors or employees retain access.

1. Identify all organization Data Centers and organization office physical sites
2. For each data center, obtain a complete user access list, identifying all users with
access to the data center. Guest access, as well as access to sensitive areas shall be
identified.
3. For those users identified, review each user's access for appropriateness.
4. Take screenshots of the complete user access listing with any filters used for
completeness and accuracy purposes.
5. Alternatively, physical access logs can be pulled, and reviewed for any inappropriate access and/or incidents.
6. For any access deemed inappropriate, validate that access was removed immediately. If needed, perform additional validation over any inappropriate activities that may have occurred by the inappropriate user.

1. Obtain and review the documented policies/procedures in place for managing and provisioning visitors' physical access
2. Evaluate the security mechanisms implemented for secure visitor's physical access
provisioning including monitoring, maintaining records, temporary badge access, and
escorting
3. All visitor access shall adhere to these security mechanisms and be tested
4. Verify that the visitor access records to the facilities are kept securely for at least a year
5. Evaluate visitor access form for completeness used to maintain records while
provisioning physical access to visitors
1. Ensure surveillance feed data is retained for at least 3 months, unless otherwise
restricted by the law
1. Inspect devices that physically capture payment card data on a quarterly basis to
ensure devices are not tampered
1. Ensure all positions of cybersecurity functions in organization Saudi Data Centers are filled with qualified and suitable Saudi nationals only

1. Obtain and review the documented procedures for transfer of assets such as
devices, hardware, software or data or off-site removals
2. Validate that the devices, hardware, software or data are transferred to external
premises post obtaining approvals from the authorized committees or bodies of the
cloud provider
3. Verify that the assets are tagged and classified according to the information classification scheme to ensure that the transfer takes place securely according to the type of the assets to be transferred
4. Verify that the list of approvers to authorize device and hardware transfer is maintained and communicated to relevant personnel
5. Validate that the list of authorized approvers is reviewed periodically, and only this list of authorized approvers can approve device, hardware, software, data transfers to external premises. External premises can be categorized as any location outside of an organization-controlled building and data center.
1. Obtain and review documented procedures for asset onboarding
2. Validate that the approvals from authorized committees or bodies of the cloud
provider are taken prior to installation of new assets into the secure premises and
data centers. Assets needing approval include any new assets that may affect the
processing capabilities of organization, network, data center equipment, cabling, any
equipment with access to sensitive information, etc.
3. Verify that assets are tagged and classified as per the information classification
scheme to ensure secure onboarding of assets in accordance with the type of asset
4. Verify that the list of approvers to authorize asset onboarding or installation is
maintained and communicated to relevant personnel
5. Validate that the list of authorized approvers is reviewed periodically
6. Prior to putting into operation, a study will be made of the following aspects:
• Processing needs.
• Information storage needs: during processing and during the retention period.
• Communication needs.
• Personnel needs: number and professional qualifications.
• Needs in terms of facilities and auxiliary resources.
7. The asset shall be installed by an authorized personnel after approval. The asset
shall be installed appropriately. After the asset is installed, validate the asset is
securely installed, and verify if there are any vulnerabilities to the installed asset that
need to be remediated. If needed, the vulnerability will be addressed as part of the
1. Asset maintenance policies with technical and organizational safeguards shall
exist.
2. Asset management policy shall have instructions to verify if asset maintenance safeguards are described (especially remote maintenance), deletion, updating and re-use of assets for information processing in outsourced premises or by external personnel.
3. Assets shall be appropriately sanitized and cleaned before deletion and/or re-use of
an asset. In addition, asset updates and maintenance shall follow a prescribed
process detailed in the policy and standard.
4. An audit log and/or inventory history of each asset shall be maintained that tracks
maintenance, deletion, updating, and re-use of assets, and the procedures taken for
each asset.
5. These policies and standards shall be reviewed annually.
1. Policy regarding the management approved safe and secure work environment shall exist within the organization.
2. The safe and secure work environment policies and documentation are reviewed at least annually and updated as necessary or on any major changes
3. Revision histories and review periods are defined within the safe and secure work environment policies and documentation
4. organization shall be able to demonstrate a safe and secure work environment that
aligns with the policy and standard.
1. Documented procedures shall be in place to authorize and maintain secure building access
2. Evaluate implementation of access controls and installation of secure access devices to restrict access to the premises or buildings including those which store sensitive or critical information, information systems or other network infrastructure. Access shall be managed via badge reader and include security camera feeds
3. Ensure that the documented records are maintained for access granted / provisioned
4. Visitors shall be escorted by authorized personnel and records are maintained
5. Software authorization controls are monitored in order to avoid unauthorized site
and data access
6. List of authorized personnel (e.g. employees, customers, suppliers and contractors)
with business justification for access shall be maintained.
1. If offering has been required to align with the organization corporate data
classification policy then a new policy does not need to be created. Contact the
organization privacy office to understand the requirements that shall be met to be
onboarded into the organization data classification process. Implementation of the
procedures, architectures, technologies, and strategies that are necessary to meet
the requirements of the corporate policy are the responsibility of the offering
2. Ensure that yearly updates to the organization corporate data classification policy
are addressed
3. If the offering has not been required to align with the organization corporate data
classification policy, then create and document a new data classification policy.
Creating the policy consists of the following steps, at a minimum:
• Establish a data catalog
Corporate Inventory (such as computers/data center equipment etc.)
• All inventory assets shall be evaluated and documented on an annual basis. One
way of identifying production assets is:
* Configure a vulnerability scanner to perform inventory scans of the production system

1. Identify any assets being used by the service/provider. This includes all assets in production and/or that store customer information (AWS, Azure, etc.).
2. Document the assets and their use/purpose accordingly in a ticket or page. Each
asset is given a designated owner.
3. Validate each asset is labelled, managed, and appropriately protected/secured
according to the organization Asset Management standard and Data protection
policies.
1. The offering shall keep an inventory of system assets. This includes a validation that the inventory of system assets includes assets of the cloud service provided by the cloud service provider. This can include where customer data resides, data center locations, production instances, production tools, etc.
2. Validate that the cloud service customer data and data derived from the services
are explicitly identified by the cloud service provider. The offering shall be able to
clearly identify where customer data and data derived from the service reside.
1. Publish a customer facing page or announcement page detailing the services
offered by the organization service. This page can additionally include details such as
what customer information is taken, types of cloud service providers used and/or
location (i.e. AWS, GCP, organization Data Center), type of service that is provided.
2. Validate this page is up-to-date on an on-going basis, and update if there are any
inaccuracies or major changes that have occurred.
1. A data classification and handling standard shall exist. organization data
classification criteria are reviewed annually, and approved by management.
2. The criteria shall be communicated to authorized personnel, and used to determine
the treatment of data classification policies and documentation
3. Validate the policies and standards include the treatment of different types of data,
such as customer data and/or PII, and how to classify them, and handle the data.
1. Ensure relevant mechanisms/controls are implemented to prohibit sharing
organization confidential data via messaging technologies, social media, and public
websites. Tools allowed by organization for sharing can be used if needed. A Non-
Disclosure Agreement (NDA) shall be obtained prior to any type of sharing occurring.
1. Obtain Organization's asset inventory and ensure that the inventory includes all in-
scope cardholder related systems, devices, and media
1. Obtain Organization's asset inventory and ensure that authorized wireless access
points are recorded along with a valid business justification
1. Engage the offering support team and complete required onboarding actions. This
includes, but is not limited to:
• Identifying a mechanism or tool (ticketing system, etc.) to record all customer submitted issues and requests (this can follow a corporate central support system or offering specific)
• Identifying offering specific support personnel for escalation or use corporate support team to handle all issues and requests.
• Identifying how customer tickets are assigned
• Identifying urgency and importance classifications for support to reference during triage
1. A data flow diagram shall be documented and reviewed on an annual basis.
2. The data flow diagram shall include a service infrastructure diagram with details
regarding where customer data is stored, and how it is transmitted within the
services' applications and infrastructure.
3. The diagram shall clearly articulate any 3rd party suppliers and services used such
as AWS, GCP, etc. The diagram, shall clearly label what is owned and hosted by
organization as well.
4. If applicable, an abbreviated diagram can be provided publicly to customers as
well.
5. As part of its annual review, any changes are accurately reflected/updated to the
diagram.
1. All production data (including customer data) is prohibited from being used and/or
stored in non-production systems and environments.
2. Production data (including customer data) cannot be used for testing purposes or
development purposes.
1. Obtain the cloud service agreements signed with the customers
2. Ensure that customer personal data is transferred outside EEA, only if it was
agreed upon as part of a Cloud Service Agreement with customers
3. Ensure all transfers and agreements meet GDPR requirements
1. Obtain relevant policies and standards regarding retention and disposal procedures
of organization data (i.e. Data Protection Policy/standard, Media Handling, etc.).
2. Validate the policies/standards include guidelines and appropriate methods
regarding the retention and disposal of organization data.
3. Validate these policies and standards are reviewed on an annual basis and a
review history is included.
4. Each service shall adhere to the formal retention and disposal procedures (such as
appropriate deletion of organization data, retention/encryption requirements of data,
etc.).
1. Organization shall adhere to the electronic media handling and disposal Standard to determine whether requirements for destroying media containing data have been established, as well as requirements for maintaining a log of such activities.
2. Ensure that the electronic media containing confidential information is purged or destroyed in accordance with management approved documentation and best practices. Ensure that the confidential information within the media cannot be accessed again, and is appropriately sanitized upon destruction.
3. A certificate of destruction shall be issued for each device destroyed
4. An inventory of all destroyed electronic media shall be maintained and updated
regularly.
1. Each service shall provide a method or ticketing system for customers to request
for deletion of their account and information.
2. Upon request of deletion, the customer account and information is immediately
purged and deleted from databases and the production instances (AWS, GCP, etc.).
3. Once purged, a confirmation message or email is provided back to the customer
confirming the deletion of their account and information.
1. Obtain relevant policies and standards regarding retention and disposal procedures
of customer data (i.e. Data Protection Policy/standard, Media Handling, etc.).
2. Validate the policies/standards include guidelines and appropriate methods
regarding the retention and disposal of customer data.
3. Validate these policies and standards are reviewed on an annual basis and a
review history is included.
4. Each service shall adhere to the formal retention and disposal procedures (such as
appropriate deletion of customer data, retention/encryption requirements of
customer data, etc.).
1. Validate whether or not the service uses any software-defined networking (SDN)
solutions.
2. If an SDN is used, verify suitable SDN procedures are defined and documented.
SDN procedures shall include steps to harden the SDN system and ensure
confidentiality of the cloud user data residing within it.
3. Validate the SDN procedures and instances include the encryption of traffic,
routing protocol security measures, authentication of endpoints and secure tunneled
traffic and access restrictions.
4. The cloud service provider validates the functionality of the SDN functions before
providing any new SDN features to its customers or existing SDN features.
5. Any SDN deficiencies or defects are assessed and corrected accordingly.
1. Organization shall document best practices for destroying hardcopy materials containing confidential information.
2. Hardcopy material containing confidential information is purged or destroyed in accordance with management approved documentation and best practices, such as
cross-cutting, shredding, incinerating, pulping, etc.
3. organization shall share these best practices and make them available for
organization employees to see. Communications can include emails, posting the
practices in offices, reminders to employees, etc.
1. The offering shall use IPv6 to provide their service to cloud service customers.
2. The offering shall provide information of the IPv6 support status to their cloud
service customers via a communication line (email, page, announcement site, etc.)
1. All Cryptographic Key Custodians and Cryptographic Materials Custodians shall
acknowledge in writing or electronically that they understand and accept their
cryptographic-key-custodian responsibilities.
2. Acknowledgement shall be obtained upon hire if they are responsible, and at least
on an annual basis thereafter.
1. Use the CSP specific KMS (for e.g. AWS KMS) service to provide key management
capabilities where possible. If key management is required to be performed by a
third-party software that is fully controlled by the offering deploy and configure a
software tool such as Hashicorp Vault
2. Limit access to key storage and generation mechanisms
3. Configure logging and ensure that key creation, editing, and deletion is captured
via logs and that alerts are configured to notify personnel of these actions so that the
validity of the action can be confirmed
4. Develop a formal key management policy / procedure that minimally includes:

• Prevent unauthorized substitution of cryptographic keys (specify how to generate strong keys)
• Specify how to securely distribute keys

1. Offerings shall only use public key certificates under an approved certificate authority.
2. Examine the key management policy for lists of approved certificate authorities.
3. SSL certificates can be obtained from approved services, for both public and
private PKI certificates.
4. Certificate from the provided services can be checked from the root CA
5. Certificate shall be approved from the approved service provider.
1. If an offering uses cryptography to protect customer data, it communicates what
methods and technologies are used to their respective customers. Communication
can be high level, and does not need to include exact cryptography configurations.
2. If confidential/secure methods are provided to customers, the communication shall
be via a secure method (i.e. in account inbox, account notification page, etc. that
only customers can access). Methods that are high level can be published externally
if deemed appropriate.
1. Procedures/Standards shall be documented and maintained for the management of portable and removable media devices
2. Portable and removable media shall not contain any confidential or secure data
that can be accessed at a non-organization controlled endpoint. The ability to write to
portable and removable media shall be controlled.
3. If write access is allowed, cryptographic techniques shall be used to protect data
on portable and removable media
4. Documented approvals shall be fetched for usage of portable and removable media
5. Portable and removable media devices are monitored when in use
6. Evaluate controls in place to check that portable and removable media containing
information is protected against unauthorized access, misuse or corruption during
transportation.
7. For NIST, FedRAMP, and NIST 800-171, FIPS 140-2 encryption method is used to
protect data at rest and in transit.
1. Organization Common Cryptography Modules (C3M) module shall be established or
called out
2. PKI Standard shall be established and reviewed on an annual basis as part of the
module.
3. Approved cryptographic Algorithm or other industry accepted standards such as
accredited National Cryptological Center algorithms shall be used in organization.
Voice over internet protocol (VoIP) shall be considered and encrypted as well.
4. Evidence of data at rest and in-transit are both protected and encrypted shall be
readily available.
5. Specific to NIST, FedRAMP, and NIST 800-171, appropriate cryptographic methods
are used such as FIPS 140-2 Cryptography methods to protect data at rest and in
transit.
6. For data in transit, TLS1.2 at a minimum shall be used.
1. Key management procedure shall be adhered to
2. For each service team, verify cryptographic keystores are stored in the respective tool used in the organization.
3. A process shall be adhered to for retirement or replacement (for example, archiving,
destruction, and/or revocation) of keys when the integrity of the key has been
weakened i.e. expiry, excess usage, compromise, unauthorized disclosure, employee
termination etc.
4. Process shall be in place for key change/ rotation for keys that have reached the
end of their crypto period
5. Access controls shall be implemented to restrict access to keys and key storage to
authorized personnel only
6. Periodic reviews performed for key records maintained by the offering.
1. Ensure personal account number (PAN) data is restricted/masked such that only
the first six and last four digits are displayed
2. Ensure full PAN is only provided to authorized users with a legitimate business
need
1. Check if full disk encryption is implemented. If yes,
• Ensure logical access is managed independently of operating system
authentication
• Decryption keys shall not be associated with the user accounts
1. Ensure data encryption keys that encrypt or decrypt cardholder data meet at least
one of the following storage requirements:
• the key-encrypting key is at least as strong as the data encrypting key and is stored
separately from the data encrypting key
• Data encryption keys are stored within a secure cryptographic device (such as a
host security module (HSM) or PTS-approved point-of interaction device)
• Data encryption keys are stored as at least two full-length key components or key
shares
1. Ensure there is a formal process in place for retirement or replacement (for
example, archival, destruction, and/or revocation) of keys when the integrity of the
key has been weakened i.e. compromised or end of life
1. Ensure a formal process is followed for retirement or replacement (for example,
archiving, destruction, and/or revocation) of keys when the integrity of the key has
been weakened i.e. expiry, end of life, compromised, unauthorized disclosure,
employee termination/transfer etc.
1. This control is applicable for manual key-management operations, or where key
management is not implemented by the encryption product
2. Ensure manual clear-text cryptographic key-management operations are managed
using :
• Split Knowledge AND
• Dual control
3. Split knowledge is a method in which two or more people separately have key
components, where each person knows only their own key component, and the
individual key components
4. Dual control requires two or more people to perform a function, and no single
person can access or use the authentication materials of another
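The "at least two full-length key components" storage option above and the split-knowledge/dual-control requirement here rest on the same mechanism. As an added example that is not part of the CCF, the Python below splits a key into n full-length XOR components and runs a small ceremony that only reconstructs the key once every custodian has separately entered their own part; the custodian names and demo key are constructed.

```python
"""Added example, not part of the CCF: n-of-n XOR split of a key into
full-length components (split knowledge) and a ceremony that enforces dual
control over reconstruction. Custodian names and the key are constructed."""
import secrets
from typing import Dict, Iterable, List


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be full-length (same size as key)")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> List[bytes]:
    """Split key into n components of len(key) bytes whose XOR is key.

    The first n-1 components are fresh random bytes and the last one is
    key XOR (all others), so any n-1 components together are still uniform
    random: a custodian learns nothing about the key from their own part.
    """
    if n < 2:
        raise ValueError("split knowledge needs at least two components")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = _xor(last, c)
    components.append(last)
    return components


def combine_components(components: Iterable[bytes]) -> bytes:
    """XOR all components back together. Every component is required;
    with one missing the result is an unrelated random value."""
    parts = list(components)
    if not parts:
        raise ValueError("no components")
    key = bytes(len(parts[0]))
    for c in parts:
        key = _xor(key, c)
    return key


class KeyCeremony:
    """Dual control: each named custodian enters only their own component,
    and the key is formed only when all expected custodians have done so."""

    def __init__(self, custodians: Iterable[str]) -> None:
        self._expected = set(custodians)
        if len(self._expected) < 2:
            raise ValueError("dual control needs at least two custodians")
        self._parts: Dict[str, bytes] = {}

    def submit(self, custodian: str, component: bytes) -> None:
        if custodian not in self._expected:
            raise PermissionError(f"{custodian} is not an authorized custodian")
        if custodian in self._parts:
            raise ValueError(f"{custodian} has already submitted a component")
        self._parts[custodian] = component

    def reconstruct(self) -> bytes:
        missing = self._expected - set(self._parts)
        if missing:
            raise RuntimeError(f"still waiting for: {sorted(missing)}")
        return combine_components(self._parts.values())


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)   # constructed AES-256-sized key
    parts = split_key(demo_key, 2)
    ceremony = KeyCeremony(["custodian_a", "custodian_b"])
    ceremony.submit("custodian_a", parts[0])
    ceremony.submit("custodian_b", parts[1])
    assert ceremony.reconstruct() == demo_key
    print("key reconstructed under dual control")
```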

1. Network Security Standard and Firewall, Router and Switch Configuration Standard shall be established and reviewed on an annual basis.
2. Obtain evidence of the configuration of network and system components and validate they meet the policies and standards of #1.
1. Identify security mechanisms, service levels and management requirements of all network services and include them in network services agreements, whether these services are provided in-house or outsourced. The organization network perimeter shall be controlled by specific security gateways.
2. Network perimeter controls are implemented, and the defined process is followed to satisfy the security requirements of customers
3. Cross-network access shall be granted to authorized personnel only, based on the security requirements of the cloud customers
4. Evaluate the list of authorized personnel having cross-network access

1. Where allowable, hardware devices shall preferably be used in the establishment and use of the virtual private network.
2. If hardware devices were not used, the rationale shall be documented.

1. Risk management standard shall be established and reviewed annually
2. Risk Management Standard shall contain the guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks, documentation and communication of those risks, as well as possible vulnerabilities within the cloud service provider
1. Organization's Technology Risk Management Standard shall exist and the following
requirements shall be defined and followed.
• Annual risk assessment performed by management
• Risk assessment results review
• Prioritized mitigation of identified risks
• The annual risk assessment includes consideration of the potential for fraud, and
performs a fraud risk assessment as well.
2. Management shall execute and review the risk assessment activities annually.
3. Any identified issue shall have a corresponding risk treatment plan or corrective action plan in place. Each issue needs to be tracked to completion.

1. As part of the annual risk assessment, cloud service providers/offerings shall evaluate the risks associated with customer-supplied software within the cloud service offering provided by the provider. This can include any additional add-ons/software the customer installs/adds to their instance within the cloud service provider's service.
2. The cloud service provider shall evaluate any potential security impact that these
add-ons may have on the instance, and whether or not there are any new security
risks that are introduced.
3. All risks/action items that come from the risk assessment are followed up upon,
and tracked to completion in a timely manner.

1. Ensure risk assessment process is established, documented and followed
2. Determine data types that can be shared with a managed service provider
3. Obtain data risk assessment report

1. A defined team at the organization shall be responsible for overseeing the security and control environment at the organization.
2. Verify the roles of each member and validate that security and control environments are being reviewed and followed up upon.
3. Managers check in with each member to review responsibilities and roles at least annually.
1. Board of Directors responsibilities and members shall be documented within a charter.
2. Board of Directors meet at least quarterly, and document meeting minutes of each meeting.
3. Board of directors have at least 3 sub-committees defined and formed: audit committee, executive compensation and nominating committee, and governance committee.
4. Board of directors will meet with each sub-committee at least annually to provide
updates in each respective area.
5. Action items from each board of directors meeting shall be documented and
actioned upon. The Board of Directors shall discuss plans of succession when needed
and develop contingency plans for assignments of responsibility important for
internal control when needed.

1. Obtain documented information on the Audit Committee and Audit Committee Charter
2. Verify that the audit committee is independent and meets quarterly as defined within the charter. Document the most recent meeting in the form of an audit committee minutes form.
3. Verify that the audit committee includes outside directors (industry experts)
4. Validate and review audit reports/documented information to verify audit review including various activities such as financial statement quality, enterprise risk management, regulatory & legal compliance, internal and external audit function, and information security functions.
5. Review any open items from previous audit committee meetings to ensure they are being worked on and closed out.
6. Continuously evaluate results of audits and ensure audit committee's requirements are met, and any concerns are addressed and/or remediated.

1. Each offering is responsible for identifying geographies with legal and regulatory
risks such as embargoed countries, countries with legal bans, countries marked as
non-cooperative countries or territories (NCCTs), etc. Such countries shall be labeled
accordingly with "jurisdiction risk".
2. Once identified, offerings shall not operate out of, or have administrators that
reside in such geographies.
1. Cloud service customers and cloud service providers shall agree on the appropriate
allocation of information security roles and responsibilities, and confirm that each
party can fulfill its allocated roles and responsibilities. These roles and responsibilities
shall be defined within an agreement between the two parties.
2. Cloud service customers shall identify and manage their relationship with the customer support and care functions of the cloud service provider.
3. Once agreed upon, the customer and providers are responsible and accountable
for the agreed upon terms and responsibilities. Roles and responsibilities relating to
operational activities, data ownership, access controls, infrastructure maintenance,
shall be clearly defined to avoid any legal disputes.
4. Ownership of all assets, and the parties' responsibilities for operations associated with these assets, such as backup and recovery operations, shall be defined and documented.
5. The use of sub-contractors shall also be defined and agreed upon between
customers and providers, and security risks associated with the use of sub-
contractors shall be discussed.
6. Details around an incident response policy and communication line shall be
defined between customer and providers as well. Providers shall also communicate to
customers that "false reports" of events that do not subsequently turn out to be
incidents do not have any negative consequences.

1. A statement of applicability (SOA) shall be documented.
2. The SOA shall include control objectives, implemented controls, business justification for excluded controls, and shall align with the risk assessments.
3. The SOA shall be reviewed and approved at least annually.

1. ISMS Steering committee shall meet at least annually, and include meeting
minutes from each meeting.
2. Attendees of the steering committee meeting shall be documented, and members
of the information steering committee shall include relevant members from the
offering's organization.
3. Each meeting shall include a discussion and review of current scope (products included), audit progress, ISMS scope, risk assessment activities, control implementation, and audit results. Action items for any audit findings shall be included.

1. A security leadership team including key stakeholders in the organization Information Security Program shall be identified and established at the organization.
2. The security leadership team oversees the information security program and shall define the goals and milestones for deployment of the information security program at the organization.
1. Document the ISMS scope in an ISMS scope document.
2. Within the document, ensure the ISMS boundaries with respect to the offering, and
supporting corporate platforms are included in the scope of certification.
3. Review the scoping document and boundaries on an annual basis, updating it
when necessary.

1. At least annually, the organization shall have a staff meeting to discuss relevant security threats, program performance, and resource prioritization.
2. The meeting shall be sent out through a formal invite and shall be recorded for the organization
3. Corresponding meeting material, such as presentation slides going over security threats, program performance, and resource prioritization, shall be included as part of this meeting.
4. The meeting can be segregated into multiple meetings if necessary and, depending on the audience, can be integrated with other organization meetings such as ISMS Steering Committee meetings, or other announcements.

1. Ensure that all the security requirements for which budget is required as part of the Organization's Security program, and the corresponding business justification, are identified, documented and maintained.
2. Ensure that, as part of regular periodic management review meetings, the identified critical security requirements across the organization are reviewed and analyzed, that budget for management of the Organization's security program is allocated on the basis of multiple factors and justifications, and that corresponding records are maintained.
3. Ensure representation from all the key departments so that allocation of budget for the security program is aligned with business objectives.
4. Ensure the spending of the allocated budget is aligned with the business justification approved by top management and corresponding records are maintained.
1. Document and maintain information security policy/policies and corresponding
procedures ensuring coverage of the information security requirements for the
service environment in compliance with different standards as well as frameworks.
2. Ensure the policy and procedure documents are communicated, implemented, reviewed and updated if required on an annual basis, and corresponding records are maintained.

1. Document and maintain privacy policy/policies and corresponding procedures ensuring coverage of the requirements pertaining to processing of personally identifiable information for the service environment in compliance with applicable privacy laws as well as industry standards and frameworks.
2. Ensure the policy and procedure documents are communicated, implemented, reviewed and updated if required at a regular frequency, and corresponding records are maintained.

1. Each offering shall follow the organization corporate information security policy
stated as part of GRM-04.01. However, as part of each offering's responsibility, if they
are a cloud service customer (i.e. utilize AWS, Azure, GCP, etc.) they shall further
define considerations around information being stored in the cloud computing
environment, access management, maintenance, and geographical locations of cloud
service provider's organization as part of the policy.
2. Policy shall be consistent with the Organization's acceptable levels of information
security risks for its information and other assets
3. The considerations can be documented as part of the Corporate Information Security Policy, or on a separate offering-specific document/page.
4. This information security policy shall be reviewed annually with approvals.

1. A cloud service provider (offering)'s information policy can follow a corporate information policy, or the offering can maintain its own information policy.
2. The information policy document for the cloud service provider shall cover various aspects such as, but not limited to, baseline information security requirements, multi-tenancy and cloud service customer isolation, access management, lifecycle management of service customer accounts and communication of breaches, in compliance with different standards as well as frameworks.
3. Ensure the policy and procedure documents are communicated, implemented, reviewed and updated at least annually, and corresponding records are maintained.
1. Cloud service providers/cloud offerings provide customers details regarding the
security capabilities they use via request, or general public page and/or
announcement page.
2. Cloud service providers/cloud offerings upon request also provide details regarding
their security posture via a SOC report if needed.
3. The cloud offering also provides details to customers with security capabilities the
customer can implement while using the cloud services provided.

1. Ensure Organization's governance policies and procedures are documented in order to meet security requirements. These policies include any policy relevant to ISO, SOC, and other governance frameworks
2. Policies and procedures are reviewed and approved by management in order to meet security requirements
3. Policies and standards are communicated to authorized personnel on an annual basis
4. Roles and responsibilities shall be defined in the policy
5. Policies and procedures are reviewed and updated at least annually with revision history

1. Exceptions to policies and procedures are documented and maintained
2. Process shall be in place to request, review and approve exceptions to policies and procedures
3. Exceptions to policies and procedures are approved and reviewed annually by appropriate personnel
4. Evaluate any defined business-user-specific exceptions and review them for appropriateness

1. Management approved policies and standards are maintained and followed to govern the collection, retention, and usage of metadata (customer usage data)
2. The policy and standard shall define the restriction of access to data, and access to data shall be restricted and reviewed
3. Customer usage data shall be deleted once its intended collection purpose has been fulfilled, and/or upon customer request
4. Evaluate access to customer usage data to be granted to authorized staff only
5. The policy is reviewed annually

1. Ensure a program charter for the governance of PCI DSS compliance is established,
documented and followed
2. Ensure roles and responsibilities for the governance of PCI DSS compliance are
defined and documented
3. Ensure program charter and roles and responsibilities are communicated by the
management

1. Identify the scope of GDPR
2. If the cloud service provider is not established in a member state of the EU, verify if it's in-scope of GDPR
3. If it's in scope of GDPR, ensure the cloud service provider designates a representative in a member state of the European Union
1. Ensure the cloud service provider adheres to the EU Code of Conduct
2. Ensure the cloud service provider transparently communicates to customers their
adherence to the EU Code of Conduct

1. Ensure all policy violations and non-compliance, including associated implications, disciplinary and legal action, are documented as well as maintained in the Code of Conduct.
2. Ensure that all employees including new joiners provide acknowledgment for adhering to the Code of Conduct and corresponding records are maintained.
3. Ensure employees are notified in case of policy violations and actions of non-compliance that may lead to disciplinary as well as legal action, and corresponding records are maintained.
4. Ensure frequent communication and awareness mailers are sent across to all organization employees for updates to the Code of Conduct and corresponding records are maintained.
5. A population/repository of employees with violations to the COC shall be documented and captured if occurred.

1. Document and maintain the results of the annual information security risk assessment
2. Ensure that the results of the annual information security risk assessment are discussed and finalized with the designated risk owner(s), and that corresponding records are maintained.
3. Ensure that the risk treatment plan for closure of identified risks is documented as per the timelines and approvals, based on a cost-benefit analysis leading to selection and development of manual and IT general controls, and that corresponding records are maintained. This can be considered and reviewed as part of CCF releases as well.

1. Background checks shall be mentioned and included in a policy/standard.
2. For all new hires, a background check shall be completed prior to their hire date.
1. Hiring process shall be mentioned and included in a policy/standard highlighting
details of what the hiring process is.
2. For all new hires, an interview and approval process shall be conducted prior to
receiving an offer.
3. Each new hire shall have at least one approval prior to the candidate receiving an
offer.

1. Ensure the list of roles requiring national security clearances is reviewed and kept up-to-date
2. Document and maintain a process on screening/rescreening or vetting of employees that need national security clearances
3. Ensure that screening and rescreening of authorized personnel are conducted for roles that require national security clearances
4. For national security clearances, ensure that rescreening is conducted for the following:
• 5th year for top secret security clearance
• 10th year for secret security clearance
• 15th year for confidential security clearance
5. For law enforcement and high impact public trust level, ensure that a reinvestigation is conducted during the 5th year

1. Document and maintain the onboarding process of contingent workers (Suppliers, Contractors, Independent Contractors, Consultants, and Partners). Document and maintain the organization Confidential Information Agreement.
2. Maintain a list of contingent workers being onboarded
3. Ensure the organization Confidential Information Agreement includes expected behavior regarding data and information system usage, prohibiting disclosure of information and other data to which the contingent worker has been granted access
4. Ensure all contingent workers sign the organization Confidential Information Agreement
1. Document and maintain a policy which enforces that employees sign the terms and conditions of employment and the non-disclosure agreement (PIIA). A formal non-disclosure agreement shall be maintained as well.
2. Ensure all full time employees sign the non-disclosure agreement (PIIA - Proprietary Information and Invention Assignment) upon hire, which prohibits any disclosure of information to which the employee has been granted access
3. Where PIIA is not applicable, ensure that full time employees sign offer letters that outline clauses relevant to non-disclosure

1. Ensure that a Code of Conduct and Acceptable Use Policy is documented and maintained
2. Ensure that the Code of Conduct covers employee's responsibilities regarding
confidentiality, data protection, ethics as well as reputed practices expected by
organization and is communicated to all employees
3. Ensure that all full time employees acknowledge that they have read through and
agree to the Code of Conduct as part of their onboarding process

1. Document and maintain a check-in performance management process for on-going dialogue between managers and employees
2. Establish performance review criteria as part of the performance management process
3. Ensure periodic reminders are sent to managers for performing regular performance check-ins. Each manager shall have regular check-ins with employees to discuss performance. Check-ins shall occur at least once a year, and can be included as part of compensation reviews.
1. Ensure leaders and team members have access to Team Space for on-going
communication, goals, and feedback between them
2. Establish continuous communication and 360 degree feedback via Team Space
amongst the leaders and team members

1. Ensure that a defined procedure or a mobile device policy is maintained to enroll mobile devices with the enterprise Mobile Device Management (MDM) solution and that responsibilities with respect to the usage of mobile devices for accessing organization resources are communicated
2. Ensure that only authorized organization personnel who are enrolled in an MDM solution are able to obtain access to the organization network on mobile devices

1. Ensure that the organizational structure and reporting lines for communicating clear paths of responsibility within the organization are defined, documented and available as necessary
2. This can be maintained in the organization Directory or Active Directory, or by alternative methods as well.
3. The organizational chart shall serve as a method for developing contingency plans for assignments of responsibility important for internal control as well

1. Ensure policies around appropriate posting of job descriptions are defined and documented
2. Ensure the defined policies are implemented regarding the posting of job descriptions for employees supporting the service, and that the descriptions include authorities and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system
3. Validate that the job descriptions, responsibilities and authorities are reviewed on a periodic basis. Further, job descriptions shall not be posted publicly unless they have first undergone review and/or approval.
1. Ensure resources are provided for security awareness training (including cloud
security awareness) on at least an annual basis. The security awareness training shall
include how to securely handle mobile devices and storage media, secure internet
browsing, and use of social media.
2. Ensure resources for security awareness trainings are provided to all employees
(per their job responsibility)
3. Ensure security awareness trainings are tracked for completion
4. Offerings are responsible for identifying whether or not RB need to complete any type of security awareness training annually, and for tracking them to completion.

1. Ensure information security, privacy, and various other types of trainings are made available to all employees
2. Ensure trainings related to operational activities of the offering are provided to the respective employees in order to enable continued development and growth. Trainings can be offered through various platforms such as Degreed, or through a training budget for each individual, etc.

1. Verify if a training module is available on secure coding techniques
2. Obtain the list of software engineers who are responsible for completion of this training
3. Validate that the training on secure coding techniques is completed by software engineers at least annually
1. Obtain the list of organization personnel that need to interact with cardholder data
systems
2. Ensure personnel that interact with cardholder data systems undergo awareness
training
3. Ensure the awareness training covers the following:
• Verify the identity of third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
• Do not install, replace, or return devices without verification
• Be aware of suspicious behavior around devices (e.g., attempts by unknown
persons to unplug or open devices)
• Report suspicious behavior and indications of device tampering or substitution to
authorized personnel (e.g. to a manager or security officer)

1. Process shall be defined for reporting issues related to ethics/code-of-conduct/any wrong-doings
2. Quarterly Audit Committee presentations shall be established to determine whether Ethics hotline allegations and the resulting actions were presented to the Audit Committee

1. Organization's Authentication Standard shall exist, and it shall be determined whether the policies contain requirements for the creation, allocation, change, distribution and safeguarding of passwords.
1. Logs of critical information system activity shall be stored in a secure repository
2. Configuration that appropriately removes administrators' ability to delete or modify the enterprise audit logs shall be enforced.
3. Admins with (read only) access to the audit logs shall be verified from the appropriateness perspective
1. Obtain the relevant organizational policy/standard and ensure the defined process regarding enabling audit logging and monitoring is adhered to
2. Ensure specific mechanisms to monitor and flag tampering to the audit logging
and monitoring tools in the production environment are documented
3. Ensure appropriate mechanisms are implemented for protecting integrity of logs
and to prevent/detect logs modified/tampered at the storage location. Additionally,
ensure such activities are recorded and controlled
4. Restrict and control administrative permissions to manage and modify audit logs to
authorized personnel only
5. Ensure all administrative and operational activities are logged and events are
captured to trace back to a particular user in case of any modifications/tampering
performed
6. Replicate and store all applicable logs on a centralized server and restrict access to
only authorized personnel
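Items 3 and 5 above ask for log records whose modification or tampering can be detected and traced to a user. As an added example that is not part of the CCF, the Python below chains audit records with an HMAC so that an edited field, a deleted entry or a re-ordered entry is flagged at verification time; the key and sample events are constructed.

```python
"""Added example, not part of the CCF: HMAC-chained audit records so that
modification, re-ordering or deletion of stored entries can be detected.
The key and the sample events are constructed for this demonstration."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key; in a deployment this lives with the log collector,
# never with the administrators whose actions are being logged.
LOG_KEY = b"demo-log-integrity-key"
GENESIS = "0" * 64


def _canonical(record: Dict) -> bytes:
    """Stable serialization so the same record always gives the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(body: Dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain: List[Dict], event: Dict, key: bytes = LOG_KEY) -> Dict:
    """Append an event, binding it to its position and the previous tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, **event}
    record = {**body, "tag": _tag(body, key)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes = LOG_KEY) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    record that fails: an edited field, a forged tag, or a gap/re-ordering
    (seq or prev no longer line up). Removal of the newest records is only
    detectable if the latest tag is also anchored on the central log server.
    """
    prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        if not hmac.compare_digest(_tag(body, key), record.get("tag", "")):
            return i
        prev = record["tag"]
    return None


def build_demo_chain() -> List[Dict]:
    """Constructed sample of the administrative activity the control wants
    traceable to a named user."""
    events = [
        {"user": "alice", "action": "login", "src": "10.0.0.5"},
        {"user": "alice", "action": "privilege_escalation", "target": "root"},
        {"user": "bob", "action": "login", "src": "10.0.0.9"},
    ]
    chain: List[Dict] = []
    for event in events:
        append_record(chain, event)
    return chain
```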
1. All audit logs shall allow an unambiguous identification of user accesses at the
tenant level. All activities shall correspond or be able to be traced back to a
corresponding owner.
2. In all security events or incidents, logs can be traced back to a user, to identify any
malicious activity or support forensic analysis.

1. Ensure the process to be followed by vendors for remote access are established,
documented and followed
2. Ensure vendor accounts used for remote access are enabled only during the time
period needed, disabled when not in use, and monitored while in use

1. Obtain Password management policy
2. Ensure service providers with remote access to customer premises have a unique authentication credential (such as a password/phrase) for each customer

1. Obtain Log management procedure
2. Ensure remote access session details are logged
3. Retain event logs and ensure they are available for review whenever required

1. All production instances shall be accessed only via the organization VPN and valid multi-factor authentication (MFA).
2. Production instances shall be integrated such that direct access to the application outside of the organization VPN is prevented where possible.
3. Should a production instance be accessed outside of the organization VPN and multi-factor authentication, additional termination and password controls may be evaluated.
4. All access to "root" shall be restricted to employees with a valid MFA token per guidance requirement
Escalating user or account privileges to 'root' [ on development, build, and production systems ] is restricted to authorized employees with a valid multi-factor (MFA) token [ and an authorized business need ].

1. Organization's Logical Access Policy, Logical Access Account Standard and Role
Based Access Control Standard shall exist.
2. Organization's Joiner workflow configurations for automatically creating an AD
account shall be tested
1. As part of its offering, the offering provides the ability to manage and monitor
access to their customers, to restrict access to the customer's own instance of the
offering's cloud services.
2. This can include the ability to delegate different types of access (i.e. read only,
admin).
1. Organization's Logical Access Account Standard shall exist.
2. Quarterly or semi-annual review process shall be established for user access
review for core application and tools. Quarterly cadence shall be strived, however if
access is extremely limited to a number of users, or type of access is extremely
limited in action (i.e. no one can make changes to production), then semi-annual
cadence can be utilized.
3. Population of users shall be complete and accurate and pulled directly from the
source application.
4. Approval shall be provided by Manager for the user access review. In case of any
discrepancy

1. Documented procedure for performing user access reviews in accordance with organization policies which covers the following shall exist
• Quarterly access reviews are performed for in-scope system components;
• Keeping audit trails and maintaining tickets for all requests for addition, modification or deletion of user accounts/IDs and access rights;
• Reviewing user accounts at specified intervals (quarterly) to identify and facilitate removal/deactivation of inactive accounts or accounts that have not been used for a longer duration
2. Quarterly review process shall be established for user access review.
3. Approval shall be provided by Manager for the user access review.
4. Any discrepancies identified as part of the user access review (i.e. inappropriate access) shall be remediated within 7 days (access removed and/or modified).

1. Ensure unique organization ID credentials are used for all in-scope systems. Additionally, ensure organization IDs are not reused. IDs shall not be shared between employees, and no employees/users shall be provisioned identical IDs to access organization applications and network.
2. Ensure access to all in-scope systems is authenticated via unique organization ID credentials
1. Validate that access to production systems follows organization AD and VPN.
2. Should access to production systems not follow organization AD and VPN, the direct application password criteria shall be reviewed to ensure they meet organization policy.
3. If needed, passwords are stored within a centralized directory to simplify password management; configure the password requirements there and enforce them on all accounts.

1. Obtain organization policy for password management
2. Ensure the corporate Active Directory password settings meet organization policy requirements for all Active Directory accounts. Organization policy requires the following:
• Passwords shall have a minimum 8 character length
• Passwords shall have complexity enabled
• No password reuse for 5 years

1. The offering provides user access management, authentication functions, and password or log-in customization functions for its customers to access their own instances of Organization's cloud services
2. Functions/features can include the ability to use customer SSO, VPN, password log-in, credential verification, etc.
1. The offering validates that each of its production instances can only be accessed via a unique ID and login.
2. The offering shall not allow identifier re-use. Each user shall have a unique log-in, and it cannot be re-used, even for retired IDs.

1. Obtain Access Management process and password management policy
2. Applications shall be configured such that:
• User accounts are disabled after they have not been used for a period of two months, or after a predefined number of failed login attempts
• Locked user accounts are automatically removed six months after being locked (i.e. they stay locked for 6 months)

1. Documented procedure for facilitating inactivity monitoring of active sessions shall exist
2. Inactivity monitoring tools shall be configured as per the requirements defined in the documented organizational policy and procedure.
3. Sessions with cloud customers (i.e. customer chats, customer help channels, customer access, etc.) are secured by session management ensuring that sessions are expired if inactive for a longer duration and that sessions are secured over encrypted connections.
4. Sessions can include instances where customers have accessed an application with no activity, with a mechanism of auto-logout enabled.

1. Process shall exist for authentication method to include


allocation/revocation/replacement of possession factor (such as password, security
token, OTP, certificates, passphrase).
2. Unique user IDs shall be used to enable users to be linked to and held responsible
for their actions.
3. Log-on information shall be validated only on completion of all input data. If an
error condition arises, the system shall not indicate which part of the data is correct
or incorrect.
4. Identity of users shall be verified by authorized personnel before provisioning and
modifying their authentication credentials. This shall be done initially when providing
access, or during troubleshooting of a user's access.
5. Access to generic/faceless accounts shall always be monitored, and provisioning
access to them shall not be allowed until approval and identity of user is confirmed.
1. Each offering shall limit the number of concurrent login sessions to information
systems, and once a session is terminated, the inactive user's interface is no longer
displayed. Once the session is terminated, users shall re-log in to access the
information system.

1. Obtain Access Management process and verify the session timeout details.
2. Each offering shall set a time limit after which inactive sessions will
automatically terminate. Once the session is terminated, users shall re-log in to
access the information system.
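The two session controls above (a per-user limit on concurrent logins, and automatic termination of idle sessions so the user must log in again) as an added Python example; this is illustration code, not part of the CCF, and the limit of 3 sessions and the 900-second idle timeout are assumed values.

```python
"""In-memory session table enforcing a concurrent-session limit and an idle
timeout (added example; limits are assumptions, the text fixes no numbers)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CONCURRENT_SESSIONS = 3   # assumed per-user limit
IDLE_TIMEOUT_SECONDS = 900    # assumed inactivity limit (15 minutes)


@dataclass
class Session:
    user_id: str
    last_activity: float                       # seconds, e.g. from time.time()
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionManager:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, now: float) -> Optional[str]:
        """Start a session, or return None when the user is at the concurrent limit.
        Idle sessions are expired first so a stale login never blocks a fresh one."""
        self.expire_idle(now)
        if len(self.sessions_for(user_id)) >= MAX_CONCURRENT_SESSIONS:
            return None
        session = Session(user_id=user_id, last_activity=now)
        self._sessions[session.token] = session
        return session.token

    def touch(self, token: str, now: float) -> bool:
        """Validate the session presented with a request. An unknown token, or one
        idle for the timeout, is rejected and removed: the user must log in again."""
        session = self._sessions.get(token)
        if session is None:
            return False
        if now - session.last_activity >= IDLE_TIMEOUT_SECONDS:
            self.logout(token)
            return False
        session.last_activity = now
        return True

    def logout(self, token: str) -> None:
        """Terminate a session; nothing bound to this token is served afterwards."""
        self._sessions.pop(token, None)

    def expire_idle(self, now: float) -> int:
        """Background sweep for idle sessions; returns how many were terminated."""
        stale = [t for t, s in self._sessions.items()
                 if now - s.last_activity >= IDLE_TIMEOUT_SECONDS]
        for token in stale:
            self.logout(token)
        return len(stale)

    def sessions_for(self, user_id: str) -> List[Session]:
        return [s for s in self._sessions.values() if s.user_id == user_id]


if __name__ == "__main__":
    # Constructed walk-through: three logins succeed, a fourth is refused, and a
    # session left idle for the timeout is rejected on its next request.
    mgr = SessionManager()
    tokens = [mgr.login("alice", float(i)) for i in range(3)]
    print(mgr.login("alice", 3.0))            # None: at the concurrent limit
    print(mgr.touch(tokens[0], 100.0))        # True: still active
    print(mgr.touch(tokens[1], 901.0))        # False: idle for 900 s, terminated
```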

1. For systems leveraged by the U.S. Federal Government, offerings shall present a
login screen that displays the following language:
• users are accessing a U.S. Government information system
• system usage may be monitored, recorded, and subject to audit
• unauthorized use of the system is prohibited and subject to criminal and civil
penalties
• use of the system indicates consent to monitoring and recording

1. Obtain user access management process for managing privileged access to trusted
data environments in accordance with organization policies and verify the following:
• Creation and allocation of privileged user accounts/ IDs on the information systems
is controlled through a formal authorization process.
• Privilege access to trusted data environments are enabled through an authorized
session manager
• Privileged access rights are allocated to users on a time bound need-to-use basis
and on an event-by event basis in line with the access control policy, i.e. based on
the minimum requirement for their functional roles and shall be revoked post that
defined time period;
• All session user activities are recorded and tunnelling to untrusted data
environments is restricted
• As applicable, terminate inactive sessions after a set amount of time, or when the
user terminates the session.
• Expiry of privileged access rights is defined;

1. Obtain and validate list of applicable/in-scope information technology products
2. Obtain and validate the FIPS 201 Approved Products List (also available on
idmanagement.gov)
3. Validate if all in-scope IT products employed are FIPS 201-approved products with
Personal Identity Verification (PIV) capability implemented to ensure physical access
controls are in place.
4. Document and maintain this validation as audit evidence
1. Review the password policy at organization.
2. Organization shall ensure that supplier-supplied default passwords are changed
prior to device installation on the organization network or immediately after software
or operating system installation.
3. Each offering shall validate that all default accounts in the production instances are
changed prior to use.
4. If possible, access to all applications and devices shall at the minimum follow
Corporate AD and log in procedures (VPN).

1. Obtain minimum baseline security standard policy or procedural document
covering considerations for collaborative computing devices. Collaborative computing
devices include, for example, networked white boards, cameras, and microphones.
2. Identify list of collaborative computing devices that are in-scope
3. For such computing devices, validate if they are configured to reflect baseline
security standard/considerations, like - remote activation restriction, explicit
indication when such devices or related components are in use. Explicit indication of
use includes, for example, signals to users when collaborative computing devices are
activated.

1. Obtain sample logs to review user specific activities.
2. Validate if in-scope applications are configured to log all successful and failed login
attempts.
3. Validate if in-scope applications are configured to notify users of security
obligations (such as acceptable use) immediately upon gaining access. A banner shall
be displayed that shows the security obligations.
4. Validate and confirm that no user has modify access to the repository where all the
successful and failed login logs are stored
5. Validate if organization VPN logs all successful and failed attempts of access.
6. Once login is successful to any application, validate users are notified of their
security obligations.

1. Digital signatures shall include timestamps and use standard encryption programs.
They shall be validated to confirm authenticity as well.
2. Time stamps will be applied to information that is likely to be used as electronic
evidence in the future.
3. The pertinent data for the subsequent verification of the date will be treated with
the same security as the information dated for the purposes of availability, integrity
and confidentiality.
4. Time stamps will be regularly renewed until the protected information is no longer
required by the administrative process it supports.
1. Obtain log management procedure
2. Ensure the following activities for cardholder data environments are logged:
• individual user access to cardholder data
• administrative actions
• access to logging servers
• failed logins
• modifications to authentication mechanisms and user privileges
• initialization, stopping, or pausing of the audit logs
• creation and deletion of system-level objects
• security events
3. Ensure logs of all critical system components and system components that store,
process, transmit, or could impact the security of cardholder data (CHD) and/or
sensitive authentication data (SAD) are maintained
4. Ensure logs of all servers and system components that perform security functions
(e.g., firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS),
authentication servers, ecommerce redirection servers, etc.) are maintained

1. Ensure secure methods and algorithms such as hashing functions are used for
saving, displaying, and processing passwords
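An added Python illustration, not CCF code, serving this hashing requirement together with the earlier password policy (8-character minimum, complexity, no reuse for 5 years) and the log-on rule that an error must not reveal which part of the credentials was wrong. It uses salted PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the "three of four character classes" complexity rule are assumptions.

```python
"""Password policy, hashed storage and non-revealing log-on (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 8               # "minimum 8 character length"
REUSE_WINDOW_DAYS = 5 * 365  # "no password reuse for 5 years"
PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows
GENERIC_FAILURE = "Authentication failed"


def meets_policy(pw: str) -> bool:
    """Length rule plus an assumed complexity rule: three of four character classes."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the (salt, digest) pair is ever stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_on_day: int   # day number the password was set; drives the reuse window


class UserStore:
    def __init__(self) -> None:
        self.current: Dict[str, Credential] = {}
        self.history: Dict[str, List[Credential]] = {}
        # Decoy credential: unknown user names cost the same as known ones, so
        # response time does not reveal which part of the log-on was wrong.
        salt, digest = hash_password(secrets.token_hex(16))
        self._decoy = Credential(salt, digest, 0)

    def set_password(self, user: str, pw: str, day: int) -> str:
        if not meets_policy(pw):
            return "rejected: policy"
        # Reuse check: compare against every password set within the window,
        # re-hashing the candidate with each old salt (plaintext is never kept).
        for old in self.history.get(user, []):
            if day - old.set_on_day < REUSE_WINDOW_DAYS:
                _, digest = hash_password(pw, old.salt)
                if hmac.compare_digest(digest, old.digest):
                    return "rejected: reuse"
        salt, digest = hash_password(pw)
        cred = Credential(salt, digest, day)
        self.current[user] = cred
        self.history.setdefault(user, []).append(cred)
        return "ok"

    def authenticate(self, user: str, pw: str) -> Tuple[bool, str]:
        """Both inputs are processed before any answer is given, and the message
        is identical whether the user is unknown, the password is wrong, or both."""
        cred = self.current.get(user, self._decoy)
        _, digest = hash_password(pw, cred.salt)
        ok = hmac.compare_digest(digest, cred.digest) and user in self.current
        return (True, "") if ok else (False, GENERIC_FAILURE)


if __name__ == "__main__":
    store = UserStore()
    print(store.set_password("alice", "short1A!", day=0))    # ok
    print(store.set_password("alice", "short1A!", day=20))   # rejected: reuse
    print(store.authenticate("alice", "short1A!"))           # (True, '')
    print(store.authenticate("nobody", "short1A!"))          # (False, 'Authentication failed')
```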

1. Policies are maintained that govern access control to information, applications, and
production environments.
2. Such policies shall be reviewed annually and documented.

1. A user access management process for managing contingent workers access shall
be completed and reviewed annually (this can be a corporate policy/standard).
2. Upon contract expiration or contingent worker termination, AD access, Directory,
and Badge access shall be suspended immediately within 2 business days.
3. After 16 days, AD access, Directory, and Badge access shall be terminated
completely (i.e. record removed).
4. During the 16 days, access for contingent workers can be extended by 30 days, or
the life of a new contract, that is approved by management.
5. If workers have access to sensitive tools and applications that have their own log-
in credentials (i.e. outside of VPN & organization Active Directory), the offering is
responsible for ensuring contingent worker access to all tools where direct access is
permitted is terminated timely upon contract end date or termination.
1. Review the corporate user access management process
2. As per the user access management process, create a ticket or a formal
documentation chain/thread capturing when the user access was finalized to be
terminated (Term date), who triggered this task, identify systems/tools that the user
had access to, confirmation from each application owner stating when they
deactivated/removed access
3. If possible, attach screenshots from the systems/tools showing that the access was
removed within 2 business days from the date of termination
4. Validate that access to all applications and Active Directory is terminated within 2
business days of the Workday termination date.
5. If workers have access to sensitive tools and applications that have their own log-
in credentials (i.e. outside of VPN & organization Active Directory), the offering is
responsible for ensuring full time worker access to all tools where direct access is
permitted is terminated timely upon contract end date or termination.

1. Obtain HR exit policy/process around access termination and procedures around
collection of organization property (laptops, etc.)
2. Validate that a process exists to obtain the asset(s) when organization owned
asset(s) is/are not returned within 30 business days.
3. Maintain evidence when the request to return the asset was first requested to the
terminated personnel and following communication/notification that were made
4. Update IT asset inventory indicating returned assets along with return date
5. Validate that assets are returned within 30 days of the termination date in
Workday. This can be done via approved vendor shipping (FedEx, UPS, etc.), or
returned physically on site.

1. Obtain user access management process for managing privileged access
2. Verify if process includes requirements to revoke privileged access for employees
within 48 hours of termination
3. Once a user is marked as terminated in Workday, all privileged access related to
the user is removed within 48 hours either automatically or manually.

1. Once a user is marked as terminated in Workday, the relevant personnel, such as
the user's managers, are notified of the termination.
2. Notifications can include either a message, email, or alternative method of
communication.

1. Once a user is terminated in Workday, corresponding exit interviews are
conducted. HR, managers, legal, or any other relevant team shall be involved in the
exit interview process.
2. A record of the interview shall be retained via calendar invite, Workday tracking, or
alternative method of tracking.

1. When an employee transfers teams in Workday, each employee's corresponding
access shall be reviewed and adjusted as necessary.
2. The employee's previous manager is responsible for ensuring all access is adjusted
accordingly.
3. As part of the review process, a ticket or alternative documentation method shall
be retained demonstrating a review of the employee's access, and the changes of
access that occurred.
1. Identify the scope for continuous monitoring of Organization's network, which may
include but is not limited to: network and infrastructure devices, systems, applications,
services/products etc.
2. Verify if intrusion detection system (IDS) and prevention system (IPS) are
implemented on Organization's Corporate network from the Network Diagram to
detect any potential security breaches on its network.
3. Validate if adequate staffing of personnel is in place responsible for continuous
monitoring (real-time) of IDS and IPS and for responding to various information
security incidents, events and breaches.
4. Verify if internal and external communication strategies and Service Level
Agreements (SLAs) are in place to ensure early detection of incidents that will allow
timely response and recovery from incidents, events and breaches.

1. Cloud offerings' hardening shall be managed, reviewed, and updated periodically,
including whenever the offering is enhanced or changed, and upon discovery of new
threats.
2. Integrity check shall be configured in virtual machine at startup, restart, shutdown
and abort transitional states.
3. Resolution steps shall be taken in case of potential discrepancies during integrity
verification and check
4. The integrity check shall be done at start-up. If the image is not restarted,
shutdown or aborted then no additional integrity checks need to be performed. An
integrity check shall only be performed should any of those events occur.

1. Network architecture (HLD / LLD) is defined and documented by the offering.
2. If virtual machines are used, the networks used to migrate or create virtual
machines are segregated from other networks.
3. Networks used for the administrative management of the infrastructure and for
the operation of management consoles are logically or physically separated from the
cloud customer's network and protected from unauthorized access by multi-factor
authentication.

1. Validate if virtual machines or containers are provided to customers to use.
2. If virtual machines are provided for customer use, virtual machine integrity checks
shall be performed to ensure customers can restrict the selection of images of virtual
machines or containers according to their specifications
3. The offering informs customers about changes made to previous virtual machine or
container versions.
4. Hardening standards are documented and compliance checks are performed to
validate each customer's virtual machine/container is hardened accordingly.
5. Images shall be hardened according to generally accepted industry standards.

1. Ensure system components that store cardholder data, including payment card
collection devices are stored in an internal network zone
2. Ensure internal network zone is segregated from the DMZ and other untrusted
networks
3. Obtain the list of personnel that need to be granted access to internal network
zone
4. Ensure access is strictly limited to only these authorized personnel
1. NTP configuration shall be configured at the hosts/Golden Image to synchronize
information system time clocks based on International Atomic Time or UTC.
2. For NIST, FedRAMP, and NIST 800-171, considerations around using NIST time
servers shall be considered and evaluated.

1. Ensure access to modify time data/time-synchronization settings is restricted to
only personnel with a business need to access time data
2. Ensure any changes to time settings on critical systems are logged, monitored,
and reviewed

1. Organization's Policies and Standards shall exist and the requirements shall be
defined for managing network traffic to and from untrusted networks.
2. Network traffic logs (Security Group report) shall be reviewed.
3. Security group report, Firewall perimeter policy, Data Center Egress Policy and
Internet and Packet Filtering guide shall be reviewed.

1. Policy document/procedure shall exist in order to govern Firewall configuration
management
2. Regular review shall be conducted of the Firewall configuration (at least annually),
records of review meetings shall be maintained and configuration shall be updated as
and when required based on different threats and vulnerabilities.
1. Physical/Hardware firewall systems shall consist of 2 or more pieces of equipment
made by different manufacturers, and follow a waterfall model layout.
2. Redundant firewall systems shall be installed as well.

1. Configure firewalls and utilize a DMZ to limit inbound and outbound traffic to only
system components that provide authorized publicly accessible services, protocols,
and ports

1. Ensure dynamic packet filtering firewall is enabled

1. Identify authorized parties
2. Ensure private IP addresses and routing information is not disclosed to
unauthorized parties

For systems/solutions hosted on AWS :

1. Design the system VPC with subnetworks to segment the network into smaller
parts isolated in accordance with functionality
2. At minimum configure public and private subnets to isolate resources that shall not
be publicly accessible from those that shall
3. To further segment the network, create subnets that contain system resources that
perform similar functions such as a specific subnet for databases, web servers etc.
4. Assign public IP only to resources that require direct access from the public
internet
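An added Python check for the four AWS subnet rules above, written for this page rather than taken from AWS or the CCF. It runs over a constructed, simplified VPC description (route tables and instances) instead of live describe-* output, and the set of roles allowed a public IP is an assumption.

```python
"""Offline audit of a VPC layout against the subnet design rules (added example)."""
from typing import Dict, List, Set

# Constructed sample VPC. A subnet counts as "public" when its route table sends
# the default route to an internet gateway (igw-...), the usual AWS definition.
SAMPLE_VPC = {
    "route_tables": {
        "rtb-public":  {"subnets": ["subnet-web"], "default_target": "igw-0"},
        "rtb-private": {"subnets": ["subnet-app", "subnet-db"], "default_target": "nat-0"},
    },
    "instances": [
        {"id": "i-web-1", "role": "web",      "subnet": "subnet-web", "public_ip": True},
        {"id": "i-app-1", "role": "app",      "subnet": "subnet-app", "public_ip": False},
        {"id": "i-db-1",  "role": "database", "subnet": "subnet-db",  "public_ip": False},
        # two deliberate violations, constructed for the demonstration:
        {"id": "i-db-2",  "role": "database", "subnet": "subnet-web", "public_ip": True},
        {"id": "i-app-2", "role": "app",      "subnet": "subnet-app", "public_ip": True},
    ],
}

# Rule 4: only these roles need direct access from the internet (assumed set).
INTERNET_FACING_ROLES = {"web", "bastion"}


def public_subnets(vpc: Dict) -> Set[str]:
    """Subnets whose default route goes to an internet gateway."""
    return {s for rt in vpc["route_tables"].values()
            if rt["default_target"].startswith("igw-") for s in rt["subnets"]}


def audit_vpc(vpc: Dict) -> List[str]:
    """Return one finding per violated rule; an empty list means the layout passes."""
    findings: List[str] = []
    public = public_subnets(vpc)
    all_subnets = {s for rt in vpc["route_tables"].values() for s in rt["subnets"]}

    # Rule 2: the VPC must have both public and private subnets.
    if not public or public == all_subnets:
        findings.append("VPC lacks separate public and private subnets")

    # Rules 1 and 3: resources are grouped by function, one function per subnet,
    # so a database never sits next to a web server.
    roles_in_subnet: Dict[str, Set[str]] = {}
    for inst in vpc["instances"]:
        roles_in_subnet.setdefault(inst["subnet"], set()).add(inst["role"])
    for subnet, roles in roles_in_subnet.items():
        if len(roles) > 1:
            findings.append(f"{subnet} mixes functions: {sorted(roles)}")

    for inst in vpc["instances"]:
        # Rule 4: a public IP only where direct internet access is required.
        if inst["public_ip"] and inst["role"] not in INTERNET_FACING_ROLES:
            findings.append(f"{inst['id']} ({inst['role']}) has a public IP")
        # Rule 2 applied per resource: non-internet-facing roles must not live
        # in a public subnet, whatever their IP addressing.
        if inst["subnet"] in public and inst["role"] not in INTERNET_FACING_ROLES:
            findings.append(f"{inst['id']} ({inst['role']}) is in public subnet {inst['subnet']}")
    return findings


if __name__ == "__main__":
    for finding in audit_vpc(SAMPLE_VPC):
        print("FINDING:", finding)
```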
1. Obtain network architecture diagrams for oversight on segregation of network
environment for each customer
2. Verify if customer environments are segregated physically and logically (as per
applicability) to ensure customers only have access to their own environments.
3. Verify if customer's environment access to internal environment is filtered at
network level components (Router, L3 Switches etc.) to prevent logical access.
Customers shall not be able to access other customer instances.

1. Obtain the relevant policy that enforces this requirement and ensure segregation
of production environment from non-production environments such as development
and test environments
2. Production environments and non-production environments are segregated.
Development and Test environments shall not share a same environment as
production.
3. All testing shall be performed in development and test environments, and only
pushed to production upon completion of testing and approval.

1. Obtain wireless access policy
2. Access to network services shall be limited to specific wireless access points only
provisioned to authenticated users and services.
3. Only approved wireless encryption protocols are in use for wireless connections.
Consideration shall be taken for voice over internet protocol (VoIP) to validate it is
encrypted if applicable.
4. Organization's network shall be protected to prevent inappropriate access to the
network and internal sites
5. Access to modify the network services and access points is limited to a select
group of organization users, and strictly managed.

1. Obtain mobile and portable device management policy
2. All mobile devices that access data from Organization's internal resources are
encrypted and monitored. Devices that are not adequately encrypted cannot access
Organization's internal resources.

1. Obtain mobile and portable device management policy
2. Each mobile device shall have a mobile device management solution installed to
monitor and manage the device.
3. Verify portable and mobile device permissions are managed, and security/admin
features for each mobile device are controlled. Baseline security features on each
mobile device shall not be modifiable by regular users, and shall be managed
centrally.
4. Should baseline security features be modified or changed such that they no longer
meet Organization's standards, access to Organization's internal resources shall be
removed/inaccessible.
5. Access to the mobile device management solution shall be restricted and limited.

1. All mobile devices are equipped with violation detectors that notify relevant parties
of any tampering that has occurred to the devices.
2. Any identified tampering is followed up until resolution, and an impact assessment
shall be performed.
1. Ensure only one primary function per server is implemented within the production
environment
2. Ensure the information system maintains a separate execution domain for each
executing process

1. Obtain relevant wireless access policy
2. Ensure access to network services via wireless access points is restricted and only
provisioned to authenticated users and services
3. Perform access point mapping exercise annually to identify and remove
unauthorized wireless access points

1. Obtain threat management process
2. Each offering's technology shall include an anti-DDoS solution along with endpoint
security and intrusion detection and prevention systems (IDS and IPS) to protect
against denial of service attacks
3. Each offering's solution shall include spam protection mechanisms and manage
information system access entry and exit points as well
4. Access to the solution shall be strictly limited, and managed.
5. Any incidents shall be reported, documented, and tracked to completion.
Corresponding parties of management and customers shall be notified of any
successful DDOS attacks as well.

1. Obtain list of all sub systems or verify asset inventory to include sub systems that
can publish information
2. Each sub system shall be adequately protected from threats such as unauthorized
read and alteration, alternative routing, "cross site scripting" attacks, URL and
customer information manipulation, code injection, and user impersonation.
3. Each offering and central organization site shall have mechanisms to protect from
DNS spoofing, impersonation, and central secure organization offerings and pages
shall be secure from risks listed above.
4. Access to such systems shall be strictly monitored and limited.

1. Privacy policy and procedure documents shall be present and implemented in
order to ensure that personal identifiable information is processed for a specified,
explicit and legitimate purpose.
2. Processing is done only in a manner that is compatible with the specified purpose
apart from specific exceptions corresponding to national security, public health,
defense, scientific/historic/statistical research purposes dependent on applicable
privacy regulation(s).

1. Privacy policy and procedure documents shall be present and implemented in
order to ensure that there is a lawful basis for processing personal identifiable
information as per the specified, explicit and legitimate purpose.
2. Processing as per the specified purpose will only be lawful in case the criteria for
lawful basis applies subject to the applicable privacy regulation(s).
1. Privacy policy and procedure documents shall be present and implemented in
order to ensure that when consent is a lawful basis for processing personal
identifiable information as per the specified, explicit and legitimate purpose,
appropriate controls are implemented around consent management to demonstrate,
renew and withdraw consent.
2. For consent to be a lawful basis of processing personal data, it shall be freely given,
informed, an unambiguous indication of wishes, withdrawable and explicit/implicit
dependent on the applicable privacy regulation(s).
1. Privacy policy and procedure documents shall be present and implemented in
order to ensure that where a type of processing will result in high privacy risks then
prior to processing, assessment of impact of the processing operations on protection
of personal data shall be determined.
2. Guidance on high risks pertaining to protection of personal data and performance
of privacy impact assessment is dependent on the applicable privacy regulation(s).
3. Performance of privacy assessments shall be in conjunction with the organization
privacy office. Contact the organization privacy office to understand the requirements
for coordinating the privacy assessment activities and providing required
documentation and evidence
4. It is the responsibility of the offering to support assessment activities and evidence
gathering for applications that fall under their scope. Additionally, implementation of
the procedures, architectures, technologies, and strategies that are necessary to
meet the requirements of the corporate privacy policy are the responsibility of the
offering.
5. Ensure that the PII Privacy Assessment process is implemented for all existing and
new applications in-scope
6. Obtain the results of recent privacy impact assessment conducted by the
Organization's team for application and ensure gaps were closed as per timelines
7. Ensure PII privacy assessment is conducted whenever new PII, new processing of
PII or changes to existing processing of PII is planned

1. Each offering shall define any PII processors it uses, and customers (controllers) of
PII
2. Obtain the written contract/data processing agreement in place with any PII
processors or controllers identified.
3. Verify agreements are in place with processors and controllers that address:
• Controls for notice regarding the processing of their PII or changes to the
processing of their PII (including changes in sub-processors, if any)
• Controls to modify or withdraw their consent (if consent is the lawful basis for
processing the PII)
• Controls for objection of the processing of their PII
• Controls for restriction of the processing of their PII
• Controls to access, correct and/or erase their PII
• Controls to retrieve in a secure manner any PII or user-generated content they have
provided the offering in human and machine-readable formats
• Controls to provide in a secure manner a copy of the PII that is processed
• Controls to handle and respond to legitimate requests from PII principals

4. Agreements with controllers can be included in the Customer Terms of Service or
MSA's. Any additional agreements with controllers shall be documented and retained.
Any individual agreements with controllers shall at the minimum address the items
above.

1. Each offering shall evaluate the legal regulations, and agreements they have with
customers in regards to processing PII.
2. Each offering shall go through internal audits to demonstrate their commitment
toward processing PII.
3. Each offering shall have a method of publishing their adherence to obligations
around processing of PII. This can be done via securely providing SOC reports,
specialized certification reports/certificates, customer notifications, etc.
4. Such methods shall be available upon request.
1. Obtain the Privacy Data Sheet/Record of Processing activities, Data Inventories and
Data Processing Agreements/Binding Corporate Rules, all PII related documents the
offering shall adhere to.
2. Evaluate the Privacy Data Sheet/Record of Processing activities, Data Inventories
and Data Processing Agreements/Binding Corporate Rules/PII documents for the
following:
• Applicable Data Subject Rights
• Cross Border Data Transfer
• Technical and Organization Security Measures
• Legal grounds of processing
• Appropriate Level of Security across Processors/Joint Controller
• Divisions/Third Parties processing PII/SPI

3. Repercussions of non-compliance to such privacy requirements, are articulated
and widely known to the relevant stakeholders within the organization
4. Timely review of the Privacy Data Sheet/Record of Processing activities, Data
Inventories and Data Processing Agreements/Binding Corporate Rules, and check
document control.

1. Obtain the privacy notice and check for the below requirements:
• Information about PII/SPI data from Data Subjects and processing operations.
• Legal grounds of handling and processing PII
• Technical & Security measures provided to collected PII/SPI data.
• Third Party/Processor the PII/SPI data can be shared with.
• Rights of Data Subjects.
• Cross-Border transfer of collected PII/SPI data.
• Explicit consent procedure for SPI data collection.
• Details of Privacy Grievance Office or Data Protection Officer.

2. A document detailing all the above items shall be maintained, and reviewed at
least annually.
3. This document shall be readily available to customers to demonstrate legal
regulations and other considerations have been taken when processing customer PII.

1. Ensure legal standards of the geographical location with respect to privacy and
protection of personally identifiable information are identified and documented
2. Ensure appropriate standards such as encryption, isolated customer environments,
retention period of customer data, etc. are defined to protect PII
3. Ensure PII is protected as per the documented requirements
1. Each offering shall have guidelines/procedures with third party suppliers where PII
has been shared with regarding:
• modification of PII
• Withdrawal or objections around shared PII

2. Each third party supplier shall adhere to these procedures, and when requested,
make the corresponding changes to PII. For example, should a customer request all PII
to be deleted and removed, third parties involved in the processing of PII shall adhere
to this request as well.
3. Each third party supplier shall not modify any customer PII without the consent of
the customer or offering.

1. Ensure there is a documented formalized process that the personal information
collected is used
• in conformity with the purposes identified in the privacy notice
• in agreement with the consent received from the individual
• in compliance with applicable laws and regulations
2. PII shall only be collected and retained at a minimum. Amount of PII needed shall
be limited to that needed for the service to operate. Additional PII shall not be
collected.

1. Each offering defines and documents the data minimization objectives and
techniques it uses to manage customer PII.
2. Each offering shall use industry best practices to define data minimization
objectives, and identify industry best practices to meet these objectives such as (de-
identification).
3. The Data minimization objectives and mechanisms are reviewed at least annually.

1. Obtain the documented procedure in place for deletion of PII
2. Verify that the mechanisms to delete PII are implemented in the offering. Each
offering shall only obtain and retain PII needed for the use of the service.
3. Evaluate whether the offering either deletes PII or renders it in a form which
prohibits identification or re-identification of PII principals, as soon as the original PII
is no longer necessary for the identified purpose(s). For example, when a customer
requests deletion, the PII shall be adequately removed or de-identified.
4. Check if temporary files created as a result of processing PII are also deleted when
original PII is no longer required

1. Each offering shall identify the use of PII and ensure that PII is not retained longer
than necessary for the purposes for which PII is processed.
1. Each offering shall have a document addressing methods for access, correction, and
disposal of PII, and shall have effectively put in place controls to ensure
appropriate mechanisms are implemented within the offering
2. Evaluate the documentation around following Data Subject Rights:
• Access to the PII
• Correction of the PII
• Disposal of the PII

3. PII shall never be accessed or corrected without the customer's knowledge.
Furthermore PII shall only be deleted upon the customer request.
4. Validate these policies and procedures are reviewed annually.

1. Each offering shall evaluate the relevant basis and legal basis for transfers of PII
between jurisdictions, external entities, and internal entities. Each offering shall
adhere to local laws and international laws.

2. Evaluate the Data Processing agreements/Binding Corporate Rules for cross-border
data transfer.

3. Each offering shall adhere to the document, and be able to demonstrate
adherence to the document. For example, each offering shall follow and demonstrate
compliance to local transfer laws of GDPR.

4. This document shall be reviewed at least annually and updated accordingly.

1. Each offering shall retain documentation of all requests, transfers, and disclosures
of PII to and from third parties
2. The documentation shall include the following:
• what PII has been disclosed
• to whom the PII is disclosed
• at what time the PII is disclosed
• purpose of PII disclosure
• contractual obligations of third-parties to support future requests related to
obligations to the PII principals

3. Each offering is responsible for validating all requests, all transfers, and all
disclosures of PII to third parties are appropriate, and any inappropriate requests are
denied.
4. All requests shall be kept and retained in a central repository.
5. If necessary or contractually obligated, corresponding customers and parties may
be notified of the request, transfers, and disclosures.

1. Each offering only obtains and processes PII in a method agreed upon with the
customer via individual contract, MSA, or Terms of Service.
2. Offerings shall not collect or handle PII outside of the agreement, or obtain
extraneous PII that is not needed for the use of the service.
1. Perform a review of the regulatory compliance process to assess whether at least the
following processes have been designed:
• A process is established to track and manage all applicable privacy legal and
regulatory requirements
• The process involves reviewing on a periodic basis and/or whenever there are changes
in the privacy landscape
• Repercussions of non-compliance with such privacy requirements are articulated and
widely known to the relevant stakeholders within the organization
• Instruments are in place that enforce and invoke the liability

2. Verify internal or external audit testing results to ensure compliance with the terms
of service and any other agreements (such as privacy agreements) with customers

3. Verify records supporting the offering's ability to demonstrate compliance with
obligations are available for customers. This can be via the organization Trust Portal
and/or providing SOC reports, ISO certifications, or other accreditations.

1. Each offering shall identify and document instances where automatic processing of
PII may occur.
2. Once identified, validate whether any of that automatic processing of PII can have a
legal or similarly significant effect.
3. Validate that decisions which can be taken based on automatic processing of PII, and
which can have a legal or similarly significant effect, do not occur without human
review or approval by the Customer/Controller, in order to protect vulnerable data
subjects.
4. Should customers have specific requests/agreements regarding the automatic
processing of PII, these requests/agreements shall be adhered to.

1. Ensure that there is a documented procedure for PII accuracy which addresses the
following:
• PII is accurate;
• PII is complete;
• PII is up-to-date as is necessary for the purpose for which it is processed,
throughout the lifecycle of PII

2. The offering shall have no users with the ability to modify Customer PII. If needed,
the offering can also ask the customer to revalidate the PII details at a scheduled
cadence.

1. Each offering identifies instances where PII is transmitted over a data-transmission
network.
2. Each offering validates that, for each instance where PII is transmitted over a data-
transmission network, there is a method in place to validate that data reaches its
intended destination.
3. Validate that PII/SPI is protected in transit by deploying encryption protocols such as
SSL/TLS.
4. Validate that, where PII/SPI is sent over any electronic transmission such as email,
end-to-end email encryption is in place.
1. Each offering reviews all requests for disclosure of customer data or PII. Each
offering shall determine whether the request is legally binding at all.
2. Each request shall be documented and kept in a central repository. The
documentation shall include an assessment of the request and its result.
3. Should a request be legally binding, the offering notifies the customer via a secure
channel of the request and disclosure of customer data or PII, and includes the
corresponding party it is being sent to.

1. Maintain the documented legally binding requests for disclosure of customer PII
2. Ensure PII disclosures other than the ones identified as legally binding with
customers are rejected and maintain records of the same.
3. Ensure that customers are consulted before making any PII disclosures and
accepting any contractually agreed requests for PII disclosures. All PII disclosures
between organization and the customer are reviewed with the customer prior to
releasing any PII.
4. Validate PII disclosures made are legally binding requests or only post consultation
with customer, and maintain records of the same.

1. Ensure there is a documented, formalized process ensuring that the personal
information collected is used:
• in conformity with the purposes identified in the privacy notice
• in agreement with the consent received from the individual
• in compliance with applicable laws and regulations

2. Ensure that PII collected from other sources was obtained fairly and lawfully

3. Ensure customers are notified about PII collected from sources other than what the
user provided

1. Each offering shall identify their role and responsibility in processing PII. If third
party vendors/suppliers are involved in the processing of PII, each offering shall
identify each party's responsibility in processing PII as well.
2. Validate the roles and responsibilities are documented, and included in
agreements with any third party vendors/suppliers.
3. Each offering shall validate the third party vendor/supplier has sufficient controls
over the processing of PII, and validate the vendor/supplier effectively implements
the controls on an annual basis. Such validation can come from an external
supplier/vendor report, SOC report, attestation, etc.
4. Each offering shall define roles and responsibilities between them and
corresponding customers as well for the processing of PII.

1. Obtain the relevant organizational policy and/or legal documentation that addresses
cross-border data transfer requirements, and confirm that controls have been put in
place to ensure safe transfer of data as per the legal and regulatory requirements
2. Ensure the legal and regulatory requirements are identified and documented
3. Ensure relevant documentation on the countries and offerings to which PII
data can be transferred is maintained
4. Ensure relevant documentation is maintained on the transfer/storage of PII data
5. Ensure each offering follows the documented legal and regulatory requirements when
transferring PII. Such regulatory requirements can include GDPR requirements, and
more.
1. Ensure dedicated independent Data Protection Officer (DPO) is appointed
2. Maintain documented roles and responsibilities (R&R) of the designated DPO
3. Ensure that, as a part of R&R implementation:
• The DPO reports all issues related to PII to management, and records of the same are
maintained.
• The DPO is the point of contact and responsible for communications with supervisory
authorities, and records of the same are maintained.
• The DPO communicates to top-level management and employees of the organization
their obligations regarding processing PII, and records of the same are maintained.
• The DPO reviews and provides advice on privacy impact assessments conducted by the
organization, and records of the same are maintained.

1. The offering is responsible for reviewing/identifying any breaches of PII that may
occur.
2. If there is a breach, the offering shall maintain information on the latest PII breaches.
3. Ensure that the relevant parties to be notified of any PII breaches, of any PII
transfers between jurisdictions, or of any intended changes in this regard are
identified and documented.
4. Ensure that the means to notify those parties of any PII breaches, of any PII
transfers between jurisdictions, or of any intended changes in this regard are in
place, and maintain records of the same.
5. Ensure that the relevant parties are notified in a timely manner of any PII breaches,
of any PII transfers between jurisdictions, or of any intended changes in this regard,
and maintain records of the same.

1. PII processed by the offering shall not be used for marketing and advertising
purposes.
2. If PII is to be used for marketing and advertising purposes, consent shall be
obtained from the customer first.
3. Services cannot make the use of PII for marketing and advertising a condition of
using the service within their Terms and Conditions or contracts with customers.
4. Approval from customers for using PII for marketing and advertising purposes shall
be captured within a ticket, contract, and/or email before releasing PII.

1. Follow the corporate privacy policy, or ensure the offering's obligations regarding
processing of PII are documented and agreed with the customer. The agreement can
be implicit and/or included as part of the terms of service, or more.
2. The offering's role and obligations to customers in regard to handling customer PII
are defined as part of the documentation.
3. The offering shall define the type of PII and information it ingests and processes.
1. Maintain the documented roles and responsibilities for the processing of PII
2. Ensure and document the roles and responsibilities, including the following:
• PII protection and security requirements
• When the offering is acting on behalf of itself and does not require instruction from
the Customer/Controller
• When the offering is acting as a proxy for the Customer/Controller and does not
require additional permissions or instructions
• When the offering requires instruction and permissions from the customer
3. Ensure that the offering's resources are appropriately trained for the identified roles
and responsibilities, and that corresponding records are maintained.

1. Ensure PII is only processed based on the agreed upon terms of service and
contractual agreement
2. Any changes to the processing of customer PII shall have a prior customer
approval
3. Ensure PII processed under a contract is not used for marketing and advertising
purposes without prior consent from the customer. Additionally, the offering's teams
shall not make providing such consent a condition for receiving the service

1. Ensure there is a documented process in place for PII infringement which covers
the following:
• Notifying customer/controller if in any case a specific processing instruction given
by the customer infringes a legislation and/or legal regulation;
• Seeking additional legal counsel (if needed) in case any infringement occurs, prior
to fulfilling the customer's instructions/request

2. Each offering shall review all processing instructions for legislation and/or
regulation infringements. Legal shall be included in these reviews if needed.

1. If customer PII is processed by the offering and subcontractors are used for
processing of PII, ensure that:
2. The offering maintains a list of sub-contractors used for processing of PII.
3. Customers are notified or informed of the use of subcontractors.
4. The offering also validates the legal and contractual requirements prior to using
subcontractors to process PII. If the contract or applicable law does not permit the use
of subcontractors, this shall be adhered to. In addition, any further legal or contractual
procedures agreed with the customer shall be adhered to as well.

1. Ensure the obligations of the offering on behalf of the customer/controller are
documented and maintained.
2. Ensure the offering provides details and information regarding how it is
achieving its security obligations to customers. This can be done via a newsletter,
front-facing webpage, SOC report, etc.
3. The offering reviews and considers legal and contractual requirements to the
customer and provides documentation showing compliance with those legal and
contractual requirements.
4. Ensure information requests from the controller/customer about the offering's
obligations, in terms of design and operating effectiveness, are answered in a timely
manner after a review of the request's authenticity and applicability, and that
corresponding records are maintained.
1. If an offering has subcontractors who process customer PII, ensure there is
documented information in place that covers the following at a minimum in case of a
change in the subcontractor processing PII (addition or replacement of a subcontractor):

• Any change in the subcontractor (addition or replacement) who processes PII is
notified to the customer/controller
• The controller/customer has the right to object to any change in the subcontractor who
processes PII
• The customer/controller is notified of alternatives or of the possibility of service
discontinuity in case an objection is received

1. Ensure documentation of controls and mechanisms to provide customers access to
their own log records for the in-scope system components.
2. Ensure records of all requests received are maintained.
3. Ensure each request for log records is reviewed, and that its authenticity as well as
its applicability is confirmed.
4. Ensure the documented process is followed, and log records are provided to
customers in a secure manner.

1. Document and maintain the Privacy Information Security Management
System (PIMS) Risk Assessment Methodology and ensure it includes guidance on the
following aspects:
• Identification of potential threats related to the processing of PII
• Rating the significance of the risks associated with the identified threats
• Mitigation strategies for the identified risks
• Documentation and communication of the identified risks, as well as possible
vulnerabilities within the cloud service provider and their impacts
• Regular review and approval by upper management, or its designated
representative(s)

2. Ensure the PIMS Risk Assessment is conducted regularly (annually), or earlier in case
of any changes in the environment, to ensure effective management of privacy risks,
and that corresponding documentation is maintained.

3. Validate the Methodology is reviewed annually and updated if needed.


1. Document and maintain the Privacy Information Security Management System Risk
Assessment Methodology with the requirement to conduct a privacy risk assessment
on an annual basis including risk mitigation strategies and acceptable levels defined
based on organization risk criteria pertaining to risks associated with processing PII.
2. Ensure that the Privacy Risk assessments are performed on an annual basis taking
into consideration that threats and changes (environmental, regulatory and
technological) to service commitments are identified and the associated risks are
formally assessed and corresponding records are maintained.
3. Ensure review of the privacy risk assessments and corresponding records are
maintained.
4. Ensure the PIMS Risk Assessment is conducted regularly (annually), or earlier in case
of any changes in the environment, to ensure effective management of privacy risks,
and that corresponding documentation is maintained.

1. Ensure the results of the privacy risk assessments conducted annually are
communicated to management, and that corresponding records are maintained.
2. Ensure review meetings are conducted for finalization of controls to mitigate risks
identified during privacy risk assessments, and that corresponding records are
maintained.

1. Create a documented PII restoration procedure and a schedule for restoration of PII
2. Ensure PII restoration testing is performed at least annually
3. Review the PII restoration testing process and ensure that the details of the
restoration tests are logged, including the following:
• Who performed the restoration testing
• Description of the restored PII
• Integrity check performed on the restored PII
• Any failures are followed up and resolved as part of the restoration test

1. Security incident management policy and procedure shall be documented,
reviewed and updated based on learning(s).
2. Incident management policy and procedure provide information on the roles and
responsibilities of different individuals at the time of incident in order to provide an
effective response and minimize the impact of an incident.

1. Privacy incident management policy and procedure shall be documented, reviewed
and updated based on learning(s).
2. Incident management policy and procedure provide information on the roles and
responsibilities of different individuals at the time of incident in order to provide an
effective response and minimize the impact of an incident.
1. Ensure Security Incident Management policy and procedure are defined and
documented
2. Ensure policy covers requirements for handling and reporting security incidents for
all organization employees
3. Ensure a communication channel has been established and communicated to aid
employees by offering advice and assistance in handling security incidents. This
channel shall also serve as a means for organization employees to report security
incidents
4. In certain scenarios, organization employee details shall be kept anonymous and
protected, and legal shall be consulted depending on the severity of the security
incident
1. Security incident management policies and procedures shall be documented,
reviewed and updated based on learning(s).
2. Logging capability shall be enabled and logs shall be generated for different
devices in the environment. Generated logs shall be fed into a (Push/Pull) SIEM
solution or any other monitoring tool for review/analysis and tracking of logs. Review
of each event shall include an analysis of whether the event resulted in a failure of the
offering's security commitments and/or an incident.
3. Regular review and update of the use cases in the SIEM/Monitoring solution shall
be done in order to limit the false positive(s).
4. A Security Incident Management tracker shall be maintained with complete details
pertaining to the categorization, investigation and remediation/closure of the event(s)
classified as incident(s).
5. Events shall be created for all events relating to security, confidentiality and
availability
1. Privacy incident management policies and procedures shall be documented,
reviewed and updated based on learning(s).
2. Logging capability shall be enabled and logs shall be generated for different
devices in the environment. Generated logs shall be fed into a (Push/Pull) SIEM
solution or any other monitoring tool for review/ analysis and tracking of logs.
3. Regular review and update of the use cases pertaining to PII protection in the
SIEM/Monitoring solution shall be done in order to limit the false positive(s).
1. Document and maintain the requirements for event logging of cloud services as a
customer, in terms of the approved organization policy and procedure.
2. Organization services that are a cloud service customer (i.e. services that utilize
AWS, Azure, GCP, and/or other service providers) validate the provider's defined
requirements in terms of event logging, monitoring and alerting/communication, and
ensure corresponding action details are maintained in an audit trail. Each offering shall
ensure the cloud service provider meets the offering's and the Organization's minimum
event logging requirements.
3. If insufficient event logging standards are provided (such as length of logs, details
of logs, etc.), each offering shall work with the provider to see if the standards can be
met. If the standards cannot be met, the provider shall be further analyzed for
feasibility and use.

1. Each offering shall be able to provide an audit log or logging capabilities of each
customer instance if needed.
2. The offering documents and maintains the requirements and specifications of
event logging capabilities which can be provided to cloud service customers upon
request
3. Ensure requests from the cloud service customer related to logging capabilities are
validated and recorded / documented.
4. Ensure logging capabilities are provided to its cloud service customers as per the
request.
5. Ensure log data is provided to a customer securely, and that only the
corresponding customer can review the log data requested.
6. Offerings can provide customers an audit log of activity as part of their service.
Each customer shall be given the ability to view their own history/audit log
corresponding to their own account. Customers shall not be given access to other
customer account logs.
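
The scoping check that items 5 and 6 above (and the customer log-record access control earlier on this page) call for, as an added Python example rather than Cisco CCF code: the export function releases only records belonging to the account the requester is authenticated for, refuses anything else, and writes every request, fulfilled or denied, to a register that doubles as the record of requests received. Account ids, user names and the log records are constructed for the illustration.

```python
"""Tenant-scoped audit-log export with a request register.

Added example, not Cisco CCF code.  Account ids, user names and the log
records below are constructed; the principal_account value is meant to come
from the authenticated session, never from the request body.
"""
from dataclasses import dataclass, field

# Constructed audit log covering two customer accounts (no real data).
AUDIT_LOG = [
    {"ts": "2024-03-01T10:00:00Z", "account": "acct-100", "actor": "alice",
     "event": "login", "result": "success"},
    {"ts": "2024-03-01T10:05:00Z", "account": "acct-200", "actor": "bob",
     "event": "export_report", "result": "success"},
    {"ts": "2024-03-01T10:07:00Z", "account": "acct-100", "actor": "alice",
     "event": "change_password", "result": "failure"},
]


@dataclass(frozen=True)
class LogRequest:
    request_id: str
    principal: str          # authenticated customer user making the request
    principal_account: str  # account that user is authenticated for (from the session)
    target_account: str     # account whose log records are requested


class LogAccessDenied(Exception):
    """Raised when a request asks for another customer's records."""


@dataclass
class RequestRegister:
    """Central record of every log request and its outcome."""
    entries: list = field(default_factory=list)

    def record(self, req, outcome, record_count):
        self.entries.append({"request_id": req.request_id, "principal": req.principal,
                             "target_account": req.target_account,
                             "outcome": outcome, "records": record_count})


def export_customer_logs(req, register, log=AUDIT_LOG):
    """Return the target account's records, or deny and register a cross-tenant request."""
    if req.target_account != req.principal_account:
        register.record(req, "denied", 0)
        raise LogAccessDenied(
            f"{req.principal} ({req.principal_account}) requested logs of {req.target_account}")
    # Filter on the account field only; copies are returned so callers cannot mutate the log.
    rows = [dict(r) for r in log if r["account"] == req.target_account]
    register.record(req, "fulfilled", len(rows))
    return rows
```

The denial path is recorded before the exception is raised, so an attempted cross-account read appears in the register even though no records left the system; that register is what item 3 of the customer log-access narrative asks to retain.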

1. The cloud service provider shall establish a process for responding to intellectual
property rights complaints.
2. The process shall be reviewed annually, and updated accordingly.
1. Ensure at least the following audit trail entries are recorded in the audit logs for all
system components for each event occurring in the cardholder data environment:
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource
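
An added Python example, not Cisco CCF or PCI DSS code, that ties the audit-trail elements listed above to the SIEM review and tracker steps from the security incident management narrative earlier on this page: it checks each constructed log line for the six required elements, then runs one sample use case (a burst of failed authentications by one user) and emits tracker entries for what it finds. The key=value log format, the field names and the sample lines are assumptions chosen for the illustration.

```python
"""Audit-trail completeness check and a SIEM-style use case over sample log lines.

Added example, not Cisco CCF or PCI DSS code.  The key=value log format, the
field names and the sample lines are constructed; map them to your own schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One assumed key per audit-trail element the narrative lists.
REQUIRED_FIELDS = {
    "user": "user identification",
    "event": "type of event",
    "ts": "date and time",
    "result": "success or failure indication",
    "src": "origination of event",
    "resource": "identity or name of affected data, system component, or resource",
}

# Constructed sample log lines (not real events); the last one lacks 'resource'.
SAMPLE_LOGS = [
    "ts=2024-03-01T10:00:00Z user=alice event=auth result=failure src=10.0.0.5 resource=db-cde-01",
    "ts=2024-03-01T10:01:10Z user=alice event=auth result=failure src=10.0.0.5 resource=db-cde-01",
    "ts=2024-03-01T10:02:30Z user=alice event=auth result=failure src=10.0.0.5 resource=db-cde-01",
    "ts=2024-03-01T10:03:00Z user=alice event=auth result=success src=10.0.0.5 resource=db-cde-01",
    "ts=2024-03-01T10:04:00Z user=bob event=auth result=failure src=10.0.0.9 resource=db-cde-01",
    "ts=2024-03-01T10:06:00Z user=carol event=read result=success src=10.0.0.7",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value line into a dict."""
    return dict(KV.findall(line))


def audit_completeness(lines):
    """Return [(line, [missing element descriptions])] for lines lacking required elements."""
    gaps = []
    for line in lines:
        rec = parse_line(line)
        missing = [desc for key, desc in REQUIRED_FIELDS.items() if key not in rec]
        if missing:
            gaps.append((line, missing))
    return gaps


def detect_auth_failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Use case: at least `threshold` failed authentications by one user inside `window`."""
    failures = defaultdict(list)
    for rec in records:
        if rec.get("event") == "auth" and rec.get("result") == "failure" and "ts" in rec:
            stamp = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            failures[rec.get("user", "<unknown>")].append(stamp)
    incidents = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                incidents.append({"use_case": "auth_failure_burst", "user": user,
                                  "first": times[start].isoformat(),
                                  "count": end - start + 1,
                                  "severity": "high", "status": "open"})
                break                            # one tracker entry per user per run
    return incidents


def triage(lines):
    """Completeness gaps plus use-case hits, in the shape an incident tracker would ingest."""
    records = [parse_line(line) for line in lines]
    return {"incomplete": audit_completeness(lines),
            "incidents": detect_auth_failure_bursts(records)}
```

A line that fails the completeness check is itself a finding for the audit-trail control, separate from any use-case hit: an event without its originating source or affected resource cannot be investigated, so the gap should be tracked until the logging configuration is fixed.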

1. Policy and procedure document(s) corresponding to vendor risk management,
governing the different steps of the vendor lifecycle (onboarding, review and offboarding),
shall be documented and implemented for all vendor(s).
2. A list of all critical vendors (suppliers) shall be maintained as well as reviewed and
updated at a regular frequency.
3. Security compliance related requirements/clauses shall be addressed in the
contract(s) for all vendor(s).

1. Ensure documentation in terms of policy and/or procedure around vendor/
supplier management is in place in order to manage supplier/vendor risks.
2. Maintain a list of all high-dependency/critical suppliers. High-dependency/critical
suppliers can be identified as any supplier that affects the security, confidentiality,
and availability of the offering.
3. Ensure that for all suppliers in the above list, exit strategies and alternate supplier
relations are in place to ensure continuity of services.

1. The corporate team enforces a relevant policy to manage the information security
aspects of third parties related to the organization. It shall cover the security aspects
of the complete life-cycle of a third party, encompassing activities from selection of a
service provider to disengagement of the third party (or service provider).
2. Offerings need to ensure the defined process is followed and relevant
documentation is maintained.
3. Offerings need to ensure they obtain all relevant third-party supplier (vendor)
attestation/assurance reports for their respective in-scope vendors.
4. Evaluate third-party assurance reports and ensure controls within third-party
assurance reports are reviewed by management at least annually.
5. Evaluate identified control gaps in third-party assurance reports and ensure
significant changes and incidents are reviewed for impact and included in the risk
assessment, as and when required.
1. Ensure that the contracts and agreements are in place with third-party IT
outsourced suppliers
2. Additionally, ensure that it's clearly defined within the contracts/agreements that
the cybersecurity managed services centers for monitoring and operations shall be
completely present inside the Kingdom of Saudi Arabia

1. Obtain sample requests received from the National Cybersecurity Authority to remove
software or services provided by third-party providers
2. Evaluate the appropriateness of these requests
3. Ensure that the third-party software or service is removed only post successful
evaluation of the National Cybersecurity Authority request for removal

1. Security incident management policies and procedures shall be documented,
reviewed and updated based on learning(s).
2. Logging capability shall be enabled and logs shall be generated for different
devices in the environment. Generated logs shall be fed into a (Push/Pull) SIEM
solution or any other monitoring tool for review/analysis and tracking of logs.
3. Regular review and update of the use cases in the SIEM/Monitoring solution shall be
done in order to limit the false positive(s). Cases shall be reviewed to see if they have
affected an offering's ability to meet its security commitments to customers. If so,
the incident shall be marked, reviewed, remediated timely, and corresponding parties

1. Document and maintain the privacy incident management policy highlighting the
following aspects:
• Monitoring, logging and tracking privacy related incidents as well as maintaining
corresponding records
• Requirement to perform root cause analysis of incidents to identify if an incident
led to a loss or breach of personal information, evaluate and perform mitigation
steps as well as maintain corresponding records
• Internal and external communications to communicate with all affected parties and
maintaining corresponding records

2. Ensure an incident communication channel is in place for users to report privacy
related incidents as well as breaches, and corresponding records are maintained.
3. Review all incidents that may be reported internally and externally to validate if
there are any confirmed incidents affecting the Organization's commitments to privacy.
4. Maintain a privacy Incident Management tracker with all the details around privacy
incidents and breaches.
5. Review all incidents that may affect the Organization's commitments to privacy and
validate they are followed up upon and tracked to completion. If needed, legal
may be involved as well.
1. Obtain relevant policy that enforces the incident response plan/program
2. Contact the corporate Incident Response (IR) team to understand the requirements
that shall be met for incident response plan testing
3. Coordinate with corporate IR team to test the IR plan at least annually
4. Ensure the relevant test plan documentations and results are created and
maintained

1. Ensure system capacity monitoring is performed on a regular basis and a capacity
monitoring report is generated for applications
2. Ensure that, if there are any capacity-related findings, appropriate system changes
are implemented to ensure capacity can always meet the demand
3. If needed, ensure system capacity is increased to meet demand.

1. Finalize/scope the systems/tools that are critical to ensure that your main product/
platform's confidentiality, availability, and security are maintained as intended
2. Define availability metrics that are based on internal organization requirements
and the service commitments relating to availability made to your customers
3. Obtain approval for these metrics from the team leader or any other appropriate team
member
4. Configure your monitor to reflect the defined availability metrics
5. If the monitoring tool(s) allow, configure it to send alerts to authorized team
members from your team
6. Define thresholds for these alert configurations
7. Validate that critical systems/tools are being monitored and alerts are triggered as
predefined thresholds are met
8. Check for any issues; follow-up and resolution shall occur, as applicable
9. Ensure changes to predefined criteria and availability metrics are always approved
before being configured into the monitoring system
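
Steps 4 through 9 above, worked through as an added Python example (not Cisco CCF code): probe results are reduced to an availability fraction per system, compared with the threshold agreed for that system, and turned into alerts addressed to the authorized recipients; a system with no probe data at all is alerted on too, which is the check step 7 asks for; and a threshold can only be changed with a named approver, with the change logged. Threshold values, approver and recipient names, and the probe samples are assumptions constructed for the illustration.

```python
"""Availability metric evaluation with approved thresholds and alert routing.

Added example, not Cisco CCF code.  Threshold values, approver and recipient
names, and the probe samples are constructed for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AvailabilityMonitor:
    thresholds: dict           # system -> minimum availability fraction (assumed values)
    recipients: tuple          # authorized team members who receive alerts
    approvers: frozenset       # people allowed to approve threshold changes
    change_log: list = field(default_factory=list)

    def set_threshold(self, system, value, approved_by):
        """A threshold change takes effect only when an authorized approver signed off."""
        if approved_by not in self.approvers:
            raise PermissionError(f"{approved_by} may not approve availability thresholds")
        if not 0.0 <= value <= 1.0:
            raise ValueError("threshold must be a fraction between 0 and 1")
        self.change_log.append({"system": system, "old": self.thresholds.get(system),
                                "new": value, "approved_by": approved_by})
        self.thresholds[system] = value

    def evaluate(self, probes):
        """probes: system -> list of bools (True = probe succeeded).

        Returns one alert per monitored system that is below its threshold or
        has produced no probe data in the window.
        """
        alerts = []
        for system, threshold in self.thresholds.items():
            samples = probes.get(system, [])
            if not samples:
                alerts.append({"system": system, "availability": None,
                               "threshold": threshold, "reason": "no monitoring data",
                               "notify": self.recipients})
                continue
            avail = sum(1 for ok in samples if ok) / len(samples)
            if avail < threshold:
                alerts.append({"system": system, "availability": round(avail, 4),
                               "threshold": threshold, "reason": "below threshold",
                               "notify": self.recipients})
        return alerts


# Constructed probe results for one window: 1000 checks per system.
SAMPLE_PROBES = {
    "web-frontend": [True] * 997 + [False] * 3,   # 99.7 %, below a 99.9 % target
    "auth-api": [True] * 1000,                    # 100 %
}


def demo_monitor():
    """Monitor configured with assumed thresholds; 'billing-db' deliberately has no probes."""
    return AvailabilityMonitor(
        thresholds={"web-frontend": 0.999, "auth-api": 0.999, "billing-db": 0.999},
        recipients=("oncall@example.invalid",),
        approvers=frozenset({"team-lead"}),
    )
```

Keeping the approver check inside the monitor object, rather than in a separate ticketing step, means the change log is the evidence for step 9: every threshold in effect can be traced to who approved it and what it replaced.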
1. Documentation around capacity management shall be maintained highlighting as
well as implementing the following aspects:
• Budgets for infrastructure capacity are established based on analysis of historical
business activity and growth projections, and corresponding records are maintained.
• Purchases are made against the established budget, plans are updated at least
annually and corresponding records are maintained.

2. Each offering shall evaluate its infrastructure capacity needs on an annual basis
and obtain the budget and funding needed to expand the infrastructure capacity if
needed.
3. Once the budget and funding are obtained, the infrastructure capacity shall be
expanded to meet demand.

1. Evaluate the organization Master Services Agreements (MSAs) detailing the business
user commitments to their customers in terms of the product's service, how the
information is handled, and any legal documentation
2. Within the MSA, the focus will be on the service commitments that are made to
the customer of the product/platform, especially around security, availability,
confidentiality, and privacy (as applicable)
3. Check that the MSA is maintained, reviewed, and signed in case of any changes. The
MSA may be combined with the Terms of Service.

1. Ensure documentation in terms of policy and/or procedure around vendor/
supplier management is in place in order to manage supplier/vendor risks.
2. Maintain a list of all suppliers.
3. Ensure that, for all suppliers in the above list who will have access to confidential
information, information sharing agreements are signed with the organization and the
agreements include confidentiality commitments applicable to that entity (e.g. a
non-disclosure agreement). Agreements shall be agreed upon prior to using the supplier.
1. Verify whether consent is obtained for the Organization Terms of Service (ToS) prior to
collecting customer or personal information. Consent can be obtained inherently as
an option.
2. Record consent when the ToS is updated.
3. An agreement may be by signature, acknowledgement, use, or other method
(explicit or non-explicit).

1. All customer assets that reside in a cloud service provider's premise are
documented and updated accordingly.
2. Upon request or termination of the cloud service agreement, the customer assets
are promptly returned in a timely manner.
3. The return of assets is documented and information regarding the returned assets
is provided to the customer.
4. Details of the return are kept and maintained in a central repository.

1. Obtain the organization payment process documentation
2. Check the payment process and ensure that the organization does not store the
following information:
• full track credit card data;
• credit card authentication information;
• credit card verification code, or
• credit card personal identification number (PIN)

1. If an Organization's service manages, stores, or transmits cardholder data on behalf
of a customer, ensure a written acknowledgement is provided to customers that the
organization will be responsible for protecting cardholder data and the cardholder data
environment

1. Policy and procedure document(s) corresponding to malware protection shall be
documented and implemented.
2. All assets/devices in the production environment shall be synchronized with the
antimalware technology/solution as per the golden configuration, and as part of
synchronization an agent shall be installed on each and every device to regularly push
update(s).
3. The antimalware technology/solution shall be integrated with the SIEM solution in
order to ensure logs are being fed (Pull/Push) to the SIEM or any other monitoring
solution for log analysis, event management and incident management.
1. Ensure anti-malware technologies like antivirus software are in place for real-time
protection from malware on all in-scope workstations/devices and are capable of
detecting, removing, and protecting against all known types of malicious software
and malicious code.
2. Ensure the anti-virus programs are actively running and cannot be disabled or
altered by users.
3. Ensure antivirus definitions are updated on a regular basis or as per business
requirements.
4. Validate that any malware detected is logged and purged by the program.

1. Obtain the Organization's antivirus process documentation
2. Ensure that the antivirus deployment generates audit logs
3. Ensure that the audit logs generated by antivirus are retained for at least a year
4. Additionally, ensure older audit logs are immediately available for analysis

1. Ensure that the appropriate mechanisms are in place to restrict users from
disabling or altering antivirus mechanisms
2. Ensure access to disable or alter antivirus mechanisms is granted to users, post
approval from management

1. Ensure that the organization utilizes a sandboxing technique to detect or block
potentially malicious emails

1. Policy and procedure document(s) corresponding to vulnerability management shall
be documented and maintained.
2. Internal and external network vulnerability scanning shall be done at a regular
frequency in order to ensure closure of vulnerabilities identified in the past as well as
identification of new vulnerabilities in the environment.
3. A tracker of vulnerabilities identified in the internal as well as external scans, and the
corresponding classification, timelines (as per classification), plan and responsibility
for closure, shall be maintained.

1. Policy and procedure document(s) corresponding to vulnerability management shall
be documented and maintained.
2. Penetration testing and network scanning shall be done at a regular frequency in
order to ensure closure of vulnerabilities identified in the past as well as identification
of new vulnerabilities in the environment.
3. A tracker of vulnerabilities identified in the internal as well as external scans, and the
corresponding classification, timelines (as per classification), plan and responsibility
for closure, shall be maintained.

1. Each offering shall subscribe to special interest groups/bulletins/email alerts,
internal or external, in order to receive updates in terms of security bulletins and/or
email alerts from forums like CERT, ISACA etc. and maintain corresponding records.
2. Ensure controls or necessary solutions required to safeguard infrastructure are
deployed as per the latest updates and maintain corresponding records.
3. Ensure compliance against the controls to monitor the impact of emerging
technologies and security is monitored and recorded.
1. The offering maintains information about how technical vulnerabilities that can
impact customers are managed
2. Details regarding the management of these vulnerabilities, and how the offering
handles identified vulnerabilities, shall be provided to customers.

1. The offering performs full vulnerability scans on its application on a monthly basis.
2. Upon every code release, the offering shall perform a vulnerability scan on the
code. If a vulnerability is identified, the code is not released and is reverted for
changes and testing. Alternatively, if there is a solution to mitigate the
vulnerability, the code can still be deployed.
3. Any identified vulnerabilities are followed up upon, resolved, and tracked to
resolution on an on-going basis. Each vulnerability is assigned a risk rating, reviewed
and remediated. Each vulnerability shall have a corresponding ticket tracking the
progress of resolution.
4. Vulnerabilities are fixed according to organization policy: newly discovered software
vulnerabilities are fixed according to organization policy, and the reintroduction of
similar or previously resolved vulnerabilities is prevented.

* Note - If vulnerability scans cannot be completed as part of the change process (i.e.
before every code release), a daily vulnerability scan of the production environment
shall be performed.

1. Obtain Patch Management policy
2. Validate if there is a process to periodically identify and review vendor supplied
patches (AWS/Azure/etc.)
3. Validate if there is a process to identify patches provided by suppliers
4. Obtain audit log tracker for patches updated for each asset type e.g. servers, OS,
software/applications, routers, switches, firewalls etc.
5. Validate if patching is performed within the specified time frame as defined by the patch
management policy.
6. Verify if the last patching followed the formal change management process and if a rollback
strategy for patches was identified and documented

1. Policy and procedure document(s) around receiving, testing and implementation of
security related patches to organization software shall be documented and
implemented.
2. An implementation status tracker of the security related patches across the software
and devices in the environment shall be maintained in order to ensure devices are
protected from threats.
1. Verify if the offering maintains a description of the systems, environment and
boundaries of the product in scope
2. Evaluate if all necessary information is provided in the description (e.g. description
of services, tools used, boundaries of service, etc.)
3. Verify if the documented description includes versioning and maintains history of
changes that may arise due to critical changes to the systems, processes or
environment.
4. Verify if the documented description was communicated to authorized internal and
external users (channels may include external public facing webpages).
5. Verify the description of system/boundaries is accurate and up-to-date.

1. Document and maintain a communication policy that includes information for
notifying external parties of incidents, including the following aspects:
• information about external party dependencies/ affected external parties
• criteria for notification to external parties as required by [the organization] policy in
the event of a security breach
• contact information for authorities (e.g., law enforcement, regulatory bodies, etc.)
• provisions for updating and communicating external communication requirement
changes

2. Ensure notifications have been sent to external parties in case of any security
breach and maintain corresponding records.
3. Ensure that, if required, relevant authorities are contacted in case of any security
incident and maintain corresponding records.
4. Ensure review is conducted periodically and maintain corresponding records.
5. Ensure all incident communication is performed as per the defined communication
policy and maintain corresponding records.
6. Maintain a tracker of all incidents/ breaches and corresponding actions, including
external communication details.
1. If the offering is a cloud service customer, it shall validate all the locations/areas
from which the provider's services are provided. If there are multiple locations, the customer
shall identify in which areas its specific instances and services are provided.
2. Once identified, the customer shall identify relevant authorities and local
authorities governing the cloud service provider instance, and ensure they can be
reached in case of any incidents that may arise between the service provider and
customer.

1. Identify and document the inventory of software license contracts corresponding to
the different software.
2. Ensure that management approved procedures for license maintenance and usage
are in place and maintained
3. Ensure that monitoring is in place to check compliance with the
usage restrictions defined as part of software license maintenance as well as usage
contracts.
4. Ensure monitoring records of periodic reviews/audits are maintained to ensure
adherence to the requirements of the software license contracts and usage
restrictions.
5. Licenses and contracts are reviewed as needed, and an increased supply of licenses
and contracts is obtained if needed to meet use/demand.
1. Offerings shall never write into a customer's data except in legal or emergency
situations.
2. Should an offering read or write cloud customers' data, it shall verify that
communication strategies are in place to inform the cloud service customer within 72
hours whenever internal or external staff read or write cloud customers' data
during processing, storage or transmission.
3. Check if information regarding the access is sufficiently detailed to enable the
client to assess the risks of the access.
4. If any deadline (end date) for access is included in the access request, provide
evidence that the access for such users was removed on time
5. All access to customer data needs to be sufficiently logged and recorded in a
system of record.

1. Maintain the records of investigation requests from government agencies and the
corresponding responses.
2. Identify and maintain details of the subject matter expert to perform legal
assessment and provide guidance on the response to the request.
3. Ensure analysis is performed to identify the legal/ applicability basis of the requirements
in order to decide the response.
4. No customer information, PII, or offering details shall be provided to the
government agencies until the government agency investigation request is confirmed
and approved by legal and subject matter experts at the organization.
5. Should information be provided to government agencies, relevant teams and
customers are notified of the investigation request and the information provided.

1. Identify all trusted connections between a supplier and the offering. This can
include any supplier handling sensitive customer information, and/or can affect the
availability, confidentiality, and security of a product.
2. Validate prior to using the trusted connection and supplier, the following
documentation is in place:
• agreement with supplier
• security requirements with supplier
• nature of transmitted information
3. Legal shall be involved in these conversations and agreements with the supplier.
4. The offering shall validate that the supplier is adhering to the agreement and
maintaining their security posture.

1. Maintain the list of authorized and trained individuals who are allowed to post
public information. Those who manage organization owned public facing websites
and sharepoints shall be restricted.
2. Ensure public information is posted only by authorized and trained individuals and
maintain the corresponding records.
3. Ensure review of content is performed and approval of content is obtained prior to
publishing and maintain the corresponding records.
4. Ensure periodic reviews of information on public systems are performed to find
nonpublic information, that it is removed upon identification, and that corresponding records
of the review as well as the action performed are maintained.
5. Corresponding personnel are notified should non-public or private information
appear publicly, depending on the gravity of the information (i.e. application code,
financials, customer details, etc.).
1. Cloud service providers shall identify any legal jurisdictions that govern the cloud
service, such as GDPR.
2. Such jurisdictions are provided to cloud service customers. They can be provided
through multiple venues, such as a public page, email, etc.

1. Obtain penetration testing calendar and reports prepared for organization services
operating in Saudi (KSA)
2. Ensure that penetration tests are conducted on a semi-annual basis for in-scope
environments
3. Ensure timely closure of vulnerabilities identified in penetration testing reports

1. Obtain penetration testing calendar
2. Ensure that penetration testing covers the following requirements:
• Entire (CDE) perimeter and critical data systems shall be in scope of testing
• Testing verifies that CDE perimeter segmentation is operational
• Testing is performed from both inside and outside the CDE network
• Testing validates segmentation and scope reduction controls (e.g., tokenization
processes)
• Network layer penetration tests shall include components that support network
functions as well as operating systems
• Testing is performed with consideration of threats verified on an on-going basis
from external alerts, directives, and advisories
• Testing is performed with consideration of vulnerabilities reported to each
Organization.
• Risk ratings are assigned to discovered vulnerabilities, which are tracked through
remediation
3. Review penetration testing reports and ensure timely closure of identified
vulnerabilities

IRAP Unique Controls


1. Develop and implement a trusted insider program and review the program
periodically. A trusted insider program is a policy/procedure/method defining roles
and responsibilities to anyone who has been given access to business systems and
physical premises, and each user's security responsibilities.
2. Obtain legal and regulatory advice when developing and implementing a trusted
insider program

1. Verify if a Chief Information Security Officer has been formally appointed, i.e.
appointment letter, communication mail, organizational chart, any charter
document(s) etc.
2. Verify if roles and responsibilities of the CISO have been formally documented,
established and communicated to the CISO.
3. Verify if management review meetings are conducted and involve the CISO to guide
and oversee the cyber security program.
4. The CISO and their steering committee shall meet on a regular basis, at least
annually.
1. Establish a reporting process (including timelines, delegates and reporting
channel) to report any compromise or suspected compromise of cryptographic
equipment or associated keying material to the Chief Information Security Officer or
one of their delegates
2. Change keying material in case it is compromised or suspected of being
compromised

1. All offerings pursuing IRAP are responsible for identifying a sponsor.

1. Identify areas (IT assets) where customer and personal information is stored
2. Validate that monitoring processes and security solutions are in place for
monitoring of Customer and Personal Information for data spillage
3. Validate whether security solutions such as Data Leakage Prevention (DLP) are
implemented and monitored periodically for movement of customer and personal
information
4. Verify if a post incident process/ guidance document exists for handling the event
of data spillage.
5. For best practice, test the monitoring method/solution at least once a year to
ensure the monitoring of data spillage is working as intended

1. Verify whether the following requirements have been implemented for video and
calling infrastructure:
• Video conferencing or IP telephony traffic has an encrypted and non-replayable
authentication scheme.
• Authentication and authorization is in place for all call related activities such as
individual logins for IP Phones, call setup, changing settings, and accessing voicemail.
• IP phones are configured to authenticate to the call controller upon registration. Auto-
registration, along with all other unused and prohibited functionalities, is disabled.
• Unauthorized devices are blocked by default.

2. Validate whether requirements are documented, reviewed and approved on a set
cadence (at least annually) for accuracy and relevance.

1. Verify whether authentication and authorization mechanism is implemented for
individual logins of IP Phones used for SECRET or TOP SECRET conversations.
1. Verify if fax machine and multi-function device (MFD) policy is established/enforced
and includes the following requirements:
• Separate fax machines and MFDs are used for sending classified information.
• Messages are encrypted to an appropriate level depending on information
sensitivity.
• The sender of a fax message makes arrangements for the receiver to collect the fax
message as soon as possible after it is sent and for the receiver to notify the sender if
the fax message does not arrive in an agreed amount of time.
• A direct connection from an MFD to a digital telephone system is not enabled unless
the digital telephone system is authorized to operate at the same sensitivity or
classification as the network to which the MFD is connected.
• MFDs connected to networks are not used to copy documents above the sensitivity
or classification of the connected network.
• Fax machines and MFDs are located in areas where their use can be observed.

1. Validate if Secret or Top Secret data is authorized to be stored, processed or
communicated via mobile devices.
2. Validate if the mobile device management/teleworking/ trusted device policy includes
controls implemented to ensure mobile devices do not store, process or
communicate Secret or Top Secret data. In case of exception, prior approval shall be
taken from ACSC.
3. For mobile devices with such an exception, validate whether prior approval was taken
from ACSC.

1. Obtain Mobile device management/ teleworking/ trusted device policy and verify if
following controls for privately-owned mobile devices having access to official or
classified systems or data have been implemented:
• ACSC approved platform for MDM is in use,
• All security configuration in accordance with ACSC guidance
• Separation of official and classified data from any personal data is enforced (e.g.
containerization)

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate if privately-owned mobile devices are prohibited from accessing SECRET
or TOP SECRET systems or data via mobile device management configurations
1. Obtain Mobile device management/ teleworking/ trusted device policy and verify if
following controls for organization-owned mobile devices having access to official or
classified systems or data have been implemented:
• ACSC approved platform for MDM is in use,
• All security configuration in accordance with ACSC guidance

1. Obtain Mobile device management/ teleworking/ trusted device policy and verify if
encryption of mobile devices is in line with Australian Signals Directorate Approved
Cryptographic Algorithms.
2. For sample mobile devices, verify if the cryptographic algorithm in use is in line
with Australian Signals Directorate Approved Cryptographic Algorithms. More
information: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-cryptography

1. Obtain Mobile device management/ teleworking/ trusted device policy and verify if
controls are in place to restrict the range of Bluetooth communications between
mobile devices and other Bluetooth devices to less than 10 meters by using class 2 or
class 3 Bluetooth devices.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate in the MDM tool, if controls are in place to disable/block Bluetooth
functionality on highly classified mobile devices.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate in the MDM tool, if mobile devices are configured to remain
undiscoverable to other Bluetooth devices except during Bluetooth pairing.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate in the MDM tool, if Bluetooth pairing is performed using Bluetooth version
2.1 or later (as applicable)

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate in the MDM tool, if conditions for Bluetooth use are documented and
enforced (as applicable) i.e. Bluetooth pairing is performed in a manner such that
connections are only made between intended Bluetooth devices.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate in the MDM tool, if conditions for Bluetooth use are documented and
enforced (as applicable) i.e. Bluetooth pairings are removed from mobile devices
when there is no longer a requirement for their use.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate in the MDM tool, if controls are in place to prohibit Paging, Multimedia
Message Service, Short Message Service and messaging apps to communicate
sensitive or classified data.

1. Obtain Mobile device management/ teleworking/ trusted device policy and verify
conditions for mobile device use in public locations are documented and enforced (as
applicable) i.e. Sensitive or classified data is not viewed or communicated in public
locations unless care is taken to reduce the chance of the screen of a mobile device
being observed.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate if requirements for the application of a privacy filter to the screens of SECRET
and TOP SECRET mobile devices are implemented.
1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate that conditions for mobile device use in public locations are documented
and enforced (as applicable) i.e. Sensitive or classified phone calls are not conducted
in public locations unless care is taken to reduce the chance of conversations being
overheard.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate that conditions for mobile device use are documented and enforced (as
applicable) i.e. Mobile devices are kept under continual direct supervision when being
actively used.

1. Obtain Mobile device management/ teleworking/ trusted device policy
2. Validate that conditions for mobile device use are documented and enforced (as
applicable) i.e. Mobile devices are carried or stored in a secured state when not being
actively used.

1. Verify if the process for mobile device emergency sanitization is documented and
enforced.
2. Validate controls implemented for mobile device emergency sanitization (e.g.
remote wiping)

1. Obtain Teleworking/ trusted device policy/ Code of conduct and verify if personnel
are advised of privacy and security risks when travelling overseas with mobile
devices.
1. Obtain Teleworking/ trusted device policy/ Code of conduct and verify if following
requirements for travelling overseas with mobile devices to high/extreme risk
countries are implemented:
• personnel are issued with newly provisioned accounts and devices from a pool of
dedicated travel devices which are used solely for work-related activities
• personnel are advised on how to apply and inspect tamper seals to key areas of
devices
• personnel are advised to avoid taking any personal devices, especially if rooted or
jailbroken.

1. Obtain Teleworking/ trusted device policy/ Code of conduct and verify if following
requirements for travelling overseas are implemented:
• record all details of the devices being taken, such as product types, serial numbers
and International Mobile Equipment Identity numbers
• update all applications and operating systems
• remove all non-essential accounts, applications and data
• apply security configuration settings, such as lock screens
• configure remote locate and wipe functionality
• enable encryption, including for any media used
• backup all important data and configuration settings.
1. Obtain Teleworking/ trusted device policy/ Code of conduct and verify if following
precautions for travelling overseas are documented:
• never leaving devices or media unattended for any period of time, including by
placing them in checked-in luggage or leaving them in hotel safes
• never storing credentials with devices that they grant access to, such as in laptop
bags
• never lending devices to untrusted people, even if briefly
• never allowing untrusted people to connect other devices or media to their devices,
including for charging
• never using designated charging stations, wall outlet charging ports or chargers
supplied by untrusted people
• avoiding connecting devices to open or untrusted Wi-Fi networks
• using an approved Virtual Private Network to encrypt all device communications
• using encrypted mobile applications for communications instead of using foreign
telecommunication networks
• disabling any communications capabilities of devices when not in use, such as
cellular data, wireless, Bluetooth and Near Field Communication
• avoiding reuse of media once used with other parties’ devices or systems
• ensuring any media used for data transfers are thoroughly checked for malicious
code beforehand
• never using any gifted devices, especially media, when travelling or upon returning
from travelling.

1. Obtain Teleworking/ trusted device policy/ Code of conduct/ incident management
policy and verify if the following requirements are documented for personnel reporting of
potential compromise of mobile devices, media or credentials to their organization as
soon as possible, especially if they:
• provide credentials, decrypt devices or have devices taken out of sight by foreign
government officials
• have devices or media stolen that are later returned
• lose devices or media that are later found
• observe unusual behavior of devices.

1. Obtain Teleworking/ trusted device policy/ Code of conduct and verify if the following
conditions for returning from overseas are documented:
• sanitise and reset devices, including all media used with them
• decommission any physical credentials that left their possession during their travel
• report if significant doubt exists as to the integrity of any devices following their
travel.
1. Obtain Teleworking/ trusted device policy/ Code of conduct and verify if following
conditions for returning from high/extreme risk countries are documented:
• reset user credentials used with devices, including those used for remote access to
their Organization's systems
• monitor accounts for any indicators of compromise, such as failed login attempts.

1. Review network zoning policy and verify if controls are in place to ensure
administrator workstations are placed into a separate network zone to user
workstations.
2. Validate that the network is segmented so that administrator workstations are
connected to a separate network from the regular user workstation network

1. Review network zoning policy and verify if controls are in place to ensure
management traffic is only allowed to originate from network zones that are used to
administer systems and applications.
2. Validate that the management traffic is required and configured (respectively) to
originate from network areas that are dedicated to administer systems/applications

1. Review network security/ wireless/ remote access policy and validate how
administrative access is undertaken
2. Verify if jump servers are used for administrative activities and are prevented from
communicating to assets and traffic not related to the administrative activities.

1. Obtain vulnerability assessment and patch management policy
2. Verify timelines for treatment/ patching of high risk vulnerabilities
3. Validate that a proper process is in place to triage identified extreme risk
vulnerabilities
4. Validate if there is a process to periodically identify and review vendor supplied
patches
5. Obtain audit log tracker for patches updated for applications and drivers
6. Obtain and verify VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
7. Validate if high risk vulnerability treatment/ patching is performed within specified
time frame (within 48 hours).

1. Obtain vulnerability assessment and patch management policy
2. Verify timelines for treatment/ patching of high risk vulnerabilities
3. Validate that a proper process is in place to triage identified high risk
vulnerabilities
4. Validate if there is a process to periodically identify and review vendor supplied
patches
5. Obtain audit log tracker for patches updated for applications and drivers
6. Obtain and verify VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
7. Validate if high risk vulnerability treatment/ patching is performed within specified
time frame (within two weeks).
1. Obtain vulnerability assessment and patch management policy
2. Verify timelines for treatment/ patching of low risk vulnerabilities
3. Validate that a proper process is in place to triage identified high risk
vulnerabilities
4. Validate if there is a process to periodically identify and review vendor supplied
patches
5. Obtain audit log tracker for patches updated for applications and drivers
6. Obtain and verify VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
7. Validate if high risk vulnerability treatment/ patching is performed within specified
time frame (within a month).

1. Obtain vulnerability assessment and patch management policy
2. Verify timelines for treatment/ patching of extreme high risk vulnerabilities
3. Validate that a proper process is in place to triage identified extreme high risk
vulnerabilities
4. Validate if there is a process to periodically identify and review vendor supplied
patches
5. Obtain audit log tracker for patches updated for operating systems and firmware
6. Obtain and verify VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
7. Validate if high risk vulnerability treatment/ patching is performed within specified
time frame (within 48 hours).

1. Obtain vulnerability assessment and patch management policy
2. Verify timelines for treatment/ patching of high risk vulnerabilities
3. Validate that a proper process is in place to triage identified high risk
vulnerabilities
4. Validate if there is a process to periodically identify and review vendor supplied
patches
5. Obtain audit log tracker for patches updated for operating systems and firmware
6. Obtain and verify VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
7. Validate if high risk vulnerability treatment/ patching is performed within specified
time frame (within two weeks).

1. Obtain vulnerability assessment and patch management policy
2. Verify timelines for treatment/ patching of low risk vulnerabilities
3. Validate that a proper process is in place to triage identified low risk vulnerabilities
4. Validate if there is a process to periodically identify and review vendor supplied
patches
5. Obtain audit log tracker for patches updated for operating systems and firmware
6. Obtain and verify VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
7. Validate if low risk vulnerability treatment/ patching is performed within specified
time frame (within a month).
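The patching narratives above all come down to one audit test: for each vulnerability in the VA/PT tracker, was remediation completed within the timeframe its risk rating allows? The following Python is an added example of that test, not part of the CCF or of any tracker product. The tracker rows are constructed for illustration; the timeframes (48 hours for extreme risk, two weeks for high risk, one month for low risk) are taken from the text, while reading "one month" as 30 days and flagging any risk rating not covered by the policy table are this example's assumptions.

```python
"""Check a vulnerability tracker export against the patching timeframes
given in the narratives above.

Added example, not part of the CCF. The tracker rows are constructed. The
timeframes (48 hours for extreme risk, two weeks for high risk, one month for
low risk) are taken from the text; reading 'one month' as 30 days and
treating any other risk rating as unmapped are this example's assumptions.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

# Maximum time from identification to remediation, per risk rating.
SLA: Dict[str, timedelta] = {
    "extreme": timedelta(hours=48),
    "high": timedelta(days=14),
    "low": timedelta(days=30),   # assumption: one month taken as 30 days
}

# Constructed tracker export (one row per identified vulnerability; an empty
# 'patched' column means the item is still open).
TRACKER_CSV = """\
id,asset,risk,identified,patched
V-1,app-server-01,extreme,2024-03-01T09:00,2024-03-02T15:00
V-2,app-server-02,extreme,2024-03-01T09:00,2024-03-05T10:00
V-3,driver-pack-7,high,2024-03-01T09:00,2024-03-10T12:00
V-4,app-server-03,high,2024-02-01T09:00,
V-5,app-server-01,low,2024-02-01T09:00,2024-03-10T12:00
V-6,switch-01,medium,2024-03-01T09:00,
"""

# Point in time at which the audit review is performed (constructed).
REPORT_AS_OF = datetime(2024, 3, 15, 9, 0)


def parse_tracker(text: str) -> List[dict]:
    """Read the CSV export into dicts with real datetimes."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": r["id"],
            "asset": r["asset"],
            "risk": r["risk"].strip().lower(),
            "identified": datetime.fromisoformat(r["identified"]),
            "patched": datetime.fromisoformat(r["patched"]) if r["patched"] else None,
        })
    return rows


def evaluate(rows: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Bucket each vulnerability: within SLA, SLA breached, or risk rating
    not covered by the policy table (which is itself a finding)."""
    result: Dict[str, List[str]] = {"within_sla": [], "breached": [], "unknown_risk": []}
    for r in rows:
        sla = SLA.get(r["risk"])
        if sla is None:
            result["unknown_risk"].append(r["id"])
            continue
        deadline = r["identified"] + sla
        # Open items are measured against the review date, so an unpatched
        # vulnerability past its deadline counts as breached, not ignored.
        closed_at = r["patched"] or now
        bucket = "within_sla" if closed_at <= deadline else "breached"
        result[bucket].append(r["id"])
    return result


def run_report() -> Dict[str, List[str]]:
    """Evaluate the constructed tracker as of the constructed review date."""
    return evaluate(parse_tracker(TRACKER_CSV), REPORT_AS_OF)


if __name__ == "__main__":
    for bucket, ids in run_report().items():
        print(f"{bucket:12s} {ids}")
```

Measuring still-open items against the review date matters: a tracker with no "patched" date is the usual way an overdue item hides, and an auditor asking only "were the patched items patched in time?" would miss V-4 above entirely.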
1. Obtain vulnerability assessment and patch management policy
2. Verify patching timelines for high assurance ICT equipment
3. Verify patching performed for high assurance ICT equipment is performed as per
approved methods and timeframes prescribed by the ACSC.

More information: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-ict-equipment

1. Verify if web applications have implemented Content-Security-Policy, HSTS and
X-Frame-Options response headers.

More information:
https://www.cyber.gov.au/acsc/view-all-content/publications/protecting-web-applications-and-users
1. Review SDLC, MBSS, and/or Application Security Verification Standard (ASVS)
guidelines and validate if development of web applications follow OWASP Application
Security Verification Standard.

1. Verify if database servers and web servers are functionally separated, physically or
virtually.
2. Configure routers and firewalls to ensure that database and web servers are
functionally separated

1. Verify if database servers that require network connectivity are placed on a
different network segment to an Organization's workstations.

1. Validate that, if only local access to a database is required, the networking functionality of
the database management system (DBMS) software is disabled or directed to listen
solely on the localhost interface.

1. Obtain vendor provided guidance for installing the DBMS
2. Validate if Database Management System (DBMS) software is installed and
configured according to vendor guidance. All temporary files for installation are
removed after installation is complete, and all unneeded features are disabled.

1. Obtain vendor provided guidance for installing the DBMS
2. Validate if DBMS software runs as a separate account that follows the least privilege
concept for access rights. The DBMS software shall not have the ability to read local
files from the server.
1. Validate if all queries to databases from web applications are filtered for legitimate
content and correct syntax.

1. Validate if parameterized queries or stored procedures are used for database
interaction instead of dynamically generated queries.
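The two preceding items (input filtering, then parameterized queries) are easiest to review with the two query styles side by side. The following Python is an added example using the standard-library sqlite3 module, not code from the CCF or from any product it maps to. The table, rows and inputs are constructed; the dynamic-query function is kept only to make the difference observable and is the pattern the control says not to use.

```python
"""Dynamically generated query beside its parameterized replacement.

Added example, not part of the CCF. Table, rows and inputs are constructed.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The pattern the control warns against: user input spliced into SQL text.
    Any quote in the input changes the statement's structure."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Placeholder binding: the driver passes the input as a value, so it can
    never be parsed as SQL syntax, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def is_legitimate_name(name: str) -> bool:
    """The syntactic filter from the preceding control item: an allow-list on
    the input's shape (constructed rule: 1-32 alphanumeric characters)."""
    return 0 < len(name) <= 32 and name.isalnum()


def lookup_validated(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Filter first, then bind: both controls applied together."""
    if not is_legitimate_name(name):
        raise ValueError("customer name must be 1-32 alphanumeric characters")
    return lookup_parameterized(conn, name)


# Constructed inputs: a normal lookup and one carrying SQL syntax.
NORMAL_INPUT = "alice"
HOSTILE_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic, normal: ", lookup_dynamic(db, NORMAL_INPUT))
    print("dynamic, hostile:", lookup_dynamic(db, HOSTILE_INPUT))       # every row
    print("param, hostile:  ", lookup_parameterized(db, HOSTILE_INPUT))  # no rows
    print("filter, hostile: ", is_legitimate_name(HOSTILE_INPUT))        # False
```

During a review, the dynamic form is recognisable by string formatting or concatenation adjacent to an `execute` call; the parameterized form passes the value as a separate argument and the query text contains only placeholders.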

1. Validate if web applications are designed to provide as little error information as
possible to users about database schemas.

1. When users access non-approved webmail services they are effectively bypassing
email content filtering controls as well as other security controls that may have been
implemented on email gateways and servers.

2. While web content filtering controls may mitigate some security risks (e.g. some
forms of malicious attachments), they are unlikely to address specific security risks
relating to emails (e.g. spoofed email contents).

1. On a sample basis, validate if protective markings are applied to emails containing
highly sensitive information.
2. Verify if protective markings were applied manually and not through an automatic
tool
3. It is important that protective markings reflect the highest sensitivity or
classification of the subject, body and attachments of emails.

1. Protective markings are disabled for users on systems that are not authorized to
process, store or communicate said markings.

1. Protective marking tools do not allow users replying to or forwarding an email to
select a protective marking that is lower than previously used for the email.

1. Email servers shall have the following requirements configured/designed:
• Configuration/ policy implemented on email servers to block inappropriate
protective markings.
• Emails blocked by email server that involve inappropriate protective markings.
• Notification is provided to sender and recipient of blocked emails.

1. Where applicable, emails containing AUSTEO, AGAO or REL data are only sent to
named recipients and not to groups or distribution lists unless the nationality of all
members of the distribution lists can be confirmed.

1. An authenticated and encrypted channel is configured to allow email to be routed
via a centralized email gateway.
1. Where backup or alternative email gateways are in place, they are maintained at
the same standard as the primary email gateway.

1. Email servers only relay emails destined for or originating from their domains.

1. Opportunistic TLS encryption is enabled on email servers that make incoming or
outgoing email connections over public network infrastructure.

1. MTA-STS is enabled to prevent the transfer of unencrypted emails between
complying servers.

1. SPF is used to specify authorized email services (or lack thereof) for all domains. If
an email server is not in the SPF record for a domain, SPF verification will fail.

1. When specifying email servers, hard fail SPF record shall be used. If an email
server is not in the SPF record for a domain, SPF verification will fail.
1. SPF is used to verify the authenticity of incoming emails. If an email server is not in
the SPF record for a domain, SPF verification will fail.
1. Incoming emails that fail SPF checks are blocked or marked in a manner that is
visible to the recipients.
1. Email services shall have the following requirements configured/designed:
• DKIM signatures are enabled on emails originating from an Organization's domains
and received emails are verified
• Email distribution list software used by external senders is configured such that it
does not break the validity of the sender’s DKIM signature.
• DMARC records are configured for all domains such that emails are rejected if they
fail SPF or DKIM checks.
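The SPF and DMARC requirements above (hard-fail SPF records, SPF verification of incoming mail, DMARC p=reject) can be checked mechanically. The following is an added example, not part of the CCF or any Cisco tooling: it parses an SPF record, evaluates a sending IP against it offline (ip4/ip6/all only; mechanisms that need DNS are reported as unresolved), parses a DMARC record, and reports where the records fall short of the narrative. The records and the example.invalid domain are constructed for the example.

```python
import ipaddress

# Constructed sample DNS records (example.invalid is not a real domain): a
# hard-fail SPF record and a DMARC record with a reject policy, as required.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def split_term(term):
    """Split an SPF term into (qualifier, mechanism name, value)."""
    qualifier = "+"
    if term and term[0] in RESULT_FOR_QUALIFIER:
        qualifier, term = term[0], term[1:]
    name, _, value = term.partition(":")
    return qualifier, name.split("/")[0].lower(), value


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' mechanism ('-' means hard fail), or None."""
    for term in record.split()[1:]:
        qualifier, name, _ = split_term(term)
        if name == "all":
            return qualifier
    return None


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF record for a sending IP without DNS.

    Only ip4, ip6 and all are evaluated here; include/a/mx/ptr/exists and the
    redirect modifier need DNS lookups, so reaching one returns 'unresolved'.
    Result names follow RFC 7208: pass, fail, softfail, neutral, none.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, name, value = split_term(term)
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            if "/" not in value:                      # bare address: host prefix
                value += "/32" if name == "ip4" else "/128"
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif name in DNS_MECHANISMS or name.startswith("redirect="):
            return "unresolved"
    return "neutral"   # no mechanism matched and no 'all' present


def parse_dmarc(record):
    """Parse DMARC 'tag=value; tag=value' syntax into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def audit_email_auth(spf_record, dmarc_record):
    """Return findings where the records fall short of the narrative's requirements."""
    findings = []
    terms = spf_record.split()
    qualifier = spf_all_qualifier(spf_record)
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: record missing or malformed")
    elif qualifier is None:
        findings.append("SPF: no 'all' mechanism; unlisted servers get neutral instead of fail")
    elif qualifier != "-":
        findings.append(f"SPF: '{qualifier}all' used; hard fail '-all' is required")
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record missing or malformed")
    elif tags.get("p") != "reject":
        findings.append(f"DMARC: policy is p={tags.get('p', 'none')}; p=reject is required")
    return findings


if __name__ == "__main__":
    print(evaluate_spf(SAMPLE_SPF, "198.51.100.7"))       # an unlisted server fails
    print(audit_email_auth(SAMPLE_SPF, SAMPLE_DMARC))     # no findings
```

In an audit the records would be fetched from DNS for each organization domain and passed to audit_email_auth; a softfail (~all) or p=quarantine is the usual finding, since both let unauthenticated mail through to the recipient rather than rejecting it.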

1. Email content filtering controls are enabled for email bodies and attachments.

1. Configuration is in place so that emails arriving via an external connection whose
source address uses an internal domain name are blocked at the email gateway.

1. VLANs are not used to separate network traffic between organizations' networks
and public network infrastructure, or networks belonging to different security
domains.

1. VLANs belonging to different security domains are terminated on separate physical
network interfaces.

1. VLANs belonging to different security domains, or networks of different
classifications, do not share VLAN trunks.
1. Network devices implementing VLANs are managed from the most trusted
security domain.
1. IPv6 tunnelling is disabled for dual-stack network devices and Information and
Computer Technology (ICT) equipment.
2. Network security devices that support IPv6 are used on Dual-stack networks.

1. IPv6 tunnelling is disabled on all network devices and Information Computer
Technology (ICT) equipment.
2. IPv6 tunnelling is blocked by network security devices at externally-connected
network boundaries.

1. Dynamically assigned IPv6 addresses are configured with Dynamic Host
Configuration Protocol version 6 in a stateful manner with lease data stored in a
centralized logging facility.

1. Servers maintain effective functional separation with other servers allowing them
to operate independently.
1. Servers minimize communications with other servers at both the network and file
system level.
1. Inbound network connections and outbound network connections to anonymity
networks are blocked.
1. The administrative interface on wireless access points is disabled for wireless
network connections.
1. Default SSID of wireless access points are changed and are enabled on all wireless
networks.
2. The SSID of a non-public network shall not be associated with the organization.

1. Static addressing is not used for assigning IP addresses on wireless networks.
2. Only dynamic IP addresses shall be assigned for wireless networks.

1. MAC address filtering is not used to restrict which devices can connect to wireless
networks.

1. 802.1x authentication with EAP-TLS, using X.509 certificates, is used to perform
mutual authentication for wireless networks. All other EAP methods are disabled on
supplicants and authentication servers.

1. Device and user certificates shall have the following requirements
configured/designed:
• Both device and user certificates are required for accessing wireless networks.
• Device and user certificates are not stored on the same device and are issued on
smart cards with access PINs.
• User or device certificates are protected by encryption.

1. If PMK caching is used, the PMK caching period shall not be set to greater than
1440 minutes (24 hours).
1. Communications between wireless access points and a RADIUS server are
encapsulated with an additional layer of encryption.

1. ASD approved cryptography is used to protect the confidentiality and integrity of
all wireless network traffic.
1. Wireless access points enable the use of the IEEE 802.11w-2009 amendment to
protect management frames.
1. Instead of deploying a small number of wireless access points that broadcast on
high power, a greater number of wireless access points that use less broadcast power
are deployed to achieve the desired footprint.

1. The effective range of wireless communications outside an Organization's area of
control is limited by implementing RF shielding on facilities in which SECRET or TOP
SECRET wireless networks are used.

1. All wireless access points are Wi-Fi Alliance certified.

1. A cloud service provider is used for hosting online services.

1. When using environments that require high availability, Content Delivery Networks
shall have the following requirements configured/designed
• Content Delivery Networks that cache websites are used and the IP address of the
webserver under the Organization's control is avoided.
• The origin server is restricted to the CDN and an authorized management network.

1. Domain names for online services are protected via registrar locking and
confirming domain registration details are correct.

1. High Assurance Cryptographic Equipment (HACE) is used to protect SECRET and
TOP SECRET data when communicated over insufficiently secure networks, outside of
appropriately secure areas or via public network infrastructure.

1. All connections between security domains implement mechanisms to inspect and
filter data flows for the transport and higher layers as defined in the OSI model.

1. All network gateways in different security domains shall have the following
requirements configured/designed:
• log network traffic permitted through the gateway
• log network traffic attempting to leave the gateway
• are configured to save event logs to a secure logging facility
• provide real-time alerts for any cyber security incidents, attempted intrusions and
unusual usage patterns.

1. Gateways are subject to rigorous testing, performed at irregular intervals no more
than six months apart, to determine the strength of security controls.
1. All Demilitarized zones in different security domains shall have the following
requirements configured/designed:
• Demilitarized zones are used to broker access to services accessed by external
entities
• mechanisms are applied to mediate internal and external access to less-trusted
services hosted in these demilitarized zones.

1. System administrator roles for gateway administration shall have the following
requirements met:
• Gateway administrators shall be formally trained to manage gateways.
• All system administrators of gateways are cleared to access the highest level of
data communicated or processed by the gateway.
• All system administrators of gateways that process Australian Eyes Only (AUSTEO)
or Australian Government Access Only (AGAO) data are Australian nationals.
• Roles for the administration of gateways are separated.

2. For gateways between networks in different security domains, a formal
arrangement exists whereby any shared components are managed by the system
managers of the highest security domain or by a mutually agreed third party.

1. Once connectivity is established, system owners become stakeholders for all
connected security domains.

1. Only authenticated users and services including ICT equipment which are
authorized can use the gateway.
2. Multi-factor authentication is used to access gateways.

1. Cross domain solution (CDS) is implemented when connecting a SECRET or TOP
SECRET network to any other network from a different security domain.

1. While designing the cross domain solution (CDS), the following requirements shall be
met:
• there is a process in place to notify and consult ACSC when designing and
deploying a CDS.
• All directions provided by the ACSC are complied with.
1. There is a process in place to notify and consult ACSC when introducing additional
connectivity to a CDS (such as adding a new gateway to a common network).
2. ACSC is consulted on the impact to the security of the CDS.
3. Directions provided by the ACSC are complied with.
1. CDS between a highly classified network and any other network have the following
requirements configured/designed:
• protocol breaks at each layer of the OSI model
• content filtering and separate independent security-enforcing components for
upward and downward data flows

1. Verify if all users are trained on the secure use of CDS.
2. Verify if only authorized parties are granted access to CDS.
3. Evaluate if all personnel receive the necessary briefings before being granted
access to systems.
4. Verify if the logon banners and awareness messages were sent to the users to use
a CDS securely.

1. Verify if the event logging policy is established, defined and documented.
2. Evaluate if the sample of security events generated by a CDS is taken at least
every 3 months and assessed against the security policies.
3. Check if CDS have comprehensive logging capabilities to establish accountability
for all actions performed by users.

1. Obtain evaluation report of firewall.
2. Check if firewall is evaluated when used between an AUSTEO or AGAO network and
a foreign network.

1. Obtain evaluation report of firewall.
2. Check if firewall is evaluated when used between an AUSTEO or AGAO network and
another Australian controlled network.

1. Obtain evaluation diode report for controlling the data flow.
2. Verify if evaluated diode is used for controlling the data flow of unidirectional
gateways between organizations' networks and public network infrastructure.

1. Obtain high assurance diode report for controlling the data flow.
2. Verify if high assurance diode is used for controlling the data flow of unidirectional
gateways between SECRET and TOP SECRET networks and public network
infrastructure.

1. Obtain evaluation diode report for controlling the data flow.
2. Verify if evaluated diode is used for controlling the data flow of unidirectional
gateways between networks.

1. Obtain high assurance diode report for controlling the data flow.
2. Verify if high assurance diode is used for controlling the data flow of unidirectional
gateways between SECRET or TOP SECRET networks and any other network.

1. Obtain evaluation diode report.
2. Verify if evaluated diode is used between an AUSTEO or AGAO network and a
foreign network at the same classification.

1. Obtain evaluation diode report for controlling the data flow.
2. Verify if evaluated diode is used between an AUSTEO or AGAO network and
another Australian controlled network at the same classification.
1. Obtain monitoring report to monitor the volume of data being transferred across a
diode.
2. Verify if a diode monitors the volume of the data being transferred to control data
flow in unidirectional gateways.
3. Verify if an alert is sent to the organization, indicating potential malicious activity,
if the volume of data suddenly changes from the norm.
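The volume-monitoring check above needs a baseline and a notion of "sudden change". As an added example (not from the CCF or any diode vendor's software), the function below runs over constructed hourly byte counts from a diode, baselines each sample against the median of the preceding window, and scores deviation with the scaled median absolute deviation. The median/MAD choice is deliberate: a single earlier surge that used a mean/standard-deviation baseline would inflate the spread and hide a later complete stop in the flow, which is just as worth alerting on. The traffic figures, window and threshold are assumptions for the example.

```python
import statistics


def sample_hourly_volumes():
    """Constructed sample: bytes per hour across a diode for three days.

    Steady traffic with a small daily pattern, a sudden surge in hour 48 and a
    complete stop in hour 60 (a broken or bypassed flow is also a finding).
    """
    volumes = [1_000_000 + (hour % 5) * 20_000 for hour in range(72)]
    volumes[48] = 6_000_000
    volumes[60] = 0
    return volumes


def volume_alerts(volumes, window=24, threshold=5.0, floor_ratio=0.05):
    """Flag samples whose volume deviates sharply from the preceding window.

    baseline  = median of the previous `window` samples
    spread    = 1.4826 * median absolute deviation (robust stand-in for sigma),
                floored at floor_ratio * baseline so near-constant traffic does
                not alert on tiny wobble
    Returns (index, volume, score) for every sample with score > threshold.
    """
    alerts = []
    for i in range(window, len(volumes)):
        history = volumes[i - window:i]
        baseline = statistics.median(history)
        mad = statistics.median(abs(v - baseline) for v in history)
        spread = max(1.4826 * mad, floor_ratio * baseline)
        deviation = abs(volumes[i] - baseline)
        if spread == 0:
            score = 0.0 if deviation == 0 else float("inf")
        else:
            score = deviation / spread
        if score > threshold:
            alerts.append((i, volumes[i], round(score, 1)))
    return alerts


if __name__ == "__main__":
    for index, volume, score in volume_alerts(sample_hourly_volumes()):
        print(f"hour {index}: {volume} bytes, deviation score {score}")
```

With the constructed data the surge (hour 48) and the stop (hour 60) are the only two alerts; the hours after the surge are not flagged even though the surge now sits inside their baseline window, which is the property the robust baseline buys.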

1. Verify if web usage policy is implemented and developed.
2. Check if all web access (including internal servers) is conducted through a web
proxy.
3. Evaluate if web proxies authenticate users and provide logging that includes:
• address (uniform resource locator)
• time/date
• user
• amount of data uploaded and downloaded
• internal and external IP addresses

1. Verify if web content filtering is in place.
2. Evaluate if web content filtering controls are applied to outbound web traffic where
applicable.

1. Evaluate the list of allowed websites to restrict the client-side active content.
2. Verify client-side active content, such as Java, is restricted to a list of allowed
websites.

1. Verify if legal advice is sought for the inspection of TLS traffic by internet
gateways.
2. Identify a solution that decrypts and inspects all TLS traffic as per content filtering
security controls
3. Obtain a list of websites to which encrypted connections are allowed, with all other
TLS traffic decrypted and inspected as per content filtering security controls.

1. Verify if a list of allowed websites, using either domain name or IP address, is
implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic
communicated through internet gateways.
2. Validate that, if a list of allowed websites is not implemented, a list of allowed
website categories and a list of blocked websites is implemented instead.
3. Verify if the list of blocked websites is updated on a daily basis.
4. Validate if dynamic domains where domain names can be registered anonymously
for free are blocked.
1. Evaluate if an effective content filter is implemented to reduce the likelihood of
malicious content.
2. Verify if the data imported into a security domain is filtered by a content filter.
3. Verify if security assessment is performed of content filters to ensure they mitigate
content-based threats and cannot be bypassed.

1. Verify if all suspicious, malicious and active content is blocked from entering a
security domain.
2. Identify data by a content filtering process.
3. Evaluate if suspicious content is blocked until reviewed and approved for transfer
by a trusted source other than the originator.

1. Analyze email and web content in a sandbox to detect suspicious behavior
including network traffic, new or modified files, or other configuration changes.

1. Perform content validation on all data passing through a content filter to identify
malformed content.
2. Verify if potentially malicious content is blocked by using content validation.
3. Examples of content validation includes but not limited to:
• ensuring numeric fields only contain numeric values
• ensuring content falls within acceptable length boundaries
• ensuring Extensible Markup Language (XML) documents are compared to a strictly
defined XML schema.
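The three validation examples listed above (numeric-only fields, length bounds, XML checked against a strict schema) are shown in code below. This is an added example, not code from the CCF: the field rules, the schema for a "transfer" record and the sample documents are all constructed. Two details matter for a content filter at a domain boundary: the numeric check insists on ASCII digits rather than Python's broader isdecimal(), and the XML check rejects any document type declaration before parsing, since the standard-library parser is not hardened against entity tricks.

```python
import xml.etree.ElementTree as ET

# Constructed field rules for an inbound record: field -> (kind, maximum length)
FIELD_RULES = {
    "reference": ("numeric", 12),
    "subject": ("text", 80),
    "size_bytes": ("numeric", 10),
}

# Constructed strict schema: which children, attributes and text each element may carry
XML_SCHEMA = {
    "transfer": {"children": {"reference", "subject", "size_bytes"}, "attrs": set(), "text": False},
    "reference": {"children": set(), "attrs": set(), "text": True},
    "subject": {"children": set(), "attrs": set(), "text": True},
    "size_bytes": {"children": set(), "attrs": {"unit"}, "text": True},
}


def validate_fields(record):
    """Apply the numeric/length rules to a dict of field -> string value."""
    problems = []
    for field, (kind, max_len) in FIELD_RULES.items():
        value = record.get(field)
        if value is None:
            problems.append(f"{field}: missing")
            continue
        if len(value) > max_len:
            problems.append(f"{field}: length {len(value)} exceeds {max_len}")
        # isdecimal() alone also accepts non-ASCII digit scripts; require ASCII
        if kind == "numeric" and not (value.isascii() and value.isdecimal()):
            problems.append(f"{field}: not numeric")
    for field in sorted(set(record) - set(FIELD_RULES)):
        problems.append(f"{field}: unexpected field")
    return problems


def validate_xml(document, root="transfer"):
    """Check an XML document against XML_SCHEMA, then its values against FIELD_RULES."""
    if "<!DOCTYPE" in document or "<!ENTITY" in document:
        return ["document type declarations and entities are not permitted"]
    try:
        tree = ET.fromstring(document)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if tree.tag != root:
        return [f"root element {tree.tag!r} is not {root!r}"]
    problems = []

    def walk(elem):
        rule = XML_SCHEMA.get(elem.tag)
        if rule is None:
            problems.append(f"{elem.tag}: element not in schema")
            return
        for attr in elem.attrib:
            if attr not in rule["attrs"]:
                problems.append(f"{elem.tag}: attribute {attr!r} not permitted")
        if not rule["text"] and (elem.text or "").strip():
            problems.append(f"{elem.tag}: text content not permitted")
        for child in elem:
            if child.tag in rule["children"]:
                walk(child)
            else:
                problems.append(f"{elem.tag}: child {child.tag!r} not permitted")
            if (child.tail or "").strip():
                problems.append(f"{elem.tag}: stray text after {child.tag!r}")

    walk(tree)
    if not problems:   # structure is right; now check the leaf values
        record = {child.tag: (child.text or "").strip() for child in tree}
        problems.extend(validate_fields(record))
    return problems


# Constructed sample documents
GOOD_DOC = ("<transfer><reference>000123456789</reference>"
            "<subject>Quarterly figures</subject>"
            "<size_bytes unit=\"B\">2048</size_bytes></transfer>")
BAD_DOC = ("<transfer><reference>12AB</reference><subject>x</subject>"
           "<size_bytes>2048</size_bytes><notes>extra</notes></transfer>")

if __name__ == "__main__":
    print(validate_xml(GOOD_DOC))   # []
    print(validate_xml(BAD_DOC))    # structural problem reported first
```

A content filter would block the transfer on any non-empty problem list; reporting every problem rather than the first one makes the blocked-content notification more useful to the sender.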

1. Perform content conversion and transformation for all ingress or egress data
transiting a security domain boundary to mitigate the threat of content
exploitation.
2. Examples of content conversion include but are not limited to:
• converting a Microsoft Word document to a Portable Document Format (PDF) file
• converting a Microsoft PowerPoint presentation to a series of image files
• converting a Microsoft Excel spreadsheet to a comma-separated values file
• converting a PDF document to a plain text file.

1. Verify if content sanitization is performed on suitable file types if content
conversion is not appropriate for data transiting a security domain boundary.
2. Examples of content sanitization includes but not limited to:
• removal of document properties in Microsoft Office documents
• removal or renaming of JavaScript sections from PDF files
• removal of metadata from within image files.

1. Verify if the contents from archive/container files are extracted and are subjected
to content filter checks.
2. Verify if the content filtering process recognizes archive and container files so that
the embedded files they contain are subject to the same content filtering
measures as un-archived files.
1. Verify if controlled inspection of archive/container files is performed.
2. Perform controlled inspection of archive/container files to ensure that content filter
performance or availability is not adversely affected.
3. Obtain Inspection report of archive/container files.

1. Verify if notifications or alerts are generated for container files that cannot be
inspected.
2. Verify if files that cannot be inspected are blocked.

1. Verify if a process is in place where system owner consultation and legal advice is
sought before allowing a targeted cyber intrusion activity to continue on a system for
the purpose of collecting further data or evidence.
2. Validate if such process is documented and appropriate approvals are obtained

1. Verify network traffic logs generated by firewalls and intrusion detection and
prevention systems (IDS and IPS)
2. Verify whether full network traffic is stored and if network traffic of 7 days post
intrusion will be available.

1. Verify whether following hardening requirements have been implemented for video
and calling infrastructure:
• Video conferencing or IP telephony traffic flows through a gateway with a video-
aware and/or voice-aware firewall.
• Video conferencing and IP telephony calls are established using a secure session
initiation protocol.
• Video conferencing and IP telephony traffic is separated physically or logically from
other data traffic. Workstations that use video and IP phone traffic use VLANs or
similar mechanisms to maintain separation between video conferencing, IP telephony
and other data traffic.
• If IP phones are used in public areas, their ability to access data networks,
voicemail and directory services are prevented.
• Video conferencing and IP telephony calls are conducted using a secure real-time
transport protocol.

2. Validate whether hardening guidelines are reviewed and approved on a set
cadence (at least annually) for accuracy and relevance.

1. Verify if the integrity of evidence gathered during an investigation is maintained by
investigators through the following processes:
• recording all of their actions
• creating checksums for all evidence
• copying evidence onto media for archiving
• maintaining a proper chain of custody.
1. Verify if cloud customers and service providers maintain 24x7 contact details for
each other to report cyber security incidents.
2. Validate if additional out-of-band contact details are in use by cloud customers and
service providers when normal communication channels fail.

1. Verify if all cyber security incidents are reported to the Australian Cyber Security
Centre (ACSC).
1. Verify if commercial and government gateway services have undergone a joint
security assessment by ACSC and Infosec Registered Assessors Program (IRAP)
assessors at least every 24 months.

1. Verify if cloud service providers and their cloud services have undergone a security
assessment by an IRAP assessor at least every 24 months.

1. Evaluate if only community or private clouds are used for outsourced SECRET and
TOP SECRET cloud services.

1. Check if the process for control of Australian systems is documented and followed.
2. Verify if the control of AUSTEO and AGAO systems for processing, storing or
communicating data is maintained by the Australian citizens working for the
Australian Government.

1. Check if the process for control of Australian systems is documented and followed.
2. Verify if AUSTEO and AGAO systems are only accessed from facilities under the sole
control of the Australian Government.

1. Verify if the Common Criteria EAL requirements are in place.
2. Verify if a product with a complete Protection Profile (PP)-based evaluation is
selected in preference to an EAL-based evaluated product when procuring an
evaluated product.

1. Verify if 64-bit version of the operating system is used when developing a Microsoft
Windows SOE to improve the security functionality over older releases.

1. Verify if ACSC and vendor guidance is implemented to assist in securely
configuring various operating systems.
1. Identify the best practices for the use of Microsoft operating systems and Microsoft
supported applications.
2. Verify if the latest version of Microsoft’s EMET is implemented on workstations and
servers and configured with both operating system mitigation measures and
application-specific mitigation measures. (if applicable)
3. Verify if Microsoft’s exploit protection functionality is implemented on workstations
and servers (if applicable).
4. Verify if PowerShell version is higher than 2.0 and is configured to Constrained
Language Mode.
5. Verify if PowerShell is configured to use module logging, script block logging and
transcription functionality.
6. Verify if PowerShell script block logs are protected by Protected Event Logging
functionality.
7. Verify if Microsoft’s Attack Surface Reduction rules are implemented. (if applicable)

1. Evaluate if application hardening configurations are in place.
2. Verify if ACSC and vendor guidance is implemented to assist in hardening the
configuration of Microsoft Office, web browsers and PDF viewers.

1. Evaluate if application hardening configurations are in place.
2. Verify if web browsers are configured to block or disable support for Flash content,
Java and web advertisements from the internet.

1. Evaluate if application hardening configurations are in place.
2. Verify if any unrequired functionality in Microsoft Office, web browsers and PDF
viewers is disabled.

1. Evaluate if application hardening configurations are in place.
2. Verify if the use of Microsoft Office, web browser and PDF viewer add-ons is
restricted to organization approved add-ons.

1. Evaluate if the application hardening process is in place.
2. Verify if Microsoft Office products installed on workstations follow, at a minimum,
the best practice configurations:
• Microsoft Office is configured to prevent activation of Object Linking, Embedding
packages, and is configured to disable Flash content.
• Microsoft Office macros are only allowed to execute in documents from Trusted
Locations where write access is limited to personnel whose role is to vet and approve
macros.
• Microsoft Office macros in documents originating from the internet are blocked.
• Microsoft Office macro security settings cannot be changed by users.
1. Verify if applications that are no longer supported by vendors with patches or
updates for security vulnerabilities are updated or replaced with vendor-supported
versions.
2. Check if operating systems for workstations, servers and ICT equipment that are
no longer supported are updated or replaced with vendor-supported versions.

1. Verify if a formal inventory process for authorized RF (Radio Frequency) and IR
(Infrared) devices is established and in place.
2. Evaluate if a formal inventory for authorized RF and IR devices in SECRET and TOP
SECRET areas is maintained and regularly audited.
3. Validate if unauthorized RF and IR devices are not allowed to be brought into
SECRET and TOP SECRET areas.

1. Identify the unauthorized RF devices which are not allowed to be brought into
SECRET and TOP SECRET areas.
2. Verify if security measures are implemented to detect and respond to unauthorized
RF devices in SECRET and TOP SECRET areas.
3. Obtain a security register for unauthorized RF devices to understand the security
risks associated with the introduction of such devices.

1. Verify if wireless keyboards and wireless mice meet the security requirements.
2. Check that Bluetooth and wireless keyboards are not used for confidential
systems, secret systems, and top secret systems, unless in an RF screened
building.

1. Verify if wireless keyboards and wireless mice meet the security requirements.
2. Check if infrared ports are positioned in a way when using infrared keyboards to
prevent line of sight and reflected communications from travelling into an unsecured
space.
3. Validate if the following activities are prevented when using infrared keyboards:
• multiple infrared keyboards for different systems being used in the same area
• other infrared devices being used in the same area
• infrared keyboards operating in areas with unprotected windows.

1. Verify if cabling infrastructure is installed by an endorsed cable installer to the
relevant Australian Standards to ensure personnel safety and system availability.

1. Verify if Fiber-optic cables are used for cabling infrastructure instead of copper
cables to offer the highest degree of protection from electromagnetic emanation
effects.
1. Verify if a cable labelling process and supporting cable labelling procedures are
documented, developed and implemented.
2. Validate if a cable register is established, maintained and regularly audited.
3. Check if a cable register contains the following fields for each cable:
• cable identifier
• cable color
• sensitivity/classification
• source
• destination
• location
• seal numbers (if applicable).
4. Verify if cables are labelled at each end with sufficient source and destination
details to enable the physical identification and inspection of the cable.
5. Verify if building management cables are labelled with a minimum size of 2.5 cm x
1 cm, and attached at five-meter intervals.

1. Validate if floor plan diagrams are established, maintained and regularly audited.
2. Check if floor plan diagrams contain the following for each cable:
• cable paths (including ingress and egress points between floors)
• cable reticulation system and conduit paths
• floor concentration boxes
• wall outlet boxes
• network cabinets.
3. Verify if floor plan diagrams are tracking all cabling infrastructure changes
throughout the life of a system.
1. Verify if cables for foreign systems installed in Australian facilities are labelled at
inspection points.
2. Check if cable colors are used as follows:
• Top Secret level information system cables are Red and are fully inspectable for
their entire length. Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1
cm, attached at five-meter intervals and marked as ‘TS RUN’.
• Secret level information system's cables are Salmon Pink and are fully inspectable
for their entire length.
• All other information system cables (Official level and Protected level Information
Systems) are color coded using any color other than Red (Top Secret) and Salmon
Pink (Secret).
3. Verify if non-conforming cable colors are banded with appropriate cable colors and
are labelled at inspection points.
4. Check if building management cables are labelled with their purpose in black
writing on a yellow background, at least 2.5 cm x 1 cm in size, with labels attached at
five-meter intervals.
5. Verify if cables are inspectable at a minimum of five-meter intervals in non-shared
government facilities.

1. Validate if fiber optic cables are in place.
2. Verify if fiber optic cables comply with the following requirements:
• Fibers in the sheath only carry a single cable group based on the information
protection level of the information system. (Top Secret, Secret, Official, and
Protected)
• For Fiber cables containing subunits, each subunit only carries cables from a single
cable group.

1. Verify if cable groups sharing a common cable reticulation system have a dividing
partition or a visible gap between the cable groups.

1. Verify if cables are run in a sealed cable reticulation system in shared facilities to
prevent access and enhance cable management.
1. In shared facilities, the following items shall be fitted with clear plastic:
• Conduits
• Front Covers of Ducts
• Cable Trays in Floors and Ceilings
• Any other type of associated fittings for ducts and cable trays

1. In shared facilities, unique and identifiable SCEC endorsed tamper-evident seals
shall be used to seal all removable covers on all TOP SECRET cable reticulation
systems.
1. In shared facilities, all plastic conduit joints are sealed via a visible smear of
conduit glue, and all TOP SECRET conduit runs are connected by threaded lock nuts.

1. In shared facilities, TOP SECRET cables shall not be allowed to run in party walls.

1. In shared government facilities, where wall penetrations exit a TOP SECRET area
into a lower classified space, TOP SECRET cables that flow through these wall
penetrations are encased in conduit with all gaps between the TOP SECRET conduit
and wall filled with an appropriate sealing compound.

1. In shared non-government facilities, where wall penetrations exit into a lower
classified space, cables that flow through these wall penetrations are encased in
conduit with all gaps between the conduit and wall filled with an appropriate sealing
compound.

1. Cables from cable trays to wall outlet boxes shall be run in flexible or plastic
conduit.
1. If a cable group contains cables belonging to different systems, wall outlet boxes
have connectors on opposite sides of the wall outlet box.

1. Cabling boxes shall have the following requirements configured/designed:
• Different cable groups do not share a wall outlet box.
• Wall outlet boxes denote the systems, cable identifiers and wall outlet box
identifier.
• OFFICIAL and PROTECTED wall outlet boxes are colored neither salmon pink nor
red.
• Wall outlet box covers are clear plastic.
• SECRET wall outlet boxes are colored salmon pink.
• TOP SECRET wall outlet boxes are colored red.

1. If TOP SECRET fiber-optic fly leads exceeding 5 meters in length are used to
connect wall outlet boxes to ICT equipment, they are run in a protective and easily
inspected pathway that is clearly labeled at the ICT equipment end with the wall
outlet box's identifier as well.

1. Cable reticulation systems leading into cabinets are terminated as close as
possible to the cabinet.

1. In TOP-SECRET areas, cable reticulation systems leading into cabinets in a secure
communications or server room are terminated as close as possible to the cabinet.

1. In TOP-SECRET areas, cable reticulation systems leading into cabinets not in a
secure communications or server room are terminated as close as possible to the
cabinet.
1. Cables are terminated in individual cabinets to prevent accidental or deliberate
cross-patching and to make inspection of cables easier. Alternatively, for small
systems, they can be terminated in one cabinet with a division plate to delineate
cable groups.
1. TOP SECRET cables are terminated in an individual TOP SECRET cabinet.

1. Different cable groups are not terminated on the same patch panel.

1. There is a visible physical separation between TOP SECRET cabinets and cabinets
of lower classifications for reducing the chance of cross-patching.
1. TOP SECRET and non-TOP SECRET patch panels are physically separated by
installing the panels in separate cabinets.

1. Where, due to spatial constraints, patch panels of a lower classification than TOP
SECRET are located in the same cabinet as a TOP SECRET patch panel:
• a physical barrier in the cabinet is to be provided to separate patch panels
• only personnel holding a Positive Vetting security clearance shall have access to the
cabinet
• approval from the TOP SECRET system’s authorizing officer is obtained prior to
installation.

1. The Australian Security Intelligence Organization (ASIO) is consulted prior to
penetrating an audio secured space. All ASIO recommendations are complied with.

1. A power distribution board with a feed from an Uninterruptible Power Supply is
used to power all TOP SECRET Information and Computer Technology (ICT)
equipment.

1. In TOP SECRET areas of shared non-government facilities, a power distribution
board with a feed from an Uninterruptible Power Supply is used to power all TOP
SECRET Information and Computer Technology (ICT) equipment.

1. System owners deploying SECRET or TOP SECRET systems with Radio Frequency
(RF) transmitters inside or co-located with their facility contact the ACSC for an
emanation security threat assessment, and perform the following.
2. Perform emanation security threat assessment.
3. Identify emanation security threats.
4. Verify if any additional installation criteria is implemented derived from the
emanation security threat assessment.

1. System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency
(RF) transmitters that will be co-located with SECRET or TOP SECRET systems of a
higher classification contact the ACSC for an emanation security threat assessment,
and perform the following.
2. Perform emanation security threat assessment.
3. Identify emanation security threats.
4. Verify if any additional installation criteria is implemented derived from the
emanation security threat assessment.
1. System owners deploying SECRET or TOP SECRET systems in shared facilities shall:
2. Perform emanation security threat assessment.
3. Identify emanation security threats.
4. Verify if any additional installation criteria is implemented derived from the
emanation security threat assessment.

1. If system owners are deploying systems overseas, they shall contact the Australian
Cyber Security Centre (ACSC) for emanation security threat advice.
2. Any additional installation criteria from the emanation security threat advice are
implemented.

1. If system owners are deploying systems or military platforms overseas, they shall
contact the Australian Cyber Security Centre (ACSC) for an emanation security threat
assessment.
2. Any additional installation criteria from the emanation security threat assessment
are implemented.

1. As part of a project's life cycle, an emanation security threat assessment is sought
as soon as possible.
2. Identify emanation security issues.
3. Implement controls to address the risks identified as part of the emanation security
threat assessment.

1. ICT equipment meets industry and government standards relating to
electromagnetic interference/electromagnetic compatibility.
2. Validate the industry standards relating to electromagnetic
interference/electromagnetic compatibility and adhere to these standards.

1. A Telephone Systems policy is established, documented and maintained. Evaluate
whether the policy covers the following requirements:
• Personnel are made aware of the sensitivity of information that they may discuss,
along with their classification levels.
• Personnel are made aware of the security risks of non-secure lines.
• Telephone lines that permit different levels of conversation have a visual indicator.
• Telephone systems used for sensitive or classified conversations encrypt all traffic
that passes over external systems.
• Cordless telephone systems are not used for sensitive or classified conversations.
• Traditional analog phones are used in public areas.
1. Telephone systems are configured to meet the following requirements:
• Speakerphones are not used on telephone systems in TOP SECRET areas unless the
telephone system is located in a room rated as audio secure and only personnel
involved in the discussion are present in the room.
• In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all
telephones that are not authorized for the transmission of TOP SECRET information.
• In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets
are used to meet any off-hook audio protection requirements.
• Off-hook audio protection features are used on telephone systems in areas where
background conversations may exceed the sensitivity or classification that the
telephone system is authorized for communicating.
• IP phones and video conferencing workstations match the data classification level
of their area.
• Microphones (including headsets and USB handsets) and webcams are not used
with non-SECRET workstations in SECRET areas or non-TOP SECRET workstations in
TOP SECRET areas.

1. If the offering is procuring high assurance ICT equipment, it shall contact the
Australian Cyber Security Centre (ACSC) for any equipment-specific delivery
procedures.
2. The offering shall adhere to these procedures.

1. High assurance ICT equipment is installed, configured, administered and operated
in accordance with guidance produced by the ACSC.
2. Obtain the ACSC guidelines and ensure they are adhered to.

1. An ICT equipment management policy is developed and implemented detailing
how to install, configure, administer, handle, classify and label ICT equipment.
1. ICT equipment is classified based on the highest sensitivity or classification of data
that it is approved for processing, storing or communicating.
2. ICT equipment classification is updated accordingly and evaluated on a periodic
basis to validate it is up to date.

1. ICT equipment and media are labelled with protective markings reflecting their
sensitivity or classification.
2. ICT equipment and media labels are updated accordingly and evaluated on a
periodic basis to validate they are up to date.

1. Before applying labels to external surfaces of high assurance ICT equipment, the
Australian Cyber Security Centre (ACSC)'s approval is obtained.
2. Approvals are retained in a repository, and ICT equipment is labeled according to
the approval provided.
1. The ICT equipment management policy details how ICT equipment is handled.
2. ICT equipment handling adheres to this policy; any transfers of, or changes to,
equipment are documented, and the equipment is appropriately sanitized if needed.

1. All high assurance ICT equipment repairs are documented and retained.
2. Prior to any repairs occurring, ACSC's approval is obtained and their guidance is
followed.

1. A process is documented and followed for cleared personnel to escort uncleared
technicians during maintenance or repair activities.
2. If an uncleared technician is used to undertake maintenance or repairs of ICT
equipment, the technician is escorted by someone who:
• is appropriately cleared and briefed
• takes due care to ensure that data is not disclosed
• takes all responsible measures to ensure the integrity of the ICT equipment
• has the authority to direct the technician
• is sufficiently familiar with the ICT equipment to understand the work being
performed.

1. All maintenance and repair activities for ICT equipment are documented and
retained.
2. After a maintenance or repair activity has been completed, the ICT equipment is
inspected to confirm it retains its approved software configuration, and the
inspection is documented.
3. Any unauthorized modifications to the ICT equipment are reversed immediately.

1. ICT equipment sanitization and disposal processes and procedures are established,
documented and maintained.
2. Labels and markings that can associate the ICT equipment with its original use are
removed prior to disposal.
3. All ICT equipment that is disposed of is documented, with evidence that any owner,
sensitivity, classification and other markings were removed prior to disposal.

1. ICT equipment sanitization and disposal processes and procedures are established,
documented and maintained.
2. When disposing of ICT equipment that was specifically designed or modified to
meet emanation security standards, ACSC shall be contacted for requirements
relating to secure disposal.
3. ACSC instructions are adhered to, and documentation of the disposal is recorded.

1. ICT equipment, including associated media, that is located overseas, and has
processed or stored AUSTEO or AGAO data shall be sanitized in situ.
2. Documentation of the ICT equipment being sanitized in situ shall be retained.

1. ICT equipment, including associated media, that is located overseas, and has
processed, stored, or communicated AUSTEO or AGAO data that cannot be sanitized
in situ is returned to Australia for destruction.
2. Records of ICT equipment returned to Australia for destruction shall be retained.

1. Sanitization and disposal procedures for printers and multifunction devices (MFDs)
are established, documented and maintained.
2. At least three pages of random text with no blank areas are printed on each color
printer cartridge or MFD print drum in order to sanitize it.
1. Sanitization and disposal procedures of printers and multifunction devices is
established, documented and maintained.
2. MFD print drums and image transfer rollers are inspected and destroyed if there is
remnant toner which cannot be removed or if a print is visible on the image transfer
roller.

1. Printer and MFD platens are inspected and destroyed if any images are retained on
the platen.
1. Printers, MFDs, and fax machines are periodically evaluated and checked to ensure
no pages are trapped in the paper path due to a paper jam.

1. Printer cartridges and MFD print drums that cannot be sanitized are destroyed in
the same manner as electrostatic memory devices.

1. Printer ribbons in printers and MFDs are removed and destroyed.

1. Sanitization processes and procedures for televisions and computer monitors are
established, documented and maintained.
2. Televisions and computer monitors with minor burn-in or image persistence are
sanitized by displaying a solid white image on the screen for an extended period of
time.
1. Televisions and computer monitors that cannot be sanitized are destroyed.

1. Sanitization processes and procedures for network devices are established,
documented and maintained.
2. Memory in network devices is sanitized using the following processes, in order of
preference:
• following device-specific guidance provided by the ACSC
• following vendor sanitization guidance
• loading a dummy configuration file, performing a factory reset and then reinstalling
firmware.

1. If the paper tray of the fax machine is removed, prior to the paper tray being re-
installed, a fax message with a minimum length of four pages shall be transmitted
first, to allow a fax summary page to be printed.

1. Rewritable media is sanitized after each data transfer when transferring data
manually between two systems belonging to different security domains.
2. Evidence of the sanitization is documented and retained.

1. Ensure policies and procedures are documented as well as maintained for volatile
media sanitization highlighting that:-
• Records are maintained for the volatile media sanitized
• Volatile media is sanitized either by removing power from the media for at least 10
minutes or by overwriting it in its entirety with a random pattern
• Read back verification is done after an overwrite

2. Ensure the following and corresponding evidence/artefacts are maintained:-
• Records of the volatile media sanitized
• Volatile media is sanitized either by removing power from the media for at least 10
minutes or by overwriting it in its entirety with a random pattern
• Read back verification is done after an overwrite
1. Ensure policies and procedures are documented as well as maintained for volatile
media sanitization highlighting that:-
• Records are maintained for the volatile media sanitized
• SECRET and TOP SECRET volatile media is sanitized by overwriting it at least once
in its entirety with a random pattern followed by a read back for verification.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the volatile media sanitized.
• SECRET and TOP SECRET volatile media is sanitized by overwriting it at least once
in its entirety with a random pattern followed by a read back for verification.

1. Ensure policies and procedures are documented as well as maintained for
non-volatile magnetic media sanitization highlighting that:-
• Records are maintained for the non-volatile magnetic media sanitized
• The host-protected area (HPA) and device configuration overlay (DCO) table of
non-volatile magnetic media are reset prior to sanitization

2. Ensure the following and corresponding evidence/artefacts are maintained:
• Records of the non-volatile magnetic media sanitized
• The host-protected area and device configuration overlay table of non-volatile
magnetic media are reset prior to sanitization

1. Ensure policies and procedures are documented as well as maintained for
non-volatile magnetic media sanitization highlighting that:-
• Records are maintained for the non-volatile magnetic media sanitized
• Non-volatile magnetic media is sanitized by overwriting the media at least once (or
three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern
followed by a read back for verification.

2. Ensure the following and corresponding evidence/artefacts are maintained:-
• Records of the non-volatile magnetic media sanitized
• Non-volatile magnetic media is sanitized by overwriting the media at least once (or
three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern
followed by a read back for verification.

1. Ensure policies and procedures are documented as well as maintained for
non-volatile magnetic media sanitization highlighting that:-
• Records are maintained for the non-volatile magnetic media sanitized
• The ATA secure erase command is used, in addition to block overwriting software,
to ensure the growth defects table (g-list) is also overwritten

2. Ensure the following and corresponding evidence/artefacts are maintained:-
• Records of the non-volatile magnetic media sanitized
• The ATA secure erase command is used, in addition to block overwriting software,
to ensure the growth defects table (g-list) is also overwritten
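The overwrite-and-read-back steps in the three magnetic media narratives above can be exercised end to end on a file-backed image standing in for the drive. The following is an added example written for this page, not code from the CCF or from the ACSC. It assumes a POSIX host and uses a file, constructed inline, in place of a device path such as /dev/sdX. Resetting the HPA/DCO and issuing ATA secure erase act on the drive itself (typically with hdparm -N, hdparm --dco-restore and hdparm --security-erase, before and after the overwrite respectively) and are outside this script. The random pattern is regenerated from a per-pass seed with SHAKE-256, so read-back verification never needs a stored copy of what was written, and the returned record is the kind of evidence the "records are maintained" bullet asks for.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # bytes per I/O; the chunk index is mixed into the pattern


def pattern_block(seed: bytes, index: int, size: int) -> bytes:
    """Deterministic pseudo-random block for chunk `index`, derived from `seed` with SHAKE-256."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(size)


def _medium_size(f) -> int:
    """os.path.getsize() reports 0 for block devices; seeking to the end works for files and devices."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite_pass(path: str, seed: bytes) -> int:
    """Overwrite the whole medium once with the seed-derived random pattern. Returns bytes written."""
    with open(path, "r+b") as f:
        size = _medium_size(f)
        for index, offset in enumerate(range(0, size, CHUNK)):
            f.write(pattern_block(seed, index, min(CHUNK, size - offset)))
        f.flush()
        os.fsync(f.fileno())
        # Drop cached pages so the read-back comes from the medium rather than the page cache (Linux).
        if hasattr(os, "posix_fadvise"):
            os.posix_fadvise(f.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
    return size


def verify_pass(path: str, seed: bytes) -> bool:
    """Read every byte back and compare it with the regenerated pattern."""
    with open(path, "rb") as f:
        size = _medium_size(f)
        for index, offset in enumerate(range(0, size, CHUNK)):
            want = pattern_block(seed, index, min(CHUNK, size - offset))
            if f.read(len(want)) != want:
                return False
    return True


def sanitize(path: str, passes: int) -> dict:
    """Run `passes` overwrite passes, each followed by read-back verification; return the log record."""
    record = {"path": path, "passes_required": passes, "passes": []}
    for n in range(1, passes + 1):
        seed = os.urandom(32)  # a fresh random pattern for every pass
        written = overwrite_pass(path, seed)
        ok = verify_pass(path, seed)
        record["passes"].append({"pass": n, "bytes": written, "verified": ok,
                                 "seed_sha256": hashlib.sha256(seed).hexdigest()})
        if not ok:
            break  # a failed read-back means the medium must be destroyed instead
    record["verified"] = len(record["passes"]) == passes and all(p["verified"] for p in record["passes"])
    return record


def demo(passes: int = 2) -> dict:
    """Constructed example: a 300 KiB image holding a recognisable marker, sanitized `passes` times."""
    marker = b"SECRET//AUSTEO sample record "
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(marker * (300 * 1024 // len(marker)))
        path = img.name
    try:
        record = sanitize(path, passes)
        with open(path, "rb") as f:
            record["marker_remaining"] = marker in f.read()
    finally:
        os.unlink(path)
    return record


def demo_tamper_detection() -> bool:
    """Read-back must fail when even one byte on the medium differs from what was written."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"\x00" * (2 * CHUNK + 17))  # deliberately not chunk-aligned
        path = img.name
    try:
        seed = os.urandom(32)
        overwrite_pass(path, seed)
        clean = verify_pass(path, seed)
        with open(path, "r+b") as f:
            f.seek(CHUNK + 5)
            byte = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([byte[0] ^ 0x01]))  # simulate a sector the drive failed to take
        return clean and not verify_pass(path, seed)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
    print("tamper detected:", demo_tamper_detection())
```

Running sanitize with passes=2 gives the flash-memory rule and passes=1 (or 3) the magnetic media rule; the tamper helper shows that a single byte the medium failed to take fails verification rather than being silently accepted. An overwrite issued from the host never reaches sectors the drive has already reallocated to its g-list, which is why the narrative pairs block overwriting with ATA secure erase.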
1. Ensure policies and procedures are documented as well as maintained for Non-
volatile media sanitization highlighting that:-
• Records are maintained for the Non-volatile EPROM media sanitized
• Non-volatile EPROM media is sanitized by applying three times the manufacturer’s
specified ultraviolet erasure time and then overwriting it at least once in its entirety
with a random pattern followed by a read back for verification.
• Non-volatile EEPROM media is sanitized by overwriting it at least once in its entirety
with a random pattern followed by a read back for verification.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the Non-volatile EPROM media sanitized
• Non-volatile EPROM media is sanitized by applying three times the manufacturer’s
specified ultraviolet erasure time and then overwriting it at least once in its entirety
with a random pattern followed by a read back for verification.
• Non-volatile EEPROM media is sanitized by overwriting it at least once in its entirety
with a random pattern followed by a read back for verification.

1. Ensure policies and procedures are documented as well as maintained for Non-
volatile media sanitization highlighting that:-
• Records are maintained for the Non-volatile flash memory media sanitized
• Media is sanitized by overwriting the media at least twice in its entirety with a
random pattern followed by a read back for verification.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the Non-volatile flash memory media sanitized
• Non-volatile flash memory media is sanitized by overwriting the media at least
twice in its entirety with a random pattern followed by a read back for verification.
1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• Destruction of the media types listed below prior to disposal:
- microfiche and microfilm
- optical discs/semiconductor memory (using either furnace/incinerator, hammer mill,
disintegrator, grinder/sander or cutting destruction methods.)
- programmable read-only memory
- read-only memory
- other types of media that cannot be sanitized
- faulty media that cannot be successfully sanitized

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the media disposal
• Destruction of the media types listed below prior to disposal :
- microfiche and microfilm
- optical discs/semiconductor memory (using either furnace/incinerator, hammer mill,
disintegrator, grinder/sander or cutting destruction methods.)
- programmable read-only memory
- read-only memory
- other types of media that cannot be sanitized
- faulty media that cannot be successfully sanitized

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
•Records are maintained for the media disposal
•SCEC or ASIO approved equipment is used when destroying media prior to disposal.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


•Records of the media disposal
•SCEC or ASIO approved equipment is used when destroying media prior to disposal.

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• If using degaussers to destroy media prior to disposal, degaussers evaluated by the
United States’ National Security Agency are used.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the media disposal
• If degaussers are used to destroy media prior to disposal, degaussers evaluated by
the United States' National Security Agency are used
1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• Equipment used to destroy microfiche and microfilm prior to disposal is capable of
reducing microform to a fine powder, with resultant particles not showing more than
five consecutive characters per particle upon microscopic inspection

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records are maintained for the media disposal
• Equipment used to destroy microfiche and microfilm prior to disposal is capable of
reducing microform to a fine powder, with resultant particles not showing more than
five consecutive characters per particle upon microscopic inspection

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• The resulting waste for all destruction methods, except for furnace/incinerator and
degausser, is stored and handled appropriately.
• The cutting destruction method results in media waste particles no larger than 9 mm.

2. Ensure the following and corresponding evidence/artefacts are maintained:-
• Records are maintained for the media disposal
• The resulting waste for all destruction methods prior to disposal, except for
furnace/incinerator and degausser, is stored and handled appropriately.
• The cutting destruction method results in media waste particles no larger than 9 mm.

1. Ensure policies and procedures are documented and maintained highlighting that a
degausser of sufficient field strength for the coercivity of the magnetic media is used
prior to disposal.

2. Ensure that a degausser of sufficient field strength for the coercivity of the
magnetic media is used prior to disposal, and corresponding evidences/artefacts are
maintained.

1. Ensure policies and procedures are documented and maintained highlighting that a
degausser capable of the magnetic orientation (longitudinal or perpendicular) of the
magnetic media is used prior to disposal.

2. Ensure that a degausser capable of the magnetic orientation (longitudinal or
perpendicular) of the magnetic media is used prior to disposal and corresponding
evidence/artefacts are maintained.
1. Ensure policies and procedures are documented and maintained highlighting that
any product-specific directions provided by degausser manufacturers are followed
prior to disposal.

2. Ensure that any product-specific directions provided by degausser manufacturers
are followed prior to disposal and corresponding evidence/artefacts are maintained.

1. Ensure policies and procedures are documented and maintained highlighting that
following destruction of magnetic media using a degausser, the magnetic media is
physically damaged by deforming the internal platters by any means prior to
disposal.

2. Ensure that following destruction of magnetic media using a degausser, the
magnetic media is physically damaged by deforming the internal platters by any
means prior to disposal and corresponding evidence/artefacts are maintained.

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• The destruction of media is performed under the supervision of at least one person
cleared to the sensitivity or classification of the media being destroyed.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records are maintained for the media disposal
• The destruction of media is performed under the supervision of at least one person
cleared to the sensitivity or classification of the media being destroyed.

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• The destruction of accountable material is performed under the supervision of at
least two personnel cleared to the sensitivity or classification of the media being
destroyed.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records are maintained for the media disposal
• The destruction of accountable material is performed under the supervision of at
least two personnel cleared to the sensitivity or classification of the media being
destroyed.
1. Ensure policies and procedures are documented and maintained highlighting that
when outsourcing the destruction of media to an external destruction service, a
National Association for Information Destruction AAA certified destruction service with
endorsements, as specified in ASIO’s PSC-167, is used.

2. Ensure that when outsourcing the destruction of media to an external destruction
service, a National Association for Information Destruction AAA certified destruction
service with endorsements, as specified in ASIO's PSC-167, is used and
corresponding evidence/artefacts are maintained.

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• The destruction of media storing accountable material is not outsourced.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the media disposal
• The destruction of media storing accountable material is not outsourced

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• Following sanitization, destruction or declassification, a formal administrative
decision is made to release media, or its waste, into the public domain.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the media disposal
• Post sanitization, destruction or declassification, a formal administrative decision is
made to release media, or its waste, into the public domain.

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that:-
• Records are maintained for the media disposal
• Labels and markings indicating the sensitivity, classification, owner or any other
marking that can associate media with its original use, are removed prior to disposal.

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• Records of the media disposal
• Labels and markings indicating the sensitivity, classification, owner or any other
marking that can associate media with its original use, are removed prior to disposal.
1. Ensure policies and procedures are documented and maintained pertaining to
standard operating environments(SOEs) highlighting following:-
• List of standard operating environments (SOEs) and corresponding details used for
all workstations is maintained
• Scans are performed on SOEs for malicious content and configurations prior to
usage.
• Annual reviews and corresponding updates done on SOEs

2. Ensure following and corresponding evidences/ artefacts are maintained:-


• List of standard operating environments (SOEs) and corresponding details used for
all workstations is maintained
• Scans are performed on SOEs for malicious content and configurations prior to
usage.
• Annual reviews and corresponding updates done on SOEs

1. Ensure policies and procedures are documented and maintained such that
personnel who are contractors are identified as such.

2. Ensure personnel who are contractors are identified as such and corresponding
artefacts are maintained.

1. Ensure policies and procedures are documented and maintained such that
personnel who are foreign nationals are identified as such, including by their specific
nationality.

2. Ensure personnel who are foreign nationals are identified as such, including by
their specific nationality, and corresponding artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that foreign nationals, including seconded foreign
nationals, do not have access to systems that process, store or communicate AUSTEO
or REL data unless effective security controls are in place to ensure such data is not
accessible to them.

2. Ensure following and corresponding artefacts are maintained:-

• List of foreign nationals including seconded foreign nationals and list of systems
that process, store or communicate AUSTEO or REL data as well as corresponding
implemented security controls testing results for effectiveness.

• Periodic review of users with the access to the systems in the above list in order to
ensure that access is only provisioned for foreign nationals including seconded
foreign nationals if effective security controls are in place.
1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that foreign nationals, excluding seconded foreign
nationals, do not have access to systems that process, store or communicate AGAO
data unless effective security controls are in place to ensure such data is not
accessible to them.

2. Ensure following and corresponding artefacts are maintained:-

• List of foreign nationals excluding seconded foreign nationals and list of systems
that process, store or communicate AGAO data as well as corresponding
implemented security controls testing results for effectiveness.

• Periodic review of users with the access to the systems in the above list in order to
ensure that access is only provisioned for foreign nationals excluding seconded
foreign nationals if effective security controls are in place.

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that foreign nationals, excluding seconded foreign
nationals, do not have privileged access to systems, applications and data
repositories.

2. Ensure following and corresponding artefacts are maintained:-

• List of foreign nationals excluding seconded foreign nationals and list of systems,
applications and data repositories.

• Periodic review of users with the access to the systems, applications and data
repositories in the above list in order to ensure that no match with the list of foreign
nationals excluding seconded foreign nationals

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that foreign nationals, including seconded foreign
nationals, do not have privileged access to systems that process, store or
communicate AUSTEO or REL data.

2. Ensure the following and corresponding artefacts are maintained:-

• List of foreign nationals including seconded foreign nationals and list of systems
that process, store or communicate AUSTEO or REL data.

• Periodic review of the users with the privileged access to the systems in the above
list to ensure no match with the users in the list of foreign nationals including
seconded foreign nationals
1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that foreign nationals, excluding seconded foreign
nationals, do not have privileged access to systems that process, store or
communicate AGAO data.

2. Ensure following and corresponding artefacts are maintained:-

• List of foreign nationals excluding seconded foreign nationals and list of systems
that process, store or communicate AGAO data is maintained.

• Periodic review of the users with the privileged access to the systems in the above
list to ensure no match with the users in the list of foreign nationals excluding
seconded foreign nationals

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that upon identifying malicious activities, access to
systems, applications and data repositories is removed or suspended within 24
hours.

2. Ensure the following and corresponding artefacts are maintained:-

• Malicious activity monitoring and identification (alerting) is in place, evidenced by
records/logs/reports
• Periodic review, evidenced by records/logs/reports, confirming that access to
systems, applications and data repositories is removed or suspended within 24 hours
of identifying malicious activity
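The periodic review in the second bullet above can be run mechanically over the alerting and identity logs. The following is an added example written for this page, not code from the CCF; the log line format, the sample lines and the review date are all constructed. It pairs each malicious-activity alert with the first suspension or removal of that user at or after the alert and reports anything outside the 24-hour window, including alerts that nobody has acted on yet once they age past the window.

```python
from datetime import datetime, timedelta, timezone
import re

SLA = timedelta(hours=24)

# Constructed sample lines, not from any real system: "<UTC timestamp> <event> user=<id> ...".
SAMPLE_LOG = """\
2024-03-02T09:15:00Z ALERT user=jdoe rule=credential-dumping
2024-03-02T20:40:00Z ACCESS_SUSPENDED user=jdoe by=soc-analyst
2024-03-03T11:00:00Z ALERT user=asmith rule=lateral-movement
2024-03-03T11:05:00Z LOGIN user=asmith src=10.0.0.7
2024-03-05T08:30:00Z ACCESS_REMOVED user=asmith by=iam-admin
2024-03-04T02:00:00Z ALERT user=bkhan rule=data-exfiltration
"""

LINE_RE = re.compile(r"^(\S+)\s+(ALERT|ACCESS_SUSPENDED|ACCESS_REMOVED)\s+user=(\S+)")


def parse_events(log_text: str) -> list:
    """Return (timestamp, kind, user) tuples in time order; unrelated event types are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def review_access_removal(log_text: str, now: datetime) -> list:
    """For each alert, find the first suspension/removal of that user at or after it.

    status: 'met' (acted on within 24h), 'open' (not yet acted on but still inside 24h of `now`),
    'breached' (acted on late, or not acted on and the 24h window has already passed).
    """
    events = parse_events(log_text)
    findings = []
    for ts, kind, user in events:
        if kind != "ALERT":
            continue
        actions = [t for t, k, u in events if u == user and k != "ALERT" and t >= ts]
        if actions:
            delta, acted = min(actions) - ts, True
        else:
            delta, acted = now - ts, False
        if delta <= SLA:
            status = "met" if acted else "open"
        else:
            status = "breached"
        findings.append({"user": user, "alert": ts.isoformat(), "acted": acted,
                         "hours": round(delta.total_seconds() / 3600, 2), "status": status})
    return findings


def demo() -> dict:
    """Run the review over the constructed log as of 2024-03-04T12:00Z, keyed by user."""
    now = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
    return {f["user"]: f for f in review_access_removal(SAMPLE_LOG, now)}


if __name__ == "__main__":
    for user, f in demo().items():
        print(f"{user:8} {f['status']:8} {f['hours']:>6}h after alert {f['alert']}")
```

In practice the two event streams come from different systems (SIEM alerts and the IAM audit log), so the join key is the user identifier; normalise it on both sides before matching, and keep the review output itself as one of the records/logs/reports the narrative asks for.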
1. Ensure policies and procedures are documented and maintained corresponding to
access management on the maintenance of records which are secured for the
lifetime of each system covering following:-

• All personnel authorized to access the system, and their user identification
• Who provided authorization for access
• When access was granted
• The level of access that was granted
• When access, and the level of access, was last reviewed
• When the level of access was changed, and to what extent (if applicable)
• When access was withdrawn (if applicable).

2. Ensure that, for all live systems in the environment, access management records
are maintained and secured throughout the lifetime of the system covering the
following:-

• All personnel authorized to access the system, and their user identification
• Who provided authorization for access
• When access was granted
• The level of access that was granted
• When access, and the level of access, was last reviewed
• When the level of access was changed, and to what extent (if applicable)
• When access was withdrawn (if applicable).

1. Ensure policies and procedures are documented and maintained corresponding to
access management with regards to temporary access, highlighting that when
personnel are granted temporary access to a system, effective security controls are
put in place to restrict their access to only the data required for them to undertake
their duties.

2. Ensure that when personnel are granted temporary access to a system, effective
security controls are put in place to restrict their access to only the data required for
them to undertake their duties, and corresponding artefacts are maintained from the
periodic review of the effectiveness of the security controls restricting access to what
their responsibilities/duties require.

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that temporary access is not granted to systems
that process, store or communicate caveated or sensitive compartmented
information.

2. Ensure that, as part of implementation of the access management documentation
and corresponding controls, temporary access is not granted to systems that process,
store or communicate caveated or sensitive compartmented information and
corresponding artefacts are maintained.
1. Ensure policies and procedures policies and procedures are documented and
maintained corresponding to access management on the usage of emergency access
to systems highlighting that tested at least once when initially implemented, and
each time fundamental information technology infrastructure changes occur.

2. Ensure that emergency access to systems tested at least once when initially
implemented, and each time fundamental information technology infrastructure
changes occur. Additionally corresponding artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
access management on the usage of break glass accounts, highlighting the following:
• Break glass accounts are only used when normal authentication processes cannot
be used and only for specific authorized activities.
• Usage of the break glass account is monitored and audited to confirm that access
as well as usage was appropriate.
• Once access is no longer required, the access credentials for the break glass
account are updated to prevent unauthorized access.
• Once credentials are changed, the break glass account access is tested again.

2. Ensure the following, and that corresponding evidence/artefacts are maintained:
• Break glass accounts are only used when normal authentication processes cannot
be used, and only for specific authorized activities.
• Break glass account usage is logged and monitored in order to confirm that usage
as well as access was appropriate.
• When access is no longer required, the access credentials for the break glass
account are updated to prevent unauthorized access.
• Once credentials are changed, the break glass account access is tested again.

1. Ensure policies and procedures are documented and maintained corresponding to
password management highlighting that the minimum password requirement for multi-
factor authentication is 10 characters on TOP SECRET systems.

2. Ensure that as a part of implementation of the password management
documentation, within the configuration settings the minimum password requirement for
multi-factor authentication is 10 characters on TOP SECRET systems. Additionally,
corresponding artefacts/evidences are also maintained.
1. Ensure policies and procedures are documented and maintained corresponding to
service account creation highlighting that service accounts are created as group
managed service accounts.

2. Ensure that as a part of implementation all service accounts are created as group
managed service accounts; this is validated by periodically reviewing the list of
service accounts and comparing it with the list of group managed service accounts.
Additionally, corresponding artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
authentication highlighting that authentication methods susceptible to replay attacks
are disabled.

2. Ensure that as a part of implementation of the authentication documentation and
corresponding controls, authentication methods implemented are not susceptible to
replay attacks and corresponding artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
authentication highlighting that LAN manager and NT LAN manager authentication
methods are disabled.

2. Ensure that as a part of implementation of the authentication documentation and
corresponding controls, LAN manager and NT LAN manager authentication methods
are disabled and corresponding artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
privileged access management highlighting that users associated with privileged
accounts are members of the protected users security group.

2. Ensure that as a part of implementation of the policies and procedures
corresponding to privileged access management:-
• Users having privileged accounts are members of the protected users security
group

• Periodic validation between privilege account users and protected user security
group members is done and corresponding artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
password management highlighting that credentials are stored separately from
systems to which they grant access.

2. Ensure that as a part of implementation of the password management
documentation credentials are stored separately from systems to which they grant
access and corresponding artefacts/ evidences are also maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
password management highlighting stored passwords/passphrases are secured by
ensuring they are hashed, salted and stretched.

2. Ensure that as a part of implementation of the password management
documentation stored passwords/passphrases are secured by ensuring they are
hashed, salted and stretched. Additionally, corresponding artefacts/ evidences are
also maintained.
1. Ensure policies and procedures are documented and maintained corresponding to
password management highlighting that passwords/passphrases are changed if:-
• they are directly compromised
• they are suspected of being compromised
• they appear in online data breach databases
• they are discovered stored in the clear on a network
• they are discovered being transferred in the clear across a network
• membership of a shared account changes
• they have not been changed in the past 12 months.

2. Ensure the following, and that corresponding evidence/artefacts are maintained:
• List of privileged users and the allocated dedicated administrator workstation
• Privileged users, via a sampled allocated dedicated administrator workstation, cannot
communicate with assets not related to administrative activities

1. Ensure that a system administration process, with supporting system
administration procedures, is developed/documented, maintained (regular review and
approval) and implemented.

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that privileged users use a dedicated administrator
workstation which cannot communicate to assets not related to the administrative
activities, or use separate privileged and unprivileged operating environments when
performing certain tasks.

2. Privileged users shall only use privileged operating environments for performing
privileged tasks, and all other activity shall use the unprivileged operating
environments.

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that privileged users are assigned an unprivileged
administration account for authenticating to their dedicated administrator
workstation.

2. Ensure the following, and that corresponding evidence/artefacts are maintained:
• List of privileged users and the corresponding assigned unprivileged administration
account
• An unprivileged administration account is assigned to privileged users for
authenticating to their dedicated administrator workstation.
1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that file-based access controls are applied to
database files and periodic review as well as update of the corresponding access
privileges/ rights is also conducted.

2. Ensure that file-based access controls are applied to database files, periodic review
as well as update of the corresponding access privileges/ rights is also conducted and
corresponding evidences/artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
password/passphrase management for authentication highlighting that passphrases
stored in databases are hashed with a uniquely salted Australian Signals Directorate
Approved Cryptographic Algorithm.

2. Ensure that for secure password/passphrase storage, passphrases stored in
databases are hashed with a uniquely salted Australian Signals Directorate Approved
Cryptographic Algorithm and corresponding evidences/artefacts are maintained.
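This control and the earlier one requiring stored passwords/passphrases to be hashed, salted and stretched describe the same mechanism. As an added example (not from the CCF narratives or any Cisco code), the following Python stores a passphrase with PBKDF2-HMAC-SHA256, drawing a fresh random salt per record and iterating the hash to stretch it; SHA-256 belongs to the SHA-2 family the framework lists as approved, while the 600,000 iteration count and the record format are assumptions of this example.

```python
import hashlib
import hmac
import os

# PBKDF2 parameters (assumed values for this example, not taken from the CCF).
# SHA-256 is within the SHA-2 family the framework lists as approved; the
# iteration count is the "stretching" step that slows offline guessing.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_passphrase(passphrase: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A new random salt is drawn on every call, so two users with the same
    passphrase (or one user re-enrolling) never produce the same record.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, passphrase.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_passphrase(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iteration_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iteration_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != f"pbkdf2_{HASH_NAME}" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def record_is_stretched(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """Audit helper: does a stored record meet the current iteration floor?

    Records created under an older, weaker policy should be re-hashed at the
    user's next successful login.
    """
    parts = record.split("$")
    return len(parts) == 4 and parts[1].isdigit() and int(parts[1]) >= minimum_iterations


if __name__ == "__main__":
    # Constructed sample passphrase for demonstration only.
    r1 = hash_passphrase("correct horse battery staple")
    r2 = hash_passphrase("correct horse battery staple")
    print("records differ (unique salt):", r1 != r2)
    print("verify correct:", verify_passphrase(r1, "correct horse battery staple"))
    print("verify wrong:  ", verify_passphrase(r1, "correct horse battery stapler"))
```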

1. Assign privileged users a dedicated privileged account, to be used solely for
tasks requiring privileged access.

1. Obtain Access Management process and policy
2. Systems, applications, and data repositories shall be configured such that:
• Access to data repositories, and privileged/unprivileged access to systems and
applications, is disabled after it has not been used for a period of 45 days.

1. Verify split tunnelling is disabled on all network devices when accessing an
Organization's network via a VPN connection

1. Ensure policies and procedures are documented and maintained corresponding to
account permissions highlighting that privileged and unprivileged accounts
(excluding backup administrators) do not have permissions in place to modify, delete,
or access other accounts or their own account's backups.
2. Verify privileged and unprivileged accounts (excluding backup administrators) do
not have the ability to modify, delete, or access other accounts or their own account's
backups.

1. Ensure policies and procedures are documented as well as maintained highlighting
that trusted sources for SECRET and TOP SECRET systems are limited to people and
services that have been authorized as such by an Organization's Chief Information
Security Officer.
2. Validate all sources with access to SECRET and TOP SECRET systems were
approved by the CISO prior to gaining access

1. Obtain Log management procedure
2. Ensure changes to privileged accounts and groups are logged
3. Retain logs and ensure they are available for review whenever required
1. Ensure policies and procedures are documented and maintained corresponding to
account permissions highlighting that backup administrator accounts (excluding
backup break glass accounts) do not have permissions in place for modifying or
deleting backups.
2. Verify backup administrator accounts (excluding backup break glass accounts) do
not have the ability to modify or delete backups.

1. Access to privileged accounts shall be limited. Privileged accounts can be defined
as any account with direct access to production, or ability to make direct changes.
2. Such Privileged accounts shall not be used to access the internet, email, and web
services.
3. Accounts used to access the internet, email, and web services shall have limited
access (i.e. no direct edit access), and dedicated accounts for them. These accounts
shall be closely monitored to validate no inappropriate changes are made.

1. Ensure policies and procedures are documented and maintained corresponding to
access management highlighting that privileged operating environments cannot be
virtualized within unprivileged operating environments

2. Verify privileged operating environments cannot be virtualized within unprivileged
operating environments

1. Obtain Access Management process and policy
2. Systems, applications, and data repositories shall be configured such that
privileged access to systems, applications, and data repositories is automatically
disabled after a period of twelve months unless revalidated.

1. Ensure policies and procedures are documented and maintained corresponding to
password management highlighting that:
• Passphrases used for single-factor authentication are at least 4 random words with
a total minimum length of 14 characters, unless more stringent requirements apply.
• Passphrases used for single-factor authentication on SECRET systems are at least 5
random words with a total minimum length of 17 characters.
• Passphrases used for single-factor authentication on TOP SECRET systems are at
least 6 random words with a total minimum length of 20 characters.

2. Ensure that as a part of implementation of the password management
documentation within the configuration settings minimum password requirements
include:
• Passphrases used for single-factor authentication are at least 4 random words with
a total minimum length of 14 characters, unless more stringent requirements apply.
• Passphrases used for single-factor authentication on SECRET systems are at least 5
random words with a total minimum length of 17 characters.
• Passphrases used for single-factor authentication on TOP SECRET systems are at
least 6 random words with a total minimum length of 20 characters.
Additionally, corresponding artefacts/ evidences are also maintained.

1. Ensure media management policy is documented, maintained (regular review and
approval), implemented and corresponding records/artefacts are also maintained.

1. Ensure removable media usage policy is documented, maintained (regular review and
approval), implemented and corresponding records/artefacts are also maintained.
1. Ensure policies and procedures are documented and maintained corresponding to
media management and removable media usage highlighting that when media is
connected to a system with a higher sensitivity or classification, the media is
reclassified to the higher sensitivity or classification, unless the media is read-only
or the system has a mechanism through which read-only access can be ensured.

2. Ensure that when media is connected to a system with a higher sensitivity or
classification, the media is reclassified to the higher sensitivity or classification,
unless the media is read-only or the system has a mechanism through which read-
only access can be ensured, and corresponding evidences/artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
media management and removable media usage highlighting that to reclassify media
to a lower sensitivity or classification, the media is sanitized (unless the media is
read-only) and a formal administrative decision (in consultation with data owners) is
made to reclassify the media.

2. Ensure that to reclassify media to a lower sensitivity or classification, the media is
sanitized (unless the media is read-only) and a formal administrative decision (in
consultation with data owners) is made to reclassify the media. Additionally,
corresponding evidences/artefacts are maintained.

1. Ensure policies and procedures are documented and maintained corresponding to
media management and removable media usage highlighting that media is
encrypted.

2. Ensure that media is encrypted and corresponding evidences/artefacts are
maintained.
1. Ensure policies and procedures are documented and maintained corresponding to
media management and removable media usage highlighting that media is only used
with systems that are authorized to process, store or communicate based on the
sensitivity or classification of the media.

2. Ensure that media is only used with systems which are authorized to process, store
or communicate based on the sensitivity or classification of the media and
corresponding evidences/artefacts are maintained.

1. The media management and removable media usage policy documentation covers
disabling of automatic execution features for media in the operating system of
systems
2. The system's operating system is configured to disable any automatic execution
features for media
1. The media management and removable media usage policy documentation covers
no-write permissions to media without a valid and approved business requirement for
its use
2. Write permissions to media is disabled via device access control software unless
an approved business justification is in place for its use
3. Review business requirement for writing to media on a periodic basis to ensure
media is prevented from being written to if the business requirement is no longer
valid or if there is no business requirement for its use

1. The media management and removable media usage policy documentation covers
transferring of data manually between two systems belonging to different security
domains
2. When transferring data manually between two systems of different security
domains, either of the below is considered:
• write-once media is used
• the destination system is configured to ensure read-only access

1. Obtain the consumer guide (if it exists) for evaluated encryption software in use
2. If it exists, follow the sanitization and post-sanitization requirements stated in the
consumer guide

1. Operating system hardening guidelines and documentation are established and
maintained
2. Operating system hardening reports are maintained for successful hardening
3. Operating system configuration gap assessments reports are created and gaps are
closed in time
4. Deviations/exceptions to the established system hardening guidelines are
documented and approved
5. Operating system hardening guidelines include the below:
• Unused operating system accounts, software, components, services and
functionality are removed or disabled
• Standard users are prevented from bypassing, disabling or modifying security
functionality of operating systems
• Standard users are prevented from running script execution engines, including:
- Windows Script Host (cscript.exe and wscript.exe)
- PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
- Command Prompt (cmd.exe)
- Windows Management Instrumentation (wmic.exe)
- Microsoft HTML Application Host (mshta.exe)
• Local administrator accounts are disabled
• Application control is implemented on all workstations to restrict the execution of
executables, software libraries, scripts and installers to an approved set
• Application control is implemented on all servers to restrict the execution of
executables, software libraries, scripts and installers to an approved set
• Unique domain accounts with local administrative privileges, but without domain
administrative privileges, are used for workstation and server management
1. Where applicable, application security best practices are documented and
maintained, and the following are covered:
• Application controls are implemented using cryptographic hash rules, publisher
certificate rules or path rules
• Validate cryptographic hash rules, publisher certificate rules and path rules used for
application control at least annually
• When implementing application control using path rules, file system permissions
are configured to prevent unauthorized modification of folder and file permissions,
folder contents (including adding new files) and individual files that are approved to
execute
• All users (with the exception of privileged users when performing specific
administrative activities) cannot disable, bypass or be exempted from application
controls
• Standard users are prevented from bypassing, disabling or modifying security
functionality of applications

1. Where applicable, implement application control using publisher certificate rules
such that both publisher names as well as product names are used

1. Where applicable, configure application control to generate event logs
2. Where applicable, event logs for failed execution attempts include the following at
minimum:
• name of the blocked file
• date/time stamp
• username of the user attempting to execute the file

1. HIPS is installed on all workstations and high value servers, such as:
• authentication servers
• Domain Name System (DNS) servers
• web servers
• file servers
• email servers
2. The network architecture diagram depicts host-based intrusion prevention system
implemented within the infrastructure

1. Disable communication interfaces of workstations and servers that allow DMA
(Direct Memory Access)
2. Where not required, remove or prevent physical connections to ports allowing high
speed access (that permit direct memory access) to prevent external devices from
being connected

1. Where applicable, the configuration of the software-based isolation mechanism is
hardened by taking into consideration the following:
• removing unneeded functionality
• restricting access to the administrative interface used to manage the isolation
mechanism
• applying timely patches to the isolation mechanism and underlying operating
system
• ensuring the isolation mechanism is from a vendor that applies secure coding
practices
Where applicable,
1. The physical server and all computing environments running on the physical server
are of the same classification for SECRET or TOP SECRET workloads
2. The physical server and all computing environments running on the physical server
are within the same security domain

1. Approved algorithms (Australian Signals Directorate Approved Cryptographic
Algorithm) are used for encryption software when the organization wishes to reduce
the physical storage or handling requirements for ICT equipment or media containing
sensitive data.
There are 3 categories of AACAs - asymmetric algorithms, hashing algorithms, and
symmetric encryption algorithms:
• Approved asymmetric algorithms include the below; however, ECDH and ECDSA are
recommended in preference to DH and DSA:
- Diffie-Hellman (DH) for agreeing on encryption session keys
- Digital Signature Algorithm (DSA) for digital signatures
- Elliptic Curve Diffie-Hellman (ECDH) for key exchange
- Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures
- Rivest-Shamir-Adleman (RSA) for digital signatures and passing encryption session
keys or similar keys
• Approved hashing algorithm is SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)
• Approved symmetric encryption algorithms include:
- AES 128, 192 and 256 bits
- 3DES using 3 distinct keys

1. Encryption software that has completed a Common Criteria evaluation against a
Protection Profile is used when encrypting media that contains OFFICIAL, Sensitive or
PROTECTED data. No other methods of encryption shall be used.

1. HACE (High Assurance Cryptographic Equipment) is used when encrypting media
that contains SECRET or TOP SECRET data. No other equipment shall be used for
encrypting media that contains SECRET or TOP SECRET data.

1. For data at rest, HACE is configured to implement full disk encryption, or partial
encryption where access controls will only allow writing to the encrypted partition
1. AACA (Australian Signals Directorate Approved Cryptographic Algorithm) is used
for encryption of AUSTEO (Australian Eyes Only) and AGAO (Australian Government
Access Only) data at rest, in addition to any other encryption already in place
There are 3 categories of AACAs - asymmetric algorithms, hashing algorithms, and
symmetric encryption algorithms:
• Approved asymmetric algorithms include the below; however, ECDH and ECDSA are
recommended in preference to DH and DSA:
- Diffie-Hellman (DH) for agreeing on encryption session keys
- Digital Signature Algorithm (DSA) for digital signatures
- Elliptic Curve Diffie-Hellman (ECDH) for key exchange
- Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures
- Rivest-Shamir-Adleman (RSA) for digital signatures and passing encryption session
keys or similar keys
• Approved hashing algorithm is SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)
• Approved symmetric encryption algorithms include:
- AES 128, 192 and 256 bits
- 3DES using 3 distinct keys

1. Sensitive data is communicated over public network infrastructure and through
unsecured spaces via cryptographic equipment or encryption software that
implements an ASD Approved Cryptographic Protocol (AACP). The AACPs are:
• Transport Layer Security (TLS)
• Secure Shell (SSH)
• Secure/ Multipurpose Internet Mail Extension (S/MIME)
• OpenPGP Message Format
• Internet Protocol Security (IPsec)
• Wi-Fi Protected Access 2 (WPA2)
• Wi-Fi Protected Access 3 (WPA3)

1. Classified data is communicated over official networks, public network
infrastructure and through unsecured spaces via cryptographic equipment or
encryption software that has completed a Common Criteria evaluation against a
Protection Profile

1. AUSTEO (Australian Eyes Only) and AGAO (Australian Government Access Only)
data is protected via an ASD Approved Cryptographic Protocol (AACP) when
communicated across the network infrastructure. The AACPs are:
• Transport Layer Security (TLS)
• Secure Shell (SSH)
• Secure/ Multipurpose Internet Mail Extension (S/MIME)
• OpenPGP Message Format
• Internet Protocol Security (IPsec)
• Wi-Fi Protected Access 2 (WPA2)
• Wi-Fi Protected Access 3 (WPA3)
1. Cryptographic equipment and software use only ASD Approved Cryptographic
Algorithms (AACA) or high assurance cryptographic algorithms
There are 3 categories of AACAs - asymmetric algorithms, hashing algorithms, and
symmetric encryption algorithms:
• Approved asymmetric algorithms include the below; however, ECDH and ECDSA are
recommended in preference to DH and DSA:
- Diffie-Hellman (DH) for agreeing on encryption session keys
- Digital Signature Algorithm (DSA) for digital signatures
- Elliptic Curve Diffie-Hellman (ECDH) for key exchange
- Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures
- Rivest-Shamir-Adleman (RSA) for digital signatures and passing encryption session
keys or similar keys
• Approved hashing algorithm is SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)
• Approved symmetric encryption algorithms include:
- AES 128, 192 and 256 bits
- 3DES using 3 distinct keys

1. When using asymmetric public key algorithms, use Elliptic-curve Diffie–Hellman
(ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) where possible,
instead of Diffie Hellman (DH) and Digital Signature Algorithm (DSA)

1. Ensure the below when using Diffie Hellman (DH) for agreeing on encryption
session keys:
• A modulus of at least 2048 bits is used
• Modulus and associated parameters are selected according to NIST SP 800-56A
Rev. 3

1. Ensure the below when using Digital Signature Algorithm (DSA) for digital
signatures:
• A modulus of at least 2048 bits is used
• Modulus and associated parameters are generated according to Federal Information
Processing Standard (FIPS) 186-4 (Digital Signature Standard)

1. When using elliptic curve cryptography, use a curve from Federal Information
Processing Standard (FIPS) 186-4 (Digital Signature Standard) NIST recommended
elliptic curves

1. Use a base point order and key size of at least 224 bits when using Elliptic-curve
Diffie–Hellman (ECDH) key agreement protocol for agreeing on encryption session
keys

1. Use a base point order and key size of at least 224 bits when using Elliptic Curve
Digital Signature Algorithm (ECDSA) for digital signatures

1. Use a modulus of at least 2048 bits when using RSA for digital signatures, and
passing encryption session keys or similar keys
2. Use a key pair for passing encrypted session keys that is different from the key
pair used for digital signatures when using RSA for digital signatures, and passing
encryption session keys or similar keys
1. Ensure symmetric cryptographic algorithms such as DES or AES are not used in
Electronic Codebook (ECB) mode

1. Where Triple Data Encryption Standard (3DES) is used, use 3 separate keys (i.e.,
ensure the DES algorithm is run 3 times with 3 independent and distinct keys)
1. Use ASD approved cryptographic algorithms (AACAs) for protection of highly
classified data when used in an evaluated implementation
2. Algorithms are given preference in line with the Commercial National Security
Algorithm (CNSA) suite

1. Algorithms are chosen with preference to the Commercial National Security
Algorithm (CNSA) Suite algorithms and key sizes. This includes:
• AES with 256 bit keys
• ECDH with Curve P-384
• ECDSA with Curve P-384
• SHA with 384 bits
• DH with minimum 3072 bit modulus
• RSA with minimum 3072 bit modulus

1. Cryptographic equipment and software use only ASD Approved Cryptographic
Protocols (AACPs) or high assurance cryptographic protocols.
The AACPs are:
• Transport Layer Security (TLS)
• Secure Shell (SSH)
• Secure/ Multipurpose Internet Mail Extension (S/MIME)
• OpenPGP Message Format
• Internet Protocol Security (IPsec)
• Wi-Fi Protected Access 2 (WPA2)
• Wi-Fi Protected Access 3 (WPA3)
2. Disable the use of unapproved protocols, or alternatively maintain usage policies
advising users not to use unapproved protocols

1. Establish and maintain documentation for usage of Transport Layer Security in
communication systems
2. Ensure that communication systems follow the below requirements:
• The latest version of TLS is used
• AES in Galois Counter Mode is used for symmetric encryption
• Only server-initiated secure renegotiation is used
• DH or ECDH is used for key establishment
• The ephemeral variant is used and anonymous DH is not used
• SHA-2-based certificates are used
• Cipher suites are configured to use SHA-2 as part of the Message Authentication
Code and Pseudo-Random Function
• PFS is used for TLS connections
• TLS compression is disabled
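The requirements above that a client can enforce locally (TLS version floor, ephemeral DH/ECDH with PFS, AES in Galois Counter Mode, SHA-2 MAC/PRF, compression off) map onto an OpenSSL cipher policy. As an added example (not from the CCF or any Cisco code), the following Python builds such a context with the standard library ssl module and audits any context against that list; the cipher string and the constructed weak context are assumptions of this example, and certificate hash checks and renegotiation settings are outside what the ssl module exposes.

```python
import ssl

# Cipher string restricted to TLS 1.2 suites with authenticated ephemeral (EC)DH
# key establishment and AES-GCM; the ECDHE/DHE aliases exclude anonymous DH.
# (Assumed policy string for this example, not taken from the CCF narratives.)
TLS12_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"


def hardened_client_context() -> ssl.SSLContext:
    """Client context applying the TLS requirements listed in the control."""
    ctx = ssl.create_default_context()               # cert + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # nothing older than TLS 1.2
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS compression disabled
    ctx.set_ciphers(TLS12_CIPHERS)                   # PFS, AES-GCM, SHA-2 PRF only
    # TLS 1.3 suite selection is not exposed by the ssl module; TLS 1.3 suites are
    # AEAD-only and always use ephemeral key exchange, so they are not audited here.
    return ctx


def weak_example_context() -> ssl.SSLContext:
    """Constructed counter-example: CBC mode with an HMAC instead of AES-GCM."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE-RSA-AES128-SHA256")
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return findings against the control's list; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression is not disabled")
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # see note in hardened_client_context()
        name = suite["name"]
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"{name}: key establishment is not ephemeral (EC)DH, no PFS")
        if "AES" not in name or "-GCM-" not in name:
            findings.append(f"{name}: symmetric cipher is not AES-GCM")
        if not name.endswith(("SHA256", "SHA384")):
            findings.append(f"{name}: MAC/PRF is not SHA-2 based")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_client_context()))
    print("weak:    ", audit_tls_context(weak_example_context()))
```

Auditing `ssl.create_default_context()` itself is also instructive: its default cipher list still admits static RSA key exchange, which this audit reports as a PFS finding.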
1. The use of SSH version 1 is disabled
2. Public key-based authentication is used for SSH connections
3. When SSH-agent or other similar key caching programs are used:
• it is only on workstations and servers with screen locks
• key caches are set to expire within four hours of inactivity, and
• agent credential forwarding is enabled only when SSH traversal is required

1. Where applicable, implement the following configuration settings for the SSH
daemon:
• only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
• have a suitable login banner (Banner x)
• have a login authentication timeout of no more than 60 seconds (LoginGraceTime
60)
• disable host-based authentication (HostbasedAuthentication no)
• disable rhosts-based authentication (IgnoreRhosts yes)
• disable the ability to login directly as root (PermitRootLogin no)
• disable empty passwords (PermitEmptyPasswords no)
• disable connection forwarding (AllowTCPForwarding no)
• disable gateway ports (GatewayPorts no)
• disable X11 forwarding (X11Forwarding no).
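The directive list above is easy to check mechanically, provided the checker honours sshd's own rules: the first occurrence of a keyword wins, an absent keyword takes its sshd_config(5) default (so a missing AllowTcpForwarding means "yes"), and anything after a Match line is conditional. As an added example (not from the CCF or any Cisco code), this Python audits an sshd_config text against the control's list; the sample configurations and the 192.0.2.x documentation address are constructed for the example.

```python
import re

# Defaults from sshd_config(5): an absent directive takes its default, so
# "not mentioned in the file" is not the same as "compliant".
DEFAULTS = {
    "banner": "none",
    "logingracetime": "120",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "x11forwarding": "no",
}
# Yes/no directives the control fixes; Banner, ListenAddress and
# LoginGraceTime need their own checks below.
REQUIRED = {
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Map lowercase keyword -> list of values, global section only.

    Accepts both "Key value" and "Key=value" as sshd does, skips comments,
    and stops at the first `Match` line because later lines are conditional.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        values.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return values


def _seconds(value: str):
    """Parse a simple sshd time value ('60', '30s', '2m', '1h'); None if unparseable."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        return None
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[m.group(2)]


def _is_wildcard(listen: str) -> bool:
    """True for ListenAddress forms that bind every interface (0.0.0.0, ::, [::]:port)."""
    v = listen.strip()
    if v.startswith("["):          # [IPv6]:port
        v = v[1:].split("]")[0]
    elif v.count(":") == 1:        # IPv4:port
        v = v.split(":")[0]
    return v in ("0.0.0.0", "::")


def audit_sshd_config(text: str) -> list:
    """Return findings against the control's directive list; empty means compliant."""
    cfg = parse_sshd_config(text)

    def effective(key):  # first value wins, as in sshd; otherwise the default
        return cfg[key][0].lower() if cfg.get(key) else DEFAULTS[key]

    findings = []
    for key, want in REQUIRED.items():
        got = effective(key)
        if got != want:
            findings.append(f"{key}: expected '{want}', effective value '{got}'")
    listen = cfg.get("listenaddress", [])
    if not listen or any(_is_wildcard(a) for a in listen):
        findings.append("listenaddress: daemon listens on all interfaces")
    if effective("banner") in ("", "none"):
        findings.append("banner: no login banner configured")
    grace = _seconds(effective("logingracetime"))
    if grace is None or grace > 60:
        findings.append("logingracetime: must be at most 60 seconds")
    return findings


# Constructed sample configurations (documentation address, not a real host).
HARDENED_SSHD_CONFIG = """\
ListenAddress 192.0.2.10
Banner /etc/issue.net
LoginGraceTime 60
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
"""
WEAK_SSHD_CONFIG = """\
# Listens everywhere, long grace period, root login, forwarding left at default.
ListenAddress 0.0.0.0
LoginGraceTime 2m
PermitRootLogin yes
Match User backup
    AllowTcpForwarding no
"""
```

Running `audit_sshd_config(WEAK_SSHD_CONFIG)` reports the root login, the wildcard bind, the missing banner, the 120 second grace period and AllowTcpForwarding at its default of yes; the Match-scoped line does not count.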

1. Do not use versions earlier than 3.0 of Secure/Multipurpose Internet Mail Extension
(S/MIME)
1. IPsec configuration and usage abide by the following requirements:
• Tunnel mode is used for IPsec connections; however, if using transport mode, an IP
tunnel is used. PFS is used for all IPsec connections
• The ESP protocol is used for IPsec connections
• IKE is used for key exchange when establishing an IPsec connection
• If using ISAKMP in IKE version 1, aggressive mode is disabled
• A security association lifetime of less than four hours, or 14400 seconds, is used
• HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm
• The largest modulus size possible for all relevant components in the network is
used when conducting a key exchange
• The use of XAuth is disabled for IPsec connections using IKE version 1

1. Due to the sensitive nature of High Assurance Cryptographic Equipment (HACE),
when using HACE, communications security and equipment-specific doctrine
produced by the Australian Cyber Security Centre (ACSC) for the management and
use of HACE is complied with
1. Store cryptographic equipment in a room that meets the requirements for a server
room based on the sensitivity or classification of the data the cryptographic
equipment processes

1. Separate areas in which High Assurance Cryptographic Equipment (HACE) is used
from other areas and designate the area as a cryptographic controlled area

1. Maintain and implement a list of allowed content types
2. Verify integrity check on content (where applicable) and block content if
verification fails
3. If data is signed, validate the signature before the data is exported

1. Ensure all encrypted content, traffic and data is decrypted and inspected to allow
content filtering

1. When sharing peripherals between systems, make use of an evaluated peripheral
switch
1. An evaluated peripheral switch used for sharing peripherals between SECRET or
TOP SECRET systems and any non-SECRET or TOP SECRET systems shall have completed
a high assurance evaluation.

1. When an evaluated peripheral switch is used for sharing peripherals between
SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems
belonging to different security domains, ensure it completes a high assurance
evaluation.

1. When sharing peripherals between official systems, or classified systems at the
same classification, that belong to different security domains, make use of an
evaluated peripheral switch

1. Use an evaluated peripheral switch when accessing a system containing AUSTEO
or AGAO data and a system of the same classification that is not authorized to
process the same caveat

1. Perform the following activities when exporting data from a SECRET or TOP
SECRET system:
• data format checks and logging
• monitoring to detect overuse/unusual usage patterns
• limitations on data types and sizes
• keyword searches on all textual data.

1. Develop, maintain and implement a documented process and supporting
procedures to manage exporting AUSTEO and AGAO data
2. Prevent exporting of AUSTEO and AGAO data in both textual and non-textual
formats to foreign systems
1. When exporting data from an AUSTEO or AGAO system:
• Undertake keyword searches on all textual data
• Quarantine any identified data until reviewed and approved for release by a trusted
source other than the originator

1. Enable data transfer logs to record all data imports and exports from systems
2. Partially audit data transfer logs at least monthly
3. Fully audit data transfer logs at least monthly
4. Maintain evidence for full and partial audit of data transfer logs

1. Perform testing for partial restoration of backups on a quarterly or more frequent
basis
2. Perform testing for full restoration of backups:
• at least once when initially implemented, and
• each time fundamental information technology infrastructure changes occur

1. When storing backups:
• store the backups offline, or online but in a non-writable and non-erasable manner
• store the backups in multiple geographically-dispersed locations

1. Ensure the time period for retaining event logs is documented via appropriate
monitoring and logging policies
2. Retain event logs for a minimum of 7 years in accordance with the National
Archives of Australia’s Administrative Functions Disposal Authority Express Version 2
publication
1. Ensure the time period for retaining DNS and proxy logs is documented via
appropriate monitoring and logging policies
2. Retain DNS and proxy logs for at least 18 months

1. Obtain relevant organizational policy/standard
2. Ensure that the policy is implemented appropriately
3. Ensure that the log management policy is reviewed at least annually and updated
as necessary or on any major changes
4. Ensure revision histories and review periods are defined appropriately within the
log management policy
5. Event log auditing processes, and supporting event log auditing procedures, are
developed and implemented covering the scope and schedule of audits, what
constitutes a violation of security policy, and actions to be taken when violations are
detected, including reporting requirements.

1. Policy and procedure document(s) corresponding to vulnerability management shall
be documented and maintained.
2. Vulnerability scanning shall be done at a regular frequency (at least biweekly) in
order to ensure closure of vulnerabilities identified in past as well as identification of
new vulnerabilities in the environment.
3. Tracker of vulnerabilities identified in the scans shall be maintained to identify
missing patches/updates for applications.
1. Policy and procedure document(s) corresponding to vulnerability management shall
be documented and maintained.
2. Vulnerability scanning shall be done at a regular frequency (at least weekly) in
order to ensure closure of vulnerabilities identified in past as well as identification of
new vulnerabilities in the environment.
3. Tracker of vulnerabilities identified in the scans shall be maintained to identify
missing patches/updates for security vulnerabilities in office productivity suites, web
browsers and their extensions, email clients, PDF software, drivers, firmware, and
operating systems of workstations and servers and network devices, and security
products.

1. Obtain policy and procedure document(s) corresponding to intrusion remediation
activities.
2. Validate intrusion remediation activities are conducted in a coordinated manner
during the same planned outage

1. The device management and removable media usage policy documentation covers
a restriction on unauthorized removable media and devices connecting to
workstations and servers.
2. Verify unauthorized removable media and devices are prevented from being
connected to workstations and servers via the use of device access control software
or by disabling external communication interfaces in operating systems.

1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that the resulting media waste particles from the destruction of
TOP SECRET media is stored and handled as:
• OFFICIAL if less than or equal to 3 mm
• SECRET if greater than 3 mm and less than or equal to 9 mm

1. Ensure Windows Defender Credential Guard and Windows Defender Remote
Credential Guard are enabled.
1. Organization monitors all Internet-facing services, office productivity suites, web
browsers and their extensions, email clients, PDF software, Adobe Flash Player, and
security products that are on workstations and mobile devices that have access to
the organization network/applications.
2. Any Internet-facing services, office productivity suites, web browsers and their
extensions, email clients, PDF software, Adobe Flash Player, and security products
that are no longer supported by vendors are immediately removed.
3. Review and removal is done via automated process via having a list of unapproved
software that is continuously maintained.

1. Ensure policies and procedures are in place corresponding to planning and
coordination of intrusion remediation activities.
2. Verify that previous planning and coordination of intrusion remediation activities
was conducted on a separate system to that which had been compromised.

1. Ensure FT (802.11r) is disabled unless authenticator-to-authenticator
communications are secured by an ASD Approved Cryptographic Protocol.
1. Ensure policies and procedures are documented as well as maintained for media
disposal highlighting that the resulting media waste particles from the destruction of
SECRET media is stored and handled as:
• OFFICIAL if less than or equal to 3 mm
• PROTECTED if greater than 3 mm and less than or equal to 6 mm
• SECRET if greater than 6 mm and less than or equal to 9 mm

1. Verify if creating child processes in PDF viewers is disabled.

1. Obtain vulnerability assessment and patch management policy
2. Verify timelines for treatment/ patching of high risk vulnerabilities
3. Validate that a proper process is in place to triage identified vulnerabilities
4. Validate if there is a process to periodically identify and review vendor supplied
patches
5. Obtain audit log tracker for patches updated for internet-facing services, office
productivity suites, web browsers, extensions, email clients, PDF software, operating
systems of workstations and internet facing services, security products, and all other
applications.
6. Obtain and verify VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
7. Validate if vulnerability treatment/ patching is performed within specified time
frame.

1. Obtain mobile and portable device management policy
2. All provisioned mobile devices prevent personnel from installing or uninstalling
non-approved applications once provisioned.

1. Obtain documented policies and procedures in place corresponding to Microsoft's
'recommended driver block rules'
2. Verify configuration shows that Microsoft's 'recommended driver block rules' are in
place

1. Evaluate if the application hardening process is in place.
2. Verify if Microsoft Office products installed on workstations follow the best
practice configurations at the minimum:
• Microsoft Office macros digitally signed by an untrusted publisher cannot be
enabled via the Message Bar or Backstage View.
• Microsoft Office macro security settings cannot be changed by users.
3. Verify Microsoft Office’s list of trusted publishers has been reviewed and validated
on an annual or more frequent basis.
1. Evaluate if the application hardening process is in place.
2. Verify if Microsoft Office products installed on workstations follow the best
practice configurations at the minimum:
• Microsoft Office macros are only allowed to execute in documents from Trusted
Locations where write access is limited to personnel whose role is to vet and approve
macros, within sandboxed environments, or that are digitally signed by a trusted
publisher.
• Microsoft Office macro security settings cannot be changed by users.

1. Evaluate if the application hardening process is in place.
2. Verify if Microsoft Office products installed on workstations follow the best
practice configurations at the minimum:
• Microsoft Office macros are blocked from making Win32 API calls.
• Microsoft Office macro security settings cannot be changed by users.

1. Obtain Log management procedure
2. Ensure Microsoft Office macro events are logged
3. Retain event logs and ensure they are available for review whenever required
4. Ensure all macro event logs are replicated and stored on a centralized server.
5. Ensure appropriate mechanisms are implemented for protecting integrity of logs
and to prevent/detect logs modified/tampered at the storage location.

1. Policy and procedure document(s) corresponding to vulnerability management shall
be documented and maintained.
2. Verify if Microsoft Office products installed on workstations follow the best
practice configurations at the minimum:
• Microsoft Office macro antivirus scanning is enabled.
• Microsoft Office macro security settings cannot be changed by users.

1. Evaluate if the application hardening process is in place.
2. Verify if Microsoft Office products installed on workstations follow the best
practice configurations at the minimum:
• Microsoft Office is configured to prevent the creation of child processes.
• Microsoft Office is configured to be blocked from creating executable content.
• Microsoft Office is configured to be blocked from injecting code into other
processes.

1. Verify Internet Explorer 11 is disabled or removed across the organization via the
configuration of group policy
1. Obtain Teleworking/ trusted device policy/ Code of conduct and verify if following
precaution for travelling overseas is documented:
• If unable to carry or store mobile devices in a secured state, they are physically
transferred in a security briefcase or an approved multi-use satchel, pouch or transit
bag.

1. Verify application control is configured to restrict the execution of executables,
software libraries, scripts, installers, compiled HTML, HTML applications, drivers, and
control panel applets to an organization-approved set.
1. Ensure policies and procedures are documented and maintained highlighting that
electrostatic memory devices are destroyed using either furnace/incinerator, hammer
mill, disintegrator or grinder/sander.

1. Verify if PowerShell is configured to use module logging, script block logging and
transcription functionality.
2. Verify if PowerShell script block logs are protected by Protected Event Logging
functionality.
3. Verify if Microsoft’s Attack Surface Reduction rules are implemented. (if applicable)
4. Retain event logs and ensure they are available for review whenever required
5. Ensure all macro event logs are replicated and stored on a centralized server with
restricted access to only authorized personnel.

1. Obtain Log management procedure
2. Ensure allowed and blocked Microsoft Office macro executions are logged
3. Retain event logs and ensure they are available for review whenever required

1. Obtain and review the documented procedures for transfer of data from SECRET or
TOP SECRET systems
2. Validate that the data is transferred post obtaining approvals from the authorized
sources
3. Verify that the list of approvers to authorize SECRET or TOP SECRET transfer is
maintained and communicated to relevant personnel
4. Validate that the list of authorized approvers is reviewed periodically, and only this
list of authorized approvers can approve data transfers.

1. Policy and procedure document(s) corresponding to vulnerability management shall
be documented and maintained.
2. Vulnerability scanning shall be done at a regular frequency (at least daily) in order
to ensure closure of vulnerabilities identified in past as well as identification of new
vulnerabilities in the environment.
3. Tracker of vulnerabilities identified in the scans shall be maintained to identify
missing patches/updates for internet-facing services and operating systems of
internet-facing services.

1. Verify a software bill of materials is produced and available for all software
made available to consumers
1. Validate a 'security.txt' file is hosted for all internet-facing organizational domains
to assist in the responsible disclosure of security vulnerabilities in organizations'
products and services.

1. Ensure .NET Framework 3.5 is disabled or removed.


A SOC 2 Trust Services Criteria, ISO/IEC 27001:2013, ISO/IEC 27017:2013, ISO/IEC 27017:2015, ISO/IEC
y Data Security Standard (PCI-DSS v3.2.1), Information System Security Management and Assessment
CC), and The Federal Risk and Authorization Management Program (FedRAMP Li-SAAS).

Control Supporting Audit Artifacts


1. Provide org chart to showcase independence of the audit team members
2. Provide the list of controls/scope that were audited
3. Provide the internal audit report showing the results (findings), date when
control self-assessment was completed
4. Provide evidence of review and approval by the management of the
control self-assessment report
5. Provide the internal audit report of a previous self-assessment, and
resolution of previous findings
6. Provide remediation tracking documents (e.g. Tickets) showing
remediation actions, owner and closure date

1. Provide the following documentation:
• Log Management
• Firewall standard
• Configuration standard
• Incident management
• Monitoring procedure
• Change management

2. Provide reports of reviews conducted every quarter

1. Provide audit procedure for customer requested audits
2. Provide sample communication shared with customers and where
applicable, the mandated auditor regarding customer requested audit
procedure

1. Examine application threat and vulnerability scans
2. Provide tickets related to identified application scan results
3. Provide resolution to identified application vulnerabilities
4. Provide log management tool dashboard details and show evidence that it
is reviewed on a monthly basis
1. Provide the legal and regulatory documentations relating to offering
obligations in different countries
2. Provide the evidence or examples that legal and regulatory documents are
updated annually
3. Provide evidence the Guidance Template has been completed

1. Obtain documentation of review of European and international standards
that are applicable to the product.
2. Validate all standards that are applicable are adhered to by the offering.
3. Validate any certificates used by the offering around systems, products,
equipment are certificates recognized by the National Scheme for the
Evaluation and Certification of Information Technology Security. This can be
certifications around encryption, equipment, security, etc.

1. Provide the BC / DR documentation
2. Provide recent BC/ DR test documentation (tracking ticket)
3. Provide remediation tickets for issues identified as part of the BC/DR test
4. Validate the BC/DR ticket has details around lessons/learned as well.

1. Documented BCMS process with applicable business continuity related
legal and regulatory requirements
2. Show evidence of identified legal and regulatory requirements related to
continuity of product and service
3. Documented evidence showing legal and regulatory requirements are
reviewed at least annually

1. Provide the Business Continuity Management documentation.
2. Provide recent BIA test documentation (tracking ticket) including all
services in scope and procedures tested.
3. Provide remediation tickets for issues identified as part of BIA test.
4. Provide previous BIA test for timeliness.
5. Check for remediation tickets for issues identified and observe that they
are tracked to completion.
1. BCMS roles and responsibilities document
2. Evidence of individuals being assigned to defined roles in BCMS roles and
responsibilities
3. Evidence of business contingency contact details communicated to all
applicable stakeholders/ audience

1. Provide screenshot showing region/ location of data residency for services
provided in KSA

1. Validate the offering has systems and databases that reside in the EU to
host Spanish Customer data and electronic identification and signature
details as well.

1. Validate the offering maintains documentation around any data
localization laws and/or requests from the EU/EU Countries.
2. If there are data localization laws that have been requested, the offering
shall have systems and databases that reside in the EU to host customer
data.

1. Validate the offering maintains documentation around any data
localization laws and/or requests from Japan.
2. If there are data localization laws that have been requested, the offering
shall have systems and databases that reside in Japan to host customer data.
1. Provide the network architecture diagram of the system / solution
2. Provide the screenshots of the deployment of the system / solution across
availability zones
3. Validate the resumption of operations at alternate facility is tested and
doable.

Note: Large scale offerings shall have this in effect. Smaller offerings that
have budget constraints may not necessarily have the resources to execute
this. If an offering does not have a multi-location strategy, they shall
adequately have a documented process and SLA to bring up production

1. Log management procedure/policy document
2. The offering logs storage and retention schedules
3. Sample audit log snapshots for logs stored for a period of one year with
one year of data immediately available for analysis
4. Configuration showing that logs are stored for a period of one year
5. Validate sufficient audit log storage requirements are met (i.e. sufficient
log storage shall be kept to meet legal and contractual obligations)

1. Provide sample alerts sent to staff when the audit logging process failed
2. Provide evidence of logging failures being addressed to resume system
logging
1. Show the configuration of full backups for data stores housing sensitive
customer data and personal information, and validate full backups occur at
least monthly.
2. Validate that the backup is complete and accurate.
3. Obtain a job history log of the backup, and identify any failures that have
occurred.
4. Check for remediation tickets for backups that have failed, and observe
that they are tracked to completion and resolution.
5. Evidence that backup restoration tests have been performed to validate
backups can be restored, at least annually.

1. Provide screenshots of database replication configurations to secondary
data centers
2. Provide screenshots of retention configurations
3. Provide screenshots of notification configurations for failures
4. Provide population of failures, and sample failures, and obtain resolution of
failure. Population of failures shall include details around parameters/query
used to generate failure listing as well (and includes date and timestamp).
1. Backup capabilities document with evidence of below specifications
provided to the cloud service customer as applicable:
• Scope and schedule of backups
• Backup methods and data formats
• Encryption of backup data
• Retention periods for backup data
• Integrity verification of backup data
• Procedures and timescale of data restore
• Location of backup data.

2. Demo of a test customer instance, if possible, to show how customers can
view information around backup capabilities and configure their own instance.
1. Provide backup management policy/procedures
2. Provide evidence showing secondary/alternate location is
used/implemented for storing backups

1. Provide backup management policy/procedure
2. Provide relevant organizational email security policy
3. On a sample basis, provide screenshot showing successful email backups
taken
4. Provide screenshots or evidences to showcase alerts are configured to
notify administrators if backup/replication fails
5. Provide evidence showing appropriate actions taken on repeated failed
backups

1. Provide the SDLC methodology document
2. Provide a sample SDLC tracking ticket
3. Provide a sample methodology update ticket (i.e. annual review evidence)
4. Provide change history and previous review date for timeliness.

1. Provide the ticket reviewing any changes made by service providers.
2. Provide the notification settings of any changes made by service
providers.
3. Identify any inappropriate changes that were identified and validate they
were tracked and followed up on.
1. Provide Change management policy
2. Provide asset register/assets in production
3. Provide sample change tickets that were created for changes to the service and
supporting infrastructure
4. Validate if security impact analysis is performed for sample changes
5. Validate if appropriate approvals were obtained for sample changes at
various stages of change management process
6. Validate appropriate testing was performed prior to the change being
pushed to production. No failed testing changes shall be pushed to
production.
7. Validate sufficient Segregation of duties is maintained. I.e. if developers
have access to production to make direct changes, how will inappropriate
changes be identified (i.e. review process, settings, etc.)?

1. Provide Change management policy
2. Scope/list of authorized internal users
3. Provide sample change request tickets
4. For sample change tickets, provide evidence that system changes were
communicated to identified authorized internal users via. a ticketing system
or any other formal channel of communication (shall be documented)

1. Provide evidence of defined communication policy
2. Scope/list of customers
3. Provide sample change request tickets for critical changes
4. For sample change tickets, provide evidence that System changes were
communicated to identified authorized internal users via. a ticketing system
or any other formal channel of communication (shall be documented). An
alternative notification channel would be a public facing availability page, or
news page that notifies customers of major changes such as patches,
updates to service, change in location, etc.

1. Provide and obtain the configuration management system in place, and
how it is configured to monitor system configurations.
2. Provide evidence that system configurations are deployed consistently
throughout the production environments, this can be done via version control
#, last update date, or more.
1. Provide the walkthrough of file integrity monitoring (FIM) tool
2. Provide process/procedure documented for file integrity monitoring tool
(FIM)
3. Provide configuration of FIM tool that evidently shows that system
administrators will get notifications of potential unauthorized changes to the
production system
Example - if there is a rule engine built into the FIM tool that captures
deviation in the configuration, the system administrators shall be notified of
such deviation in configurations
4. Provide the sample notifications sent from FIM tool to system
administrators of potential unauthorized changes made to the production
system
5. Provide list of system administrators that shall be notified about such
unauthorized changes
6. Identify if any inappropriate changes were made, and if they were followed
up and reversed.

1. Provide a list of personnel authorized to migrate changes to production
2. Provide the IAM configuration details permitting authorized personnel and
preventing unauthorized personnel
3. Provide the screenshots of permissions of authorized personnel
4. Provide point in time review of appropriateness of users, and validating
that no users are developers with direct access to migrate changes.

1. Provide documented policies governing the appropriate use and installation
of software on Organization workstations
2. Provide evidence of communication of policies governing the appropriate
use and installation of software on organization workstations
3. Provide evidence of annual review being done for policies governing the
appropriate use and installation of software on organization workstations
4. Attempt to download blacklisted applications, and validate such
applications cannot be downloaded.
5. Screenshot of system alert
6. Other considerations:
• Who has access to install software on workstations?
• Who owns admin of workstations ?
• How is install of software prevented and detected?

1. Obtain a sample of changes pushed to production.
2. Demonstrate that changes can be rolled-back if needed.
3. Obtain screenshot showing production instances have versioning enabled.
4. Provide documented version history with key updates/changes for each
product, and validate that previous versions can be restored if needed.

1. Provide walkthrough of mechanism used to detect direct changes to
integrity of customer data and personal information
2. Provide relevant process documentations
3. Provide evidence showing actions taken to resolve confirmed unauthorized
changes to data
1. Validate the use of any utility programs from the offering.
2. Validate changes to the utility programs follow a change process of having
approval and testing prior to any changes.
3. Validate if any utility programs have access to production.
4. If a utility program has direct access to production to modify, validate on a
monthly basis changes are reviewed for appropriateness.

1. Provide the Worldwide Badging Policy and Restricted Access Authorization
policy
2. Walkthrough all security measures such as camera monitoring, front desk
sign in, badging and more.
3. Validate if there have been any incidents during the period, and how the
report of incidents is generated (including time and date timestamp)
1. Provide the Global Business Resiliency (GBR) Program Policy and Physical
and Environmental Security Standard
2. Provide evidence that data centers and organization offices are secured,
monitored, maintained with fail-over mechanisms. Observe how supply of
utilities and other communication is secured, maintained, and monitored.
3. Obtain the most recent fail over mechanism test, and obtain action
items/tickets of issues identified.
4. Obtain and sample the tickets around issues identified and tracked to
resolution.
1. Provide documented policies/procedures for building and implementing
environmental security measures and safeguards to protect the premises or
buildings
2. Provide walkthrough of premises or buildings that house sensitive or
critical information
3. Provide evidence of appropriate implementation and review of
environmental security measures and safeguards to protect the premises or
buildings that house sensitive or critical information against environmental
threats or threats caused by humans (i.e. political riots, floods, earthquakes,
etc.)

1. Obtain the ticket or page that identifies all assets that store customer data,
and validate that each asset is identified and documented.
2. Validate that the geographical location of each asset is included.
3. Obtain guidance or documentation showing where the customer data
resides is legally appropriate in the geographic location it is stored.
4. Review the communication channel is up-to-date and appropriately
communicates geographic locations that customer data is stored.
1. Provide a list of personnel with access to organization Data Centers.
2. Obtain corresponding ticket and/or approval for data center access.
3. Validate data centers shall have badge access to enter and any other
validation methods such as front desk personnel.
4. Validate each ticket includes details around access account type,
privileges granted, business purposes, start date, duration, approval.
5. Validate access is programmed to match ticket details (start date,
duration, account type).
6. Validate access is automatically terminated upon duration expiry.

1. Please provide Organization's Worldwide Badging Policy
2. Please provide the System configuration of the automated feed from the
HR system to the badging system, and removal of access upon termination
3. Please provide evidence of removal of badge access for sample of
terminated employees.
4. Reconcile temporary badges to the inventory of temporary badges to
validate all temporary badges were accounted for and returned to existing
facility appropriately.
5. Obtain list of users who have not used access for more than 2 months, and
validate access has been terminated.
1. Obtain the most recent Physical Access Control review.
2. Validate completeness and accuracy of the user listing by reviewing
screenshots and user logs attached.
3. Identify any inappropriate users identified, and validate their access was
terminated. Review any inappropriate activity that may have occurred by the
inappropriate user, and remediate accordingly.
4. Obtain previous quarterly reviews and validate timeliness of the review.

1. Provide documented policies/procedures for managing visitor's physical
access
2. Obtain evidence of monitoring in place while provisioning physical access
to visitors
3. Obtain evidence of escorting while allowing physical access to visitors
4. Provide records maintained for physical access provided to visitors
5. Obtain evidence of secure storage of visitor access records

1. Provide relevant documentation related to Electronic Surveillance policy/
CCTV surveillance
2. Provide screenshot showing retention timelines of surveillance feed data
1. On a sample basis, inspect physical devices that capture payment card
data to check devices are not tampered
2. Provide evidence that physical devices are inspected on quarterly basis to
ensure the devices are not tampered

1. Provide evidence such as national IDs/ passports of cybersecurity
personnel working in Kingdom of Saudi Arabia to affirm their citizenship
status

1. Provide documented policies/procedures in place for transfer of assets
2. Provide evidence of approvals obtained from authorized committees or
bodies of the cloud provider, prior to allowing the transfer of devices,
hardware, software or data to external premises
3. Obtain evidence of appropriate device tagging and classification on
sample basis
4. Provide list of approvers authorized to allow device, hardware, software or
data transfer to external premises
5. Obtain evidence of review performed on the list of authorized approvers
6. List of authorized approvers

1. Provide documented policies/procedures in place for asset onboarding
2. Provide evidence of approvals obtained from authorized committees or
bodies of the cloud provider prior to installation of new assets into the secure
premises. Obtain population of new assets (can be via system generated
report with screenshot of parameters used to obtain report) and select a
sample of new assets and verify approval.
3. Obtain evidence of asset tagging and classification
4. Provide list of approvers authorized to allow installation of new assets into
the secure premises
5. Obtain evidence of review performed on the list by authorized approvers
1. Provide documented asset maintenance policies and instructions with
technical and organizational safeguards
2. Provide evidence to demonstrate the remote maintenance, deletion,
updating and re-use of assets.
3. Provide evidence that the policy/standard has been followed by selecting
samples and validating that the assets followed the policy/standard for maintenance,
deletion, updating, and re-use of assets.

1. Provide policies and documentation in place to establish safe and secure
work environment
2. Provide evidence of annual review performed on safe and secure work
environment policies and documentation
3. Validate and observe the safe and secure work environment
policies/standards have been adhered to in the office or where applicable.

1. Provide documented procedures in place to authorize and maintain secure
building access
2. Provide evidence of implementation of access controls and installation of
access devices
3. Provide documented records maintained for access granted
4. Provide evidence of records created for visitor access and verify that
visitors are escorted
5. Provide evidence of monitoring done by software authorization controls
6. Provide list of authorized personnel with access to the premises or
buildings in-scope
1. Provide the data classification policy documentation
2. Provide the most recent review of the policy, and the previous review for timeliness.
3. For each offering, validate that the offering is appropriately following the Data Protection Policy guidelines, and data is appropriately secured and restricted. Samples of data may be selected to validate it is appropriately secured and restricted.

1. Provide the details of tools used to gather inventory details
2. Provide the tools used to store inventory details
3. Provide documentation of full inventory list.
4. Provide a sample inventory update ticket and review to validate all system assets are reviewed annually.
1. Obtain the page and/or ticket identifying all cloud service production assets. This includes assets where the production instance sits and/or where customer information resides.
2. Validate the asset listing is complete and accurate and labelled accordingly (i.e. what the asset is used for).
3. Validate each asset has a designated owner, and is labelled according to Organization's standards.

1. Provide inventory of system assets, that include production instances, locations, production tools, etc.
2. Provide evidence that the cloud service customer data and data derived from the services are explicitly identified by the cloud service provider

1. Obtain the public facing page or announcement detailing the services offered by the organization, information collected, and any additional details such as locations, etc. Check that details of the service are provided to customers.
1. Provide documented policies and procedures in place for data classification
2. Provide evidence of annual review performed on data classification policies and documentation
3. Provide evidence of communication of the data classification policies and documentation

1. Provide relevant code of conduct documentation

1. Provide evidence showing asset inventory includes details about all in-scope cardholder related systems, devices, and media

1. Provide asset inventory for authorized wireless access points

1. Provide the support system used to handle customer requests.
2. Test the system to validate all customer issues/requests are captured.
3. Provide details of resolution once customer issues/requests are submitted and identification of issue/request owner.
4. Obtain population of customer issues/requests.
5. Sample test customer issues/requests and validate they were tracked to completion in a timely manner, and escalated if necessary.
1. Obtain the data flow diagram of the service, and validate the accuracy of
the diagram.
2. Validate the last review date and previous review date to validate
timeliness.
3. Validate that the data flow diagram is complete and accurate, and reflects
the production environment and tools accordingly.

1. Haphazardly select production data (i.e. customer ID) and query for it in
non-production environments such as test environments to validate
production data does not reside in non-production systems or environments.

1. Provide cloud service agreements signed with customers including GDPR clauses

1. Obtain the relevant policies and standards regarding retention and disposal procedures of organization data. Validate they were reviewed in a timely manner.
2. Haphazardly select certain assets and validate the policy and standards are followed (i.e. shredders, etc.)
1. Provide documented policies and procedures in place for electronic media
handling and disposal
2. An asset register/inventory shall be obtained that includes a list of all
electronic media destroyed.
3. Provide evidence certification of destruction for each device destroyed or
disposed, or evidence that the asset was appropriately destroyed.

1. Identify the repository or ticketing system with all customer requests for deletion.
2. Select a sample of customer deletion requests, and query the production instance for the customer details (i.e. customer ID, data, etc.) to validate the customer details were purged upon request.
3. Review tickets to validate communication was provided to the customer confirming deletion of their account and information.

1. Obtain the relevant policies and standards regarding retention and disposal procedures of customer data. Validate they were reviewed in a timely manner.
2. Haphazardly select certain assets and validate the policy and standards are followed (i.e. encryption of customer data, termination of customer data upon request, etc.)
1. Obtain production instances that are using SDN solutions.
2. Validate SDN protection procedures (i.e. encryption, routing measures,
authentication, etc.) exist and are in-place over these networking solutions.
3. Provide hardening requirements of SDN system, and validate they are
implemented.

1. Provide documented policies and procedures in place for electronic media handling and disposal
2. Obtain evidence or communications showing hard copy materials shall be purged in a secure manner. Alternatively, evidence of mechanisms to securely dispose of hardcopy materials can be provided (i.e. designated recycle/trash bins)

1. Validate the offering provides its cloud service customers with information
on the IPv6 support status of the service.

1. Validate cryptographic Key Custodians and Cryptographic Materials Custodians have acknowledged in writing or electronically that they understand and accept their cryptographic-key-custodian responsibilities upon hire and at least annually thereafter.

1. Provide the key management policy and procedure documents
2. Provide screenshot of an annual review ticket

1. Provide the key management policy
2. Provide a sample certificate from the offering and validate that the certificate is from the approved service provider.
1. Provide documented notification to be sent to cloud service customers
when cryptography is used to protect customer data
2. Provide evidence of communication provided to cloud service customers
when cryptography is used to protect customer data

1. Provide documented policies and procedures in place for the management of portable and removable media devices
2. Provide evidence that the ability to write to portable and removable media is managed and/or disabled.
3. Provide evidence of encryption applied when using portable and removable media devices - provide a screenshot taken by accessing the contents of the removable media from another device
4. Provide evidence to show that portable and removable media devices are monitored when in use
5. For NIST, FedRAMP, and NIST 800-171, a FIPS 140-2 encryption method is used to protect data at rest and in transit.

1. Provide evidence that data at rest and in-transit are both protected and encrypted via approved cryptographic algorithms and methods over all networks and production databases.
2. Validate that methods of encryption come from the organization's Common Cryptography Modules, and vulnerable algorithms are not used.
3. Validate that TLS 1.2 at the minimum shall be used.
1. Provide Key management procedure
2. Provide evidence of access control in place to restrict access to key stores
3. Provide evidence of key change/rotation performed in the past 90 days.
4. Provide evidence for reviews undertaken for key records including access
granted by the offering.

1. Provide screenshot showing PAN data masked with only the first six and last four digits displayed
2. Provide list of users with whom full PAN details were shared
3. Provide evidence showcasing full PAN details were only shared with authorized users with a legitimate business need

1. Provide screenshot showing full disk encryption used and logical access
being managed independently of operating system authentication
2. Provide evidence showing decryption keys are not associated with user
accounts

1. Provide Key management procedure
2. Provide evidence of adherence to PCI-DSS guidelines regarding storage of data encryption keys

1. Provide Key management procedure
2. Provide details regarding key archival/revocation process

1. Provide Key management procedure
2. Provide details regarding manual key management operations process
3. Provide process walkthrough showing manual clear-text key management operations are managed using split knowledge and dual control

1. Provide the Network Security Standard, Firewall, Router and Switch Configuration Standard
2. Provide screenshot of network/hardening checklists or methods used
1. Provide process defined for validating the network perimeter within the
environment
2. Obtain the list of authorized personnel having access to the cross-network
3. Provide network service agreement which includes security mechanisms,
service levels and management requirements of all network services

1. Validate when virtual private networks are used, hardware devices are
used for the establishment of the network. If not, obtain an understanding as
to why hardware devices were not used.

1. Provide the Risk assessment Methodology Document
2. Validate the Risk assessment methodology is reviewed annually and updated accordingly.
1. Provide the Risk Management Standard
2. Obtain the most recent risk assessment performed, and provide the
population of identified deficiencies, discovered as a result of Risk
Assessment.
3. Obtain evidence of a fraud risk assessment as part of the annual risk
assessment.
4. Please provide corrective action plan for a sample of identified deficiencies
and remediation completion.
5. Validate the appropriate personnel and teams are involved and review the
risk assessments on an annual basis.

1. Validate that cloud service providers reviewed the risks associated with
customer supplied software within the cloud services offered by the provider
on an annual basis as part of the risk assessment. Validate the assessment
was performed timely (i.e. annual).
2. Validate all action items are followed up upon and resolved in a timely
manner.

1. Provide documentation regarding the risk assessment process followed within the organization
2. Provide evidence of data types shared with a managed service provider
3. Provide data risk assessment report

1. Obtain the team directory and roles and responsibilities of those who oversee the implementation of security and control environments.
1. Obtain the most recent board of directors charter.
2. Obtain the most recent board of directors meeting minutes and validate the timeliness of the meeting and any action items that have come out of the meeting.

1. Provide the list of members on the audit committee and their background.
2. Provide the audit committee charter.
3. Obtain the most recent meeting minutes and previous meeting minutes for
timeliness.
4. Review the reports and minutes for meeting discussions, and review action
items/follow up items are tied to corresponding tickets or action plans.

1. Validate that offerings have evaluated geographies with legal and regulatory risks.
2. Validate the offerings do not operate out of, or have administrators that reside in such geographies.
1. Identify whether the service is first a customer or a provider.
2. Provide an agreement between customers and providers detailing the roles and responsibilities between the two parties. If the service is a customer, an agreement between the organization and the third-party service shall be defined.
3. Review the agreement to validate roles and responsibilities have been clearly defined, and include aspects of data ownership, security accountability, supplier use, data backup and recovery.

1. Provide the statement of applicability (SOA)
2. Validate it includes a review of control objectives, implemented controls, business justification for excluded controls, and aligns with the risk assessment.
3. Validate the last review date, to ensure the SOA was reviewed annually.

1. Provide the most recent ISMS Steering committee meeting minutes.
2. Review the meeting minutes and validate ISMS scope, risk assessment activities, control implementation, and audit results have been communicated. Review attendees to validate appropriate members were included in the meeting.
3. Obtain previous ISMS steering committee meeting minutes to validate timeliness of meeting.
4. Validate scope of ISMS Steering committee meeting is defined.

1. Provide a list of the members of the security leadership team at the organization.
2. Obtain documents showing the security leadership team's involvement in the organization's Information Security program, and validate that goals and milestones for deployment of the information security program are discussed and defined.
1. Provide the most recent ISMS scoping document.
2. Review the document to ensure it includes ISMS boundaries.
3. Review the last modified date to ensure it was reviewed timely.

1. Obtain a recent periodic staff meeting calendar/invite/email communication.
2. Review the meeting details, and any recordings available, to validate security threats, program performance, and resource prioritization were included.
3. Obtain any previous meeting invites and validate that the meeting was conducted at least annually.

1. Security requirements for which budget is required as part of Organization's security program, and the corresponding business justification, are identified, documented and maintained.
2. Artefacts highlighting that a management review meeting was conducted and key security requirements were discussed
3. Artefacts highlighting that key stakeholders from all departments were part of management review meetings and budget allocation was aligned with business objectives
4. Records of budget allocation along with corresponding business justification as well as approval.
5. Records highlighting that spending of the allocated budget is aligned with the business justification approved by top management
1. Provide documented information security policy/policies and corresponding procedures ensuring coverage of the information security requirements for the service environment in compliance with different standards as well as frameworks.
2. Provide artefacts demonstrating that policy and procedure documents are communicated, implemented, reviewed, and updated if required, at a regular frequency.

1. Provide documented privacy policy/policies and corresponding procedures ensuring coverage of the requirements pertaining to processing of personal identifiable information for the service environment in compliance with applicable privacy laws as well as industry standards and frameworks.
2. Provide artefacts demonstrating that policy and procedure documents are communicated, implemented, reviewed, and updated if required, at a regular frequency.

1. Provide cloud service customer information security policy.

1. Provide documented cloud service providers' information security policy for the cloud service customers covering various aspects such as but not limited to Baseline information security requirements, Multi-tenancy and cloud service customer isolation, Access management, Lifecycle management of service customer accounts and communication of breaches in compliance with different standards as well as frameworks.
2. Validate if the policy was reviewed annually.
1. Provide evidence of notifying the customers about the information security
controls

1. Provide Organization's governance policies and procedures
2. List of authorized personnel for communicating policies and procedures
3. Provide evidence that the policies and standards are communicated to authorized personnel
4. Validate the policy is reviewed annually.

1. Provide documented process to request, review and approve exceptions to policies and procedures

1. Provide management approved policies and standards to govern the collection, retention, and usage of metadata
2. Obtain the list of authorized personnel having access to the customer data
3. Provide the deletion mechanism used to ensure customer usage data is deleted once its intended collection purpose has been fulfilled and/or upon customer request

1. Provide a program charter that is used for the governance of PCI DSS
compliance
2. Provide defined roles and responsibilities document used for the
governance of PCI DSS compliance
3. Provide evidence that program charter and roles and responsibilities
information are communicated by the management to the appropriate
stakeholders

1. Provide the scope of GDPR
2. Provide evidence that the cloud service provider (CSP) is established in a member state of the European Union in case it is in scope of GDPR
3. Provide evidence of appointment of a representative in case the CSP is not established in a member state of the EU
1. Provide EU code of conduct guidelines
2. Provide evidence that cloud service provider transparently communicates
to customers their adherence to the EU Code of Conduct

1. Provide Code of Conduct in which all policy violations and non-compliance, including associated implications, disciplinary and legal action, are documented.
2. Provide records highlighting the following:
• All employees including new joiners provide acknowledgment for adhering to the Code of Conduct.
• Employees are notified in case of policy violations and actions of non-compliance that may lead to disciplinary as well as legal action, and corresponding records.
• Frequent communication and awareness mailers sent across to all organization employees for updates to the Code of Conduct.
• Validate if there have been any policy violations that have occurred, and sample select COC violations and validate corresponding actions were appropriate and reviewed.

1. Provide documented annual information security risk assessment results
2. Artefacts highlighting that the results of the annual information security risk assessment are discussed and finalized with the designated risk owner(s).
3. Provide documented Risk treatment plan for closure of identified risks as per the timelines and approvals based on cost benefit analysis, leading to selection as well as development of manual and IT general controls.

1. Obtain a population of new hires.
2. For a sample of new hires, validate that they completed their background check prior to their hire date.
1. Obtain a population of new hires.
2. For a sample of new hires, provide the documentation of the interview
feedback given during the interview process, and validate that at least one
approval was obtained prior to receiving an offer.

1. List of roles that require national security clearances
2. Obtain list of personnel with national security clearances
3. Obtain evidence for the personnel with national security clearances:
• screening of authorized personnel
• rescreening of authorized personnel every 5th, 10th or 15th year (based on security clearance)
• reinvestigation on the 5th year for law enforcement and high impact public trust level

1. Provide documented process for onboarding of contingent workers
2. Provide organization Confidential Information Agreement
3. Obtain list of new contingent workers onboarded
4. For sampled cases, provide evidence of organization Confidential Information Agreement to ensure that the agreement is signed by contingent workers
1. Provide documented policy which enforces that employees sign the terms and conditions of employment and the non-disclosure agreement (PIIA).
2. Obtain list of full time employees who joined during the audit period
3. For sampled cases, provide evidence of PIIA to ensure the agreement is signed by all full time employees
4. Where PIIA is not applicable, provide evidence of a sample of signed offer letters to full time employees with clauses relevant to non-disclosure

1. Provide Acceptable Use Policy and Code of Conduct
2. For sampled cases, provide evidence that the acceptable use policy is communicated to all new hires and existing employees
3. For sampled cases, provide evidence that the full time employees have read and agree to the Code of Conduct as part of their onboarding process

1. Obtain documented check-in performance management process for on-going dialogue between managers and employees
2. Obtain evidence of the periodic reminders sent to managers for regular check-in conversations at least annually
3. Obtain a population, and select a sample of employees for check-in. Provide screenshots of parameters/query used if needed.
4. Obtain evidence that check-ins were performed; additional evidence can be evidence of performance discussion as part of compensation reviews, V2Mom's, TeamSpace, etc.
1. Provide sample evidence/screenshot of enabling Team Space to allow leaders and team members to maintain constant communication and feedback

1. Provide the mobile device policy
2. Provide evidence to check whether authorized organization personnel are enrolled in an MDM solution
3. Validate that without the enterprise Mobile Device Management (MDM) solution, users cannot access the organization network on their mobile devices

1. Provide organization chart defining the organizational structure and reporting lines

1. Provide policies defining the posting of job descriptions for employees supporting the service
2. Provide evidence of defined authorities and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system
1. Provide evidence of the security awareness training
2. For sampled employees, provide the security awareness training completion evidence
3. For RBs, each vendor is responsible for ensuring their RBs take annual security awareness training or training of some sort for baselines. However, the offering is also responsible for ensuring their RBs take appropriate training when needed, and is responsible for tracking that to completion. Validate whether offerings monitor/enforce any type of security awareness training for RBs.

1. Provide evidence of information security, privacy trainings, and other types of trainings provided to all employees via various methods such as Degreed, budget for training, etc.

1. Obtain list of applicable software engineers (anyone involved in the development, maintenance, review, etc. of an offering/application)
2. For sampled employees, provide the secure coding techniques training completion evidence
1. Provide list of organization personnel interacting with cardholder data systems
2. For sampled cases, provide evidence of awareness training conducted for the personnel
3. Provide evidence that the training covers the following:
• Verifying the identity of third-party personnel prior to granting them access to modify or troubleshoot devices
• Devices shall not be installed, replaced, or returned without verification
• Be aware of suspicious behavior around devices (e.g. attempts by unknown persons to unplug or open devices)
• Report suspicious behavior and indications of device tampering or substitution to authorized personnel (e.g., to a manager or security officer)

1. Provide Whistleblower policy
2. Provide communication methods through which this policy is conveyed to organization personnel
3. Provide the EthicsPoint Incident Management Report (redact confidential information)
4. Provide evidence as to who has access to the EthicsPoint portal

1. Provide the Authentication Standard to determine whether the policies contain requirements for the creation, allocation, change, distribution and safeguarding of passwords.
1. Provide audit logging related policies/procedures/standards and most
recent sign-off.
2. Provide the Logs of critical information system activity that is stored in
secure repository
1. Provide relevant organizational policy/standard details that enforce this requirement
2. Provide relevant process documentation
3. Provide screenshots of IAM configurations showing access to audit logs is limited
4. Provide some sample event logs to showcase how all admin and operational activities are logged and captured
5. Validate whether there has been any tampering with audit logs, or events that have occurred
1. Provide evidence that all audit logs (or security logs at the minimum) can
be traced back to a user, to identify any malicious activity or support forensic
analysis.

1. Provide a walkthrough of the process used by vendors for remote access
2. Provide list of vendors/vendor accounts using remote access
3. For sampled cases, provide evidence of the remote access being enabled only during the time period needed, disabled when not in use, and monitored while in use

1. Provide password management policy
2. Provide snapshot of group policy management console showing password parameters and complexity configured for each customer

1. Provide log management procedure
2. Provide evidence of logs being maintained for remote access sessions
3. Provide evidence of event logs being retained for review

1. Verify that multi-factor (MFA) tokens are generated and access to production systems is only established after a secure organization VPN connection is completed.

1. Please provide organization Logical Access Policy, Logical Access Account Standard and Role Based Access Control Standard.
2. List of all in-scope information systems
3. List of members that are authorized to approve user access provisioning for these in-scope information systems
1. Provide evidence that the offering provides access control capability to cloud service customers
1. Validate all privileged access is reviewed on a quarterly basis or semi-
annual basis.
2. Provide the evidence approval by Manager for the user access review.
3. Validate the population of users is complete and accurate and pulled
directly from the source application.
4. Validate that all discrepancies are removed in a timely manner.

1. For a selection of services, provide the sample accounts and whether the quarterly access review has been performed or not
2. Provide the evidence of approval by the Manager for the user access review, including in case of any discrepancy
3. Provide the user access review documentation
4. Provide tickets raised for access modifications as a result of access reviews
5. Provide the evidence to show that inappropriate access identified as part of quarterly user access reviews shall be remediated within 7 days.

1. Provide snapshot showing access to system is authenticated via unique organization ID credentials. Validate each user at the organization has a unique ID, could be via sample select, query, etc.
1. Validate if application access follows organization AD and VPN.
2. If access does not follow organization AD and VPN, provide a screenshot of the application's password configuration
3. Validate the application's password configuration follows Organization's policy.

1. Provide relevant organizational policy that enforces this requirement
2. Provide snapshot of group policy management console showing password parameters and complexity configured

1. Provide evidence regarding specifications being provided to customers to access their own instances of Organization's cloud services
2. Procedures for management of secret authentication information of cloud services provided to cloud related product customers.
1. Validate that access to the offering's services can only be accessed via
unique ID, and ID's cannot be re-used.

1. Access Management process and password management policy
2. Snapshots for the following:
• User accounts are disabled after they have not been used for a period of two months or after a predefined number of failed login attempts
• Locked user accounts are automatically removed after six months.

1. Provide the user session management and inactivity monitoring documentation
2. Provide evidence of inactive session management compliance with documented requirements
3. Verify that the session expires as per inactivity parameters defined
4. At the minimum, #2 and 3 shall be followed and tested to ensure inactivity monitoring is enabled.

1. Provide the authentication credentials provisioning and modifying documentation
2. Provide list of authorized personnel who verify the identity of users before provisioning and modifying authentication credentials
3. Obtain results of verification performed by authorized personnel. This can be done via an approval ticket, or validation of access afterwards
4. Provide the audit logs produced as part of provisioning and modifying authentication credentials
5. Users shall not have multiple log-in IDs/accounts to privileged systems, or faceless accounts, where impersonation could be implied. If needed, this shall be limited to a select number of privileged users. Validate the application or account cannot be accessed by anyone other than those who were provisioned access.
1. Snapshots showcasing restrictions to limit concurrent login sessions and
the inactive user interface is not displayed when the session is terminated.
I.e. once a session is terminated, re-log in is enforced to view the information
system.

1. Access Management process
2. Snapshots showcasing inactive sessions timeout, or when the user terminates the session. Further validate the system automatically terminates the session when the inactive session time set is reached, via test.

1. Evidence of systems leveraged by the U.S. Federal Government presenting a login screen that displays the following language:
• users are accessing a U.S. Government information system
• system usage may be monitored, recorded, and subject to audit
• unauthorized use of the system is prohibited and subject to criminal and civil penalties
• use of the system indicates consent to monitoring and recording

1. User access management process covering privilege identity management.
2. Screenshot showing privilege access to trusted data environments is granted by authorized session manager.
3. Configuration showing session recording for user activity is recorded
4. Configuration showing tunneling to untrusted data environments is restricted
5. List of users that have privileged logical access to trusted data environments

1. List of applicable/in-scope information technology products
2. List of FIPS 201 Approved Products List (also available on idmanagement.gov)
3. Validate the offering only uses products from the FIPS 201 Approved Products List for Personal Identity Verification (PIV).
1. Provide the documented password policy
2. Review application and system access to validate default passwords are
not being used.
3. Validate applications follow organization AD and VPN.
4. If not, validate application access passwords have been changed from the
default password provided if applicable.

1. Minimum baseline security standard policy or procedural document covering considerations for collaborative computing devices
2. For such computing devices, screenshot from the dashboard reflecting that the baseline security standard/considerations are reflected in the configuration, like - remote activation restriction, explicit indication when such devices or related components are in use

1. Screenshot of sample logs containing successful and failed login attempts
2. Screenshot showing notification prompt detailing acceptable use upon login
3. Screenshot of configuration showing all successful and failed login attempts will be logged
4. Screenshot of configuration showing who has access to view/modify logs
5. Screenshot of configuration showing message that will be displayed to users about user obligations

1. Procedure for managing digital signature/certificates
2. List/Tracker containing details of digital signatures in use and ownership
3. Cryptographic Controls Policy, Cryptographic Implementation Standard
4. Tasks from Product Team side to validate and confirm the authenticity
5. Validate digital signatures include timestamps and use industry standard encryption
1. Provide log management policy/procedure
2. Provide evidence/snapshots of the following details being logged for cardholder
data environments:
• individual user access to cardholder data
• administrative actions
• access to logging servers
• failed logins
• modifications to authentication mechanisms and user privileges
• initialization, stopping, or pausing of the audit logs
• creation and deletion of system-level objects
• security events
3. Provide evidence of logs being maintained for all servers and system
components that perform security functions
4. Provide evidence of logs being maintained for all critical system
components
5. Provide evidence of logs being maintained for all system components that
store, process, transmit, or could impact the security of cardholder data

1. Provide details regarding secure methods and algorithms used by the organization
2. Provide snapshots of the algorithms used for saving, displaying, and processing passwords

1. Validate the organization has access control policies in place governing access to information, applications, and production environments.
2. Validate these policies are reviewed annually.

1. Obtain the user access management process for managing contingent workers' access.
2. List contingent workers that were terminated within the audit period
3. For sampled terminated contingent workers or contingent workers whose contracts expired, provide evidence that their access was terminated within 2 business days.
4. Evidence of off-boarding ticket covering end-to-end termination process.
5. Validate badge access was removed timely.
1. User access management process
2. List employees that were terminated within the audit period from Workday
3. Sample evidence showing access revoked for a terminated full-time employee within 2 business days of termination.
4. For each sampled terminated user, list of applications they had access to
5. Updated list from SSO or individual applications (as applicable) showing access was removed within 2 business days of termination
6. Evidence of off-boarding ticket covering end-to-end termination process
7. Validate badge access was removed timely as well.

1. HR exit policy/process around access termination and procedures around collection of organization property (laptops, etc.)
2. List employees that were terminated within the audit period from Workday
3. ServiceNow or export from IT asset tracking and management system mapping users (organization personnel) to assigned organization IT assets
4. For the sampled terminated users, provide evidence that covers the following:
• Evidence of when the terminated employee was notified to return the asset(s)
• Evidence of when the asset(s) was returned
• If the asset was not returned within 30 business days, evidence of steps taken to ensure the asset(s) was obtained
5. Updated IT asset inventory indicating returned assets along with return date

1. User access management process for managing privileged access
2. List of terminated employees
3. Sample evidence showing privileged access revoked for a terminated employee within 48 hours of termination.

1. Obtain list of terminated employees.
2. Validate a notification was sent to relevant personnel such as managers regarding the termination.

1. Obtain a list of terminated employees.
2. Validate an exit interview was conducted for each relevant terminated employee.

1. Obtain user access management process
2. List of employee reassignments/transfers from Workday
3. For a sample of employee transfers/reassignments, validate the access review was documented and access was adjusted accordingly.
4. For the sampled transferred/reassigned employees, validate access was appropriately removed, if applicable, by validating the user no longer has access to the previous team's applications.
1. Network Monitoring policy and evidence of most recent review and signoff
2. Network architecture diagram (HLD / LLD)
3. Security Incident management process
4. Validate the organization's corporate network includes IDS and IPS systems to
monitor for security breaches.
5. Validate whether there have been any breaches, and if so, that corresponding
documentation and follow-up were completed to resolve the breach and that
corresponding parties were notified as part of breach handling.

1. Provide the configuration of the integrity check of virtual machine images at startup, restart, shutdown and abort transitional states.
2. List of administrators from the tool who will receive the alert notification
3. Provide alert notification configuration settings
4. For a selected sample, provide the discrepancies identified by integrity verification and the resolution taken to act upon them.

1. Provide network architecture (HLD / LLD)
2. Provide evidence showing that the networks used to migrate or create virtual machines are logically separated from other networks.

1. Validate if the offering provides virtual machines or containers to customers for use.
2. If offered, validate customers can restrict the selection of images of virtual machines or containers according to their specifications.
3. Validate the offering informs customers of any changes made to previous virtual machines via communication channel, blog, webpage, or alternative method of communication.
4. The offering shall harden the images in the virtual machine/container and provide evidence of hardening review / compliance check performed for images as per generally accepted industry standards.

1. Provide evidence showing system components that store cardholder data, including payment card collection devices, are located in an internal network zone
2. Provide snapshot of internal network zone segregated from DMZ and other untrusted networks
3. Provide list of personnel having access to the internal network zone
4. For sampled cases, provide evidence showing only authorized users have access to the internal network zone
1. Validate how components are configured to use UTC and how clocks are
synchronized.
2. Validate whether or not the offering provides cloud service customers
information on how to synchronize local clocks with the cloud service clocks.
3. If validated, evidence of how/documentation of how customers can
synchronize clocks with the provider.

1. Provide screenshots of system configurations/time-synchronization settings to verify that access to time data is restricted to only authorized personnel
1. Obtain relevant standards and policies regarding managing firewalls.
2. Provide firewall configurations for cloud service/on-premise
3. List of users that have access to modify firewall configurations
4. Validate how the firewall works and whether there are any custom configurations such as blacklisted IP addresses.
1. Policy and procedure document around firewall configuration management.
2. List of firewall configuration reviews conducted during the ruleset review period.
3. Artifacts pertaining to sampled firewall configuration review meetings.
1. Validate, if used, that physical firewall systems consist of two or more pieces of equipment made by different manufacturers, following a waterfall model layout.
2. Validate redundant firewall systems are installed.
1. Provide snapshot of firewall configuration
2. Provide evidence showing DMZ used to limit inbound and outbound traffic

1. Provide evidence of dynamic packet filtering firewall enabled on the network

1. Provide list of identified authorized parties
2. Provide evidence showing private IP addresses and routing information are disclosed only to authorized parties

1. Provide the network architecture diagram of the system/solution
2. Provide screenshots of firewall and network configurations showing the network is segmented (such as prod vs dev networks), with independent database servers, web servers, IP addresses, etc. for the different segmented network types
1. Network architecture diagrams
2. Validate customers cannot access other customer instances (this can be
done by creating a demo account or validating via demo with product team)

1. Provide relevant policy that enforces this requirement
2. Provide evidence that production environments and non-production environments are segregated.

1. Wireless access policy
2. Validate the mechanisms in place to control access to the organization's network via wireless access points, and validate access is limited to only organization employees.

1. Mobile and portable device management policy
2. Sample evidence (screenshot) of mobile device management solution installed on the mobile device
3. Validate mobile devices without sufficient encryption cannot access the organization's internal resources

1. Mobile and portable device management policy
2. Sample evidence (screenshot) of mobile device management solution installed on the mobile device
3. Validate users cannot change baseline security features of a mobile device. Should the security features be modifiable, validate that access to the organization's internal resources is removed once security features are no longer sufficient.

1. Validate mobile devices are equipped with violation detectors that notify
relevant parties of any tampering that has occurred.
2. Validate if there have been any incidents that have occurred so far.
1. Provide evidence showing only one primary function implemented per
server in the production environment
2. Provide evidence of separate execution domain maintained for each
executing process by information system

1. Provide wireless access policy
2. Provide reports/results of annual access point mapping exercise
3. Provide evidence showing removal of unauthorized wireless access points (if applicable)

1. Threat management process
2. Validate the technology used to protect against DDoS and the spam protection mechanisms.
3. Validate access to the solution is limited.
4. Validate whether there have been any incidents, and if there were any successful incidents, validate a resolution/remediation was documented and corresponding communication was included.

1. Asset register / asset inventory
2. Validate systems have mechanisms in place to protect offerings and customers from DNS spoofing, unauthorized reading and alteration, alternative routing, "cross site scripting" attacks, URL and customer information manipulation, code injection, and user impersonation.

1. Data Privacy Policy and Procedure documents
2. Validate what the offering uses PII for and validate the offering uses PII as stated in the following documents:
• External Privacy Notice
• End user license agreements
1. Data Privacy Policy and Procedure documents
2. Screenshots of implemented controls for compliance with processing of personal data as per the relevant lawful basis for processing of PII corresponding to the specified purpose, such as but not limited to the following:
• External Privacy Notice
1. Data Privacy Policy and Procedure documents
2. Screenshots of implemented controls for compliance with processing of personal data when the relevant lawful basis for processing of PII is consent corresponding to the specified purpose, such as but not limited to the following:
• External Privacy Notice
• End user license agreements
1. Data Privacy Policy and Procedure documents, and validate if the offering handles PII.
2. List of major enhancements around the PII processing operations and corresponding reason(s) for performing as well as not performing a privacy impact assessment.
3. Validate whether there has been any new PII, new processing of PII, or changes to existing processing of PII during the audit period. Validate corresponding privacy impact assessments were completed for them.
4. List of Privacy Impact Assessments conducted during the assessment period.

1. Provide the list of identified PII processors and customers identified.
2. Validate the agreements between PII processors and customers have the following controls/agreements in place that cover:
• notice regarding the processing of their PII or changes to the processing of their PII (including changes in sub-processors, if any)
• the ability to modify or withdraw their consent (if consent is the lawful basis for processing the PII)
• objection to the processing of their PII
• restriction of the processing of their PII
• the ability to access, correct and/or erase their PII
• retrieval in a secure manner of any PII or user-generated content they have provided to the offering, in human- and machine-readable formats
• provision in a secure manner of a copy of the PII that is processed
• handling and responding to legitimate requests from PII principals

1. Validate each offering has evaluated the corresponding legal regulations and agreements regarding processing PII.
2. Validate each offering goes through internal audits and has a method of communicating its commitments and obligations regarding the processing of PII.
1. Provide Privacy Data Sheet/Record of Processing activities, Data
Inventories and Data Processing Agreements/Binding Corporate Rules/ other
PII related documents
2. Review records of Privacy Data Sheet/Record of Processing activities, Data
Inventories and Data Processing agreements/Binding Corporate Rules/other
PII related documents, and validate the offering has evaluated the processing
and legal requirements around handling PII.

1. Validate each offering has evaluated the corresponding legal regulations and agreements regarding processing PII.
2. Validate the offering provides a customer-ready document detailing all the PII requirements it shall adhere to. This can be combined with PRV-01.07, which details how each requirement is addressed as well.

1. Provide the relevant process documentation maintained to ensure protection of PII
2. Provide identified / documented legal standards as per geographical location
3. Provide evidence of encryption standards or other measures implemented to protect PII as per the legal standards of the geographical location
1. Obtain the guidelines/procedures in regards to handling PII with third party
suppliers.
2. Validate the third party supplier adheres to the guidelines/procedures by
validating third party agreement with them.

1. Provide the PII collection and processing documentation
2. Provide examples to verify that collection and processing of PII is limited to identified purposes only
3. Provide application PII collection and processing activities walkthrough
4. Validate all PII collected is necessary for the service, and additional PII was not collected.

1. Obtain the document detailing how each offering adheres to data minimization objectives and validate it was reviewed annually.

1. Provide the documented procedure for deletion of PII
2. Sample records of PII deletion to verify that the PII and temporary files created as a result of processing PII were deleted/rendered unidentifiable within the defined timeline
3. Sample select deleted customers, and validate their PII is no longer identifiable and/or has been removed.

1. Validate PII is not processed for longer than is necessary for the purposes
of providing the offering's service.
1. Obtain documentation that shows how PII is accessed, corrected, and
disposed of.
2. Validate that the documentation states that PII shall never be accessed,
corrected or deleted without the customer's consent.
3. Validate the documentation was reviewed annually.

1. Obtain each offering's documentation regarding transfer of PII between jurisdictions, external entities, and internal entities.
2. Provide a list of countries, external entities (i.e. third parties), and internal entities to which PII can be transferred
3. Validate the document was reviewed annually.

1. For all instances of requests, transfers, and disclosures of PII to third parties, a record shall be kept.
2. Sample test all instances of requests, transfers and disclosures and validate a record was kept. Validate the request was evaluated for appropriateness.

1. Validate the offering only retains PII to what is needed to use the service.
2. Validate the offering does not inappropriately handle PII, such as for
marketing purposes, and/or obtain PII that is not needed to use the service.
Validate all PII requested and obtained serves a purpose for the offering.
1. Provide the legal and regulatory requirements list and verify all applicable privacy, legal and regulatory requirements have been captured. Any exceptions have to be reported to senior management.
2. Provide review records and verify the list is reviewed and updated on a regular basis and/or whenever there are changes to the legal and regulatory privacy acts
3. Provide evidence of compliance with any specific requirements; this can be via internal or external audit reports with findings, published offering webpages, etc. to demonstrate compliance with the terms of service and any other agreements, or real-time evidence of any regulations that need to be adhered to.

1. Obtain the document highlighting each offering's automatic processing of PII.
2. Validate each offering's automatic processing of PII is evaluated from a legal perspective.
3. Validate that for each instance where there is automatic processing of PII, the offering seeks the customer/controller's approval and/or has an agreement documented in place on how to handle the automatic processing of PII.

1. Provide the relevant documentation/process in place to ensure PII accuracy
2. Validate no users have the ability to modify customer PII, or validate there is a process in place to have customers validate the accuracy of their PII.

1. Validate that PII is securely transmitted over a data-transmission network, and that there are methods of validating the data reaches its intended destination.
1. Obtain a list of all request for disclosure of customer data or PII.
2. Validate each request was evaluated and reviewed for appropriateness,
and the legal appropriateness of the request.
3. For any legally binding requests for disclosure of customer data or PII,
validate the customer was notified via a secure channel.

1. Documented legally binding requests for disclosure of customer PII.
2. Records showing PII disclosure requests other than the ones identified as legally binding and notified to customers are rejected.
3. Records highlighting that customers are consulted before making any PII disclosures and before accepting any contractually agreed requests for PII disclosures that are authorized by the customer.
4. Records showing PII disclosures made were either legally binding requests or made only after consultation with the customer, with records of the same maintained.

1. Provide the PII collection and processing documentation
2. Provide application PII collection and processing activities walkthrough
3. Provide examples of recent notifications sent to users notifying them that their personal data is collected from any other sources

1. Validate roles and responsibilities are defined between the offering and
customers and/or third party vendors and suppliers.
2. Validate appropriate controls are defined if necessary to validate the
secure processing of PII.
3. Validate the offering obtains evidence of effectiveness of controls called
out in #2.

1. Provide legal and regulatory requirement documentation
2. Provide documented evidence on PII information processed or stored
3. Provide the list of countries and offerings to which PII can be transferred
4. Validate the offering follows the legal and regulatory requirements for transferring PII.
1. Documented data protection officer roles and responsibilities.
2. Evidence of issues related to PII being reported to the management by the
DPO
3. Evidence of communication done by DPO to inform top-level management
and employees of the organization of their obligations regarding processing
PII
4. Evidence of communications with supervisory authority if any in case of
enquiries/ audits etc. highlighting DPO as a point of contact for
communications with Supervisory Authority.
5. Review records by DPO for privacy impact assessments conducted by the
organization

1. Provide contracts and relevant documentation that specify the notification process and associated implications in case of data breach, of any PII transfers between jurisdictions, and of any intended changes in this regard
2. Provide a list of all events of PII breaches, PII transfers between jurisdictions, or intended changes in this regard, and the corresponding notifications that were sent to relevant parties

1. Provide evidence that PII processed under a contract is not used for the
purposes of marketing and advertising without consent from the appropriate
PII principal.
2. Records of consent taken from the appropriate PII principal prior to use of
PII for the purposes of marketing and advertising
3. Provide the PII collection and processing documentation in order to ensure
that consent for usage of PII for the purposes of marketing and advertising is
not made a condition for receiving the service.
4. Sample select any instances where PII was used for marketing and
advertising, and obtain the corresponding consent for it.

1. Provide the PII Customer obligations documentation (if they don't adhere
to corporate Privacy policy)
2. Provide relevant contractual agreements with customers or agreements
with customers
1. Provide the documented roles and responsibilities for the processing of the
PII
2. Evidence of training provided to the offering resources for the identified
roles and responsibilities

1. Provide contract between the offering and customer
2. Provide evidence that any changes to the processing of customer PII are made only after customer approval/consent
3. Provide evidence of the process to obtain customer consent before obtaining PII

1. Provide PII infringement process documentation
2. Provide evidence of notification sent to users in case PII processing requests lead to infringement

1. Provide list of subcontractors used for processing PII
2. Provide evidence of communication sent to the customer if a subcontractor is used for processing PII

1. Documentation around obligations of an offering on behalf of the customer/controller
2. Validate the offering provides customers/controllers with appropriate information and access to controls via a front-facing webpage, SOC report, etc.
3. Any additional legal and contractual requirements shall be considered as well; validate the offering adheres to the legal and contractual requirements stated.
1. Provide documented information on requirements for processing customer
PII
2. Provide the sample notification sent to customer/controller in case of any
change in the subcontractor processing PII
3. Provide evidence of resolution provided to objections raised by
customer/controller for any subcontractor changes

1. Documentation of controls and mechanisms to provide customer access to their own log records for the in-scope system components
2. Artefacts demonstrating the following:
• Records of all requests received are maintained.
• All requests are reviewed and, based on the authenticity and applicability of the request, appropriate action is performed.
• Implementation and review of all the controls and mechanisms documented to provide customer access to their own log records for the in-scope system components.
• Sample test any customer requests, if applicable, and validate logs were provided in a secure manner.

1. Provide the documented Privacy Information Security Management System Risk Assessment Methodology covering the following aspects:
• Identification of potential threats related to the processing of PII
• Rating the significance of the risks associated with the identified threats
• Mitigation strategies for the identified risks
• Documentation and communication of the identified risks, as well as possible vulnerabilities within the cloud service provider and their impacts
• Regular review and approval by upper management, or its designated representative(s)
1. Provide the documented Privacy Information Security Management System Risk Assessment Methodology, including risk mitigation strategies and acceptable levels defined based on organization risk criteria pertaining to risks associated with processing PII.
2. Provide the latest risk assessment and treatment documentation demonstrating that the methodology is implemented, that assessments are conducted annually, that threats as well as changes (environmental, regulatory, and technological) to service commitments are identified, and that the risks related to PII processing are formally assessed

1. Evidence of communication to management of the results of the latest privacy risk assessments, conducted annually.
2. Evidence of review meetings conducted for finalization of controls to mitigate risks identified during privacy risk assessments

1. Provide the documented procedure for performing PII restoration testing
2. Provide evidence of performing PII restoration testing, such as detailed logs about the restoration testing (who performed it, description of PII restored and integrity check of restored data) and corresponding communication.
3. Validate the restoration test was performed annually.

1. Policy and procedure document(s) corresponding to security incident management.
2. Screenshots of artefacts demonstrating communication of the policies and procedures to authorized personnel.
1. Policy and procedure document(s) corresponding to privacy incident
management.
2. Screenshots of artefacts demonstrating communication of the policies
and procedures to authorized personnel.
3. List of Privacy Incident Response team members
1. Provide the documented security incident management procedure
2. Validate resources and communication channels exist to advise
organization employees on how to handle and report security incidents.
1. Policy and procedure document(s) corresponding to security incident
management highlighting event management.
2. Artefact(s) demonstrating that for different devices in the environment
logging is enabled, logs are generated and generated logs are fed into
a (push/pull) SIEM solution or any other monitoring tool for review/analysis
and tracking of logs.
3. Security incident management tracker and corresponding details
pertaining to classification, investigation and remediation/closure of events
classified as incidents.
4. Validate events around confidentiality, security, and availability are
captured. Provide all security, confidentiality, and availability events during
the examination period, and screenshots of parameters/query used to
generate the report including date and timestamp.
1. Policy and procedure document(s) corresponding to privacy incident management highlighting event management.
2. Artefact(s) demonstrating that for different devices in the environment logging is enabled, logs are generated and generated logs are fed into a (push/pull) SIEM solution or any other monitoring tool for review/analysis and tracking of logs.
3. Privacy incident management tracker and corresponding details pertaining to classification, investigation and remediation/closure of events classified as incidents.
1. Obtain offering documentation highlighting event logging requirements as a cloud service customer.
2. Evidence that the cloud service provider is able to meet the offering's requirements for event logging and audit trail details.
3. Validate the audit trail and event logs are easily requestable and/or accessible by the offering.

1. Approved documentation highlighting the requirements and specifications of event logging capabilities which can be provided to cloud service customers.
2. Records of all customers that requested logging capabilities.
3. Artefacts demonstrating that requests from cloud service customers related to logging capabilities are validated and implemented.
4. Alternatively to 2/3, the offering can provide customers an audit log of activity as part of the service. Customers shall be given the ability to access this history/audit log via their own account.

1. Validate a process is defined for responding to intellectual property rights complaints.
2. Validate whether any complaints have occurred so far and whether they have resulted in any implications.
1. Provide walkthrough of incident/event management process followed for
auditable security events in CDE
2. Provide sample events recorded in the cardholder data environment
3. Provide evidence showing the following audit trail entries are recorded in
the audit logs:
• User identification is included in log entries
• Type of event is included in log entries
• Date and time stamp is included in log entries
• Success or failure indication is included in log entries
• Origination of event is included in log entries
• Identity or name of affected data, system component, or resources is
included in log entries

1. Policy and procedure document(s) corresponding to vendor risk management governing the different steps of the vendor lifecycle (onboarding, review and offboarding)
2. List of critical vendors (suppliers)
3. Artefacts demonstrating implementation of the vendor risk management process for some sampled vendors across different stages.
4. Artefacts demonstrating that security requirements are addressed in the vendor contracts via MSA, SOW, etc.

1. List of high dependency suppliers
2. List of alternate suppliers identified
3. Documented exit strategies with high dependency suppliers and corresponding process around vendor/supplier management.

1. Vendor review criteria (audit / self-assessment / independent review reports).
2. Tracker highlighting list of critical vendors and corresponding details as well as status of the review (Pass/Fail/Remediation/In Progress).
3. Sampled vendor review results and corresponding remediation steps in case of findings.
1. Provide sample third-party IT outsourced suppliers contracts and
agreements clearly defining that cybersecurity managed services centers for
monitoring and operations shall be completely present inside the Kingdom of
Saudi Arabia

1. Provide sample reports of evaluations done for National Cybersecurity Authority requests to remove software or services provided by third-party providers
2. Provide details of third-party software or services removed upon validation of the request

1. Provide screenshots of sample tickets and communications
2. Provide details regarding incident tracking mechanism
3. Provide all security, confidentiality, and availability events during the examination period, and screenshots of parameters/query used to generate the report including date and timestamp. Sample test incidents and validate they were resolved timely, and corresponding parties were notified if necessary (external and internal).
1. Approved documentation around privacy incident management policy highlighting the following aspects:
• Logging and tracking privacy related incidents
• Requirement to perform root cause analysis of an incident to identify if the incident led to a loss or breach of personal information, and to evaluate and perform mitigation steps
• Internal and external communications to all affected parties
2. Validate communication channels are in place internally and externally to report incidents.
3. Obtain a sample of privacy incidents, and validate the following:
• Monitoring, logging and tracking of privacy related incidents
• Root cause analysis of incidents to identify if an incident led to a loss or breach of personal information, and mitigation steps post evaluation
• Internal and external communications to all the affected parties
1. Provide the relevant policy in place that enforces this requirement
2. Provide test plan documentations
3. Provide evidence of completed tests with details regarding how often these
tests were performed

1. Provide example system capacity monitoring report
2. Provide process details regarding how capacity monitoring is performed on a regular basis/cadence
3. Provide snapshot of changes implemented based on findings from the capacity monitoring report

1. Provide list of critical systems which are monitored for availability
2. Provide the list of authorized personnel for sending alerts
3. Provide follow-up evidence and resolution plan, if applicable, in case of issues in availability
4. Configuration showing the alerting tool is configured as per defined criteria and to monitor all systems that are deemed critical
5. Alerting configuration from the tool showing authorized personnel are alerted after certain defined thresholds are met
6. Identify if there were any major availability outages or gaps, and review follow-up to resolve the issues.
1. Approved documentation around capacity management
2. Validate with the offering whether capacity was reviewed annually and whether additional funding for capacity was needed.
3. If additional budget and funding was needed, validate the offering followed up to secure, or at least communicate, the funding needed.

1. Provide the organization's Master Service Agreement (MSA), and validate it is viewable by customers
2. Within the MSA, the focus will be around service commitments that are made to the customer of the product/platform, especially around security, availability, confidentiality, and privacy (as applicable)

1. List of suppliers
2. Documented, organization Legal approved information sharing agreements with the suppliers and corresponding process around vendor/supplier management.
1. Obtain updated ToS (Terms of Service)
2. Provide evidence of consent obtained for updated ToS
3. An agreement may be by signature, acknowledgement, use, or other method (explicit or non-explicit).

1. Validate if cloud service customers have any assets that reside on the cloud service provider's premises, and if this is documented in a central repository.
2. Validate if there have been any requests for return or termination of cloud service agreements.
3. Should the customer have assets that reside on the provider's premises, validate the asset was returned in a timely manner, the return of the asset was documented, and information regarding the returned asset was provided to the customer.

1. Provide organization payment process documentation
2. Provide walkthrough of payment process and credit card data storage process

1. Provide evidence of written acknowledgement provided to the customer by the Organization's services that manage, store, or transmit cardholder data on behalf of the customer, of their responsibility to protect cardholder data and the cardholder data environment

1. Policy and procedure document(s) corresponding to malware protection.
2. Tracker of all assets in the production environment and corresponding status of synchronization/integration with the antimalware/antivirus technology. Validate virus signature definitions are up-to-date and valid.
3. Validate the cadence of full anti-virus scans on the environment for any viruses, and validate the anti-virus scan completes.
4. Validate the configuration of alerts is set up to notify corresponding people when malware is identified or an anti-virus scan fails to run.
1. Provide screenshot of antivirus management console (if available) dashboard showing overall status of all employee workstations/devices in scope, including last scan performed, antivirus version installed, definition update, etc.
2. Provide screenshot of the configuration of anti-virus solutions deployed on workstations/devices in scope. Screenshots shall include details such as anti-virus program version and admin controls in place to prevent system users from disabling or altering the configuration of the antivirus program.
3. Provide screenshot of last updated antivirus definitions and admin control in place to prevent system users from disabling such updates. Validate definitions are up-to-date.

1. Provide documentation regarding the Organization's antivirus deployment process
2. Provide sample audit logs generated by antivirus deployments
3. Provide evidence that audit logs generated by antivirus deployments are retained for at least one year and will be available for immediate analysis if required

1. Provide walkthrough of mechanisms/controls enforced on users' systems to restrict users from disabling or altering antivirus mechanisms
2. Provide evidence that a user is only granted access to disable or alter antivirus mechanisms post approval from management

1. Provide walkthrough of process in place to detect or block potentially malicious emails
2. Provide evidence of sandboxing technique usage to detect or block potentially malicious emails

1. Policy and procedure document(s) corresponding to vulnerability management.
2. Last internal and external network vulnerability scan reports.
3. Tracker of vulnerabilities identified in the last internal as well as external scans and corresponding timelines, plan and responsibility for closure.
4. Latest vulnerability scan reports in order to ensure closure of the vulnerabilities as per the plan.

1. Policy and procedure document(s) corresponding to vulnerability management.
2. Last penetration testing report highlighting the identified vulnerabilities.
3. Tracker of vulnerabilities along with corresponding timelines, plan and responsibility for closure.
4. Latest penetration testing report in order to ensure closure of the vulnerabilities as per the plan.

1. Validate offerings are subscribed to security bulletins and/or emails from internal or verified external resources to monitor the impact of emerging technologies and any new security risks.
1. Obtain description of tools/applications/utilities covering how technical vulnerabilities that can impact customers are managed
2. Provide evidence of the notification service subscribed to with the Cloud Service Provider for notifications about management of technical vulnerabilities undertaken by the cloud service provider, and validate how the provider communicates its handling of vulnerabilities to customers.

1. Sample 4 monthly vulnerability scans.
2. Sample a select number of changes and validate a vulnerability scan was performed as part of the code change.
3. Validate all vulnerabilities were assigned a risk rating, reviewed, and remediated in a timely manner. Each vulnerability shall have a corresponding ticket.

* Note - If vulnerability scans cannot be completed as part of the change process (i.e. before every code release), a daily vulnerability scan shall be performed of the production environment.

1. Provide Patch Management policy
2. Provide list/scope of infrastructure (tools/applications) that support the main product platform
3. List/information of all the supplier provided patches for the audit period
4. All applicable internal and external vulnerability scanning reports
5. Provide audit log tracker for patches updated for each asset type, e.g. servers, OS, software/applications, routers, switches, firewalls, etc. Sample select to validate that each asset is up-to-date with the most recent supplier patch.

1. Policy and procedure document(s) around receiving, testing and implementation of security related updates.
2. Tracker highlighting the threat advisories/security bulletins received from different sources and corresponding status of their implementation across devices.
1. Provide documented description of the systems, environment and
boundaries of the product in scope
2. Provide evidence of communication of product description to authorized
internal and external stakeholders. This could be via an internal and external
public facing webpage or more.

1. Provide an Incident Management policy / Communication policy / crisis communication plan that includes information for notifying incidents to external parties, including the following aspects:
• Information about external party dependencies/affected external parties.
• Criteria for notification to external parties as required by [the organization] policy in the event of a security breach.
• Contact information for authorities (e.g., law enforcement, regulatory bodies, etc.)
• Provisions for updating and communicating external communication requirement changes

2. Records demonstrating the following:
• Notifications have been sent to external parties in case of any security incident/breach.
• Relevant authorities are contacted in case of any security incident/breach.
• Review is conducted periodically of the corresponding governing documentation and it is updated as required.
• All incident communication is performed as per the defined communication policy.

1. Provide list of authorities from the offering that have been identified and for which specific roles and responsibilities have been established. Relevant authorities shall be relevant to the area/location the service is being provided.

1. Inventory of software license contracts corresponding to different software.
2. Procedures for license maintenance and usage are in place and maintained
3. Ensure monitoring records of periodic reviews/audits are maintained to ensure adherence to the requirements of the software license contracts and usage restrictions. Licenses are increased if needed, and shall not be surpassed.
1. Provide documented communication plan to inform the cloud service customer within 72 hours whenever internal or external staff read or write cloud customers' data during processing, storage or transmission.
2. List of users that have access to customer data
3. List of user account access to customer data that was requested during the audit period
4. Validate if an audit log/trail exists of access to customer data. Validate if any instances of access to customer data exist
5. If any deadline (end date) for access is included in the access request, provide evidence that the access for such users was removed on time
6. Validate that for any instances of access to customer data, customers were notified within 72 hrs.

1. Validate if there have been any investigation requests from government agencies.
2. Validate if an analysis was performed for each investigation request.
3. Validate information was only provided upon approval from legal and subject matter experts at the organization.

1. Obtain a list of suppliers that the offering uses.
2. For all suppliers that handle sensitive customer information and/or can affect the availability, confidentiality, and security of a product, validate a corresponding approval was obtained prior to using the supplier.
3. Validate the agreement includes security requirements and the nature of the information transmitted between the offering and supplier.

1. List of authorized and trained individuals who are allowed to post public information.
2. Records showing public information posted during the control review period was posted only by authorized and trained individuals, post review.
3. Records of periodic reviews of information on public systems for nonpublic information, which is removed upon identification.
4. If any inappropriate or non-public information is identified on public systems, validate corresponding personnel are notified and the material is removed immediately.
1. Validate the cloud service provider informs cloud service customers of
legal jurisdictions governing the cloud service.

1. Provide penetration testing calendar prepared for organization services operating in Saudi Arabia (KSA)
2. Provide penetration testing reports for tests conducted on organization services operating in Saudi Arabia (KSA)
3. Provide evidence of penetration tests conducted on a semiannual basis

1. Provide penetration testing calendar prepared for tests performed against cardholder data environments (CDE)
2. Provide penetration testing reports for tests conducted on cardholder data environments (CDE)
3. Provide scope and requirements documentation for penetration testing on cardholder data environments (CDE)

1. Provide evidence of the insider threat program in place
2. Provide evidence that the program is being reviewed periodically
3. Provide evidence that legal and regulatory advice is sought regarding the development and implementation of a trusted insider program

1. Provide proof of appointment, which may include e.g. appointment letter, communication mails, organizational chart, any charter document(s), etc.
2. Provide governance roles and responsibility document highlighting roles and responsibilities of the CISO.
3. Provide evidence of management review meetings conducted by the CISO for the cyber security program, which may be in the form of Minutes of Meetings (MoMs), etc.
1. Provide evidence of communication of compromise or suspected
compromise of Cryptographic Equipment or associated keying material to the
Chief Information Security Officer or one of their delegates as soon as it
occurs
2. Provide evidence of keying material being changed when compromised or
suspected of being compromised

1. Validate the offering has identified a sponsor if they are pursuing IRAP.

1. Identify areas where customer and personal information is stored and provide evidence of this determination
2. List of tools/applications/services/methods that are used to perform the monitoring of data spillage
3. Validate whether security solutions such as Data Leakage Prevention (DLP) are implemented to monitor movement of customer and personal information
4. Provide evidence of monitoring of customer and personal information for data spillage
5. Provide process/guidance document highlighting post incident guidelines in the event of data spillage
6. As applicable, provide a sample data spill that happened recently, with evidence showing all necessary steps (like removal of data/access) were taken

1. Provide hardening guidelines for video and calling infrastructure
2. Provide evidence of hardening performed for video and calling infrastructure
3. Provide the following hardening evidence if available:
• Video conferencing or IP telephony traffic uses an encrypted and non-replayable authentication scheme.
• Authentication and authorization are in place for all call related activities such as individual logins for IP phones, call setup, changing settings, and accessing voicemail.
• IP phones are configured to authenticate to the call controller upon registration. Auto-registration, along with all other unused and prohibited functionalities, is disabled.
• Unauthorized devices are blocked by default.

1. Provide evidence (configuration + a sample of one) to validate authentication and authorization are in place for individual logins of IP phones used for SECRET or TOP SECRET conversations.
1. Provide fax machine and multi-function device (MFD) policy.
2. Within the MFD policy, provide evidence that the following components are
covered:
• Separate fax machines and MFDs are used for sending classified
information.
• Messages are encrypted to an appropriate level depending on information
sensitivity.
• The sender of a fax message makes arrangements for the receiver to
collect the fax message as soon as possible after it is sent and for the
receiver to notify the sender if the fax message does not arrive in an agreed
amount of time.
• A direct connection from an MFD to a digital telephone system is not
enabled unless the digital telephone system is authorized to operate at the
same sensitivity or classification as the network to which the MFD is
connected.
• MFDs connected to networks are not used to copy documents above the
sensitivity or classification of the connected network.
• Fax machines and MFDs are located in areas where their use can be
observed.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Within the MDM policy, provide evidence that mobile devices are not permitted to process, store, or communicate SECRET or TOP SECRET data, and that the policy clearly articulates the approval workflow if SECRET or TOP SECRET data is to be processed/stored/communicated.
3. Sample exceptions/approvals taken from ACSC

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Evidence of MDM policy configured for privately-owned mobile devices.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Within the MDM policy, provide evidence that mobile devices are prohibited from accessing classified or highly classified systems or data
3. Evidence of MDM policy configured for privately-owned mobile devices.
1. Provide Mobile device management/ teleworking/ trusted device policy
2. Evidence of MDM policy configured for organization-owned mobile devices.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Within the MDM policy, provide evidence that mobile devices are required to encrypt using at least an ASD approved cryptographic algorithm (more information: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-cryptography)
3. Evidence of cryptographic algorithm implemented for mobile devices.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Evidence of Bluetooth device restriction implemented for mobile devices.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Provide MDM configuration showing Bluetooth functionality is not enabled on highly classified mobile devices

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Provide MDM configuration showing mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.
1. Provide Mobile device management/ teleworking/ trusted device policy
2. Provide MDM configuration showing Bluetooth pairing is performed using
Bluetooth version 2.1 or later.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Provide MDM configuration showing Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Provide MDM configuration showing Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Provide MDM configuration showing Paging, Multimedia Message Service, Short Message Service and messaging apps are prohibited from communicating sensitive or classified data.

1. Provide Mobile device management/ teleworking/ trusted device policy
2. Evidence of communication of this policy to personnel
3. Within the policy, evidence of requirements around protection of the mobile screen (like a privacy screen) for mobile devices issued by the organization

1. Provide Mobile device management policy requiring privacy filter applications on mobile devices
2. Using a sample mobile device, demonstrate that privacy filters are applied on the mobile devices
1. Provide Mobile device management/ teleworking/ trusted device policy
stating best practices to attend phone calls to ensure that confidential
conversations are not being overheard

1. Provide Mobile device management/ teleworking/ trusted device policy stating best practices to attend phone calls to ensure that mobile devices are kept under direct supervision when being used.

1. Provide Mobile device management/ teleworking/ trusted device policy stating best practices to attend phone calls to ensure that mobile devices are carried and/or stored in a secured state when not being used.

1. Provide Mobile device management or documentation containing the mobile device emergency sanitization process, and supporting mobile device emergency sanitization procedures

1. Provide Teleworking/ trusted device policy/ Code of conduct

1. Provide Teleworking/ trusted device policy/ Code of conduct to ensure that the following conditions are included in the policy(ies):
• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities
• advised on how to apply and inspect tamper seals to key areas of devices
• advised to avoid taking any personal devices, especially if rooted or jailbroken.

1. Provide Teleworking/ trusted device policy/ Code of conduct to ensure that the following conditions are included in the policy(ies):
• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
• update all applications and operating systems
• remove all non-essential accounts, applications and data
• apply security configuration settings, such as lock screens
• configure remote locate and wipe functionality
• enable encryption, including for any media used
• backup all important data and configuration settings.
1. Provide Teleworking/ trusted device policy/ Code of conduct to ensure that
following conditions are included in the policy(ies):
• never leaving devices or media unattended for any period of time,
including by placing them in checked-in luggage or leaving them in hotel
safes
• never storing credentials with devices that they grant access to, such as in
laptop bags
• never lending devices to untrusted people, even if briefly
• never allowing untrusted people to connect other devices or media to their
devices, including for charging
• never using designated charging stations, wall outlet charging ports or
chargers supplied by untrusted people
• avoiding connecting devices to open or untrusted Wi-Fi networks
• using an approved Virtual Private Network to encrypt all device
communications
• using encrypted mobile applications for communications instead of using
foreign telecommunication networks
• disabling any communications capabilities of devices when not in use, such
as cellular data, wireless, Bluetooth and Near Field Communication
• avoiding reuse of media once used with other parties’ devices or systems
• ensuring any media used for data transfers are thoroughly checked for
malicious code beforehand
• never using any gifted devices, especially media, when travelling or upon
returning from travelling.

1. Provide Teleworking/ trusted device policy/ Code of conduct/ incident management policy to ensure that the following conditions are included in the policy(ies):
• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials
• have devices or media stolen that are later returned
• lose devices or media that are later found
• observe unusual behavior of devices.

1. Provide Teleworking/ trusted device policy/ Code of conduct policy to ensure that the following conditions are included in the policy(ies):
• sanitise and reset devices, including all media used with them
• decommission any physical credentials that left their possession during their travel
• report if significant doubt exists as to the integrity of any devices following their travel.
1. Provide Teleworking/ trusted device policy/ Code of conduct policy to
ensure that the following conditions are included in the policy(ies):
• reset user credentials used with devices, including those used for remote
access to their Organization's systems
• monitor accounts for any indicators of compromise, such as failed login
attempts.

1. Provide network zoning policy
2. Within the network zoning policy, provide evidence that administrator workstations are required to be placed into a separate network zone from user workstations (network segmentation)
3. Provide evidence of separation of these networks using firewall rules, etc.

1. Provide network zoning policy
2. Within the network zoning policy and through configuration, provide evidence that management traffic is required and configured (respectively) to originate from network areas that are dedicated to administering systems/applications

1. Provide network security/ wireless/ remote access policy
2. Provide configuration based evidence showing jump servers/boxes are only used to manage administrative access and activities.

1. Provide vulnerability assessment and patch management policy
2. Provide last VA scan reports
3. Provide audit log tracker for patches updated for applications and drivers
4. Provide sample change tickets for last patching performed based on review.
5. Provide VA/PT tracker capturing records, history and status of all vulnerabilities identified.
6. Provide sample extreme risk vulnerability treatment ticket for vulnerabilities identified in the last VA scan to show whether it was patched, updated, or mitigated within 48 hours.

1. Provide vulnerability assessment and patch management policy
2. Provide last VA scan reports
3. Provide audit log tracker for patches updated for applications and drivers
4. Provide sample change tickets for last patching performed based on review.
5. Provide VA/PT tracker capturing records, history and status of all vulnerabilities identified.
6. Provide sample high risk vulnerability treatment ticket for vulnerabilities identified in the last VA scan to show whether it was patched, updated, or mitigated within two weeks.
1. Provide vulnerability assessment and patch management policy
2. Provide last VA scan reports
3. Provide audit log tracker for patches updated for applications and drivers
4. Provide sample change tickets for last patching performed based on
review.
5. Provide VA/PT tracker capturing records, history and status of all
vulnerabilities identified.
6. Provide sample low risk vulnerability treatment ticket for vulnerabilities
identified in last VA scan to show if it was patched, updated, or mitigated
within a month.

1. Provide vulnerability assessment and patch management policy
2. Provide last VA scan reports
3. Provide audit log tracker for patches updated for operating systems and firmware
4. Provide sample change tickets for last patching performed based on review.
5. Provide VA/PT tracker capturing records, history and status of all vulnerabilities identified.
6. Provide sample extreme risk vulnerability treatment ticket for vulnerabilities identified in the last VA scan to show whether it was patched, updated, or mitigated within 48 hours.

1. Provide vulnerability assessment and patch management policy
2. Provide last VA scan reports
3. Provide audit log tracker for patches updated for operating systems and firmware
4. Provide sample change tickets for last patching performed based on review.
5. Provide VA/PT tracker capturing records, history and status of all vulnerabilities identified.
6. Provide sample high risk vulnerability treatment ticket for vulnerabilities identified in the last VA scan to show whether it was patched, updated, or mitigated within two weeks.

1. Provide vulnerability assessment and patch management policy
2. Provide last VA scan reports
3. Provide audit log tracker for patches updated for operating systems and firmware
4. Provide sample change tickets for last patching performed based on review.
5. Provide VA/PT tracker capturing records, history and status of all vulnerabilities identified.
6. Provide sample low risk vulnerability treatment ticket for vulnerabilities identified in the last VA scan to show whether it was patched, updated, or mitigated within a month.
1. Provide vulnerability assessment and patch management policy covering Information and Computer Technology (ICT) assets.
2. Provide evidence that the policies' requirements are in alignment with ACSC methods and timeframes in the context of classifying, labelling, handling and patching of ICT equipment.

More information: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-ict-equipment

1. Provide screenshots from the server of Content-Security-Policy, HSTS and X-Frame-Options response headers implemented in the web application.
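A way to check the three headers the screenshots above are meant to evidence, as an added example (not part of the CCF or Cisco's material); the one-year HSTS floor and the sample header sets are assumptions.

```python
"""Offline check of the response headers named in the artifact above
(constructed example for illustration; not Cisco CCF tooling)."""
import re
from typing import Dict, List

# One year is a common HSTS baseline; assumed here, not a value stated by the CCF.
MIN_HSTS_MAX_AGE = 31536000
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens, lower-cased]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all three headers are
    present and carry values an auditor would accept."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    issues: List[str] = []
    for name in REQUIRED_HEADERS:
        if name not in h:
            issues.append(f"missing header: {name}")

    if "strict-transport-security" in h:
        hsts = h["strict-transport-security"]
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            issues.append("HSTS: max-age directive missing")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            issues.append(f"HSTS: max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            issues.append("HSTS: includeSubDomains not set")

    # ALLOW-FROM is obsolete and ignored by current browsers; only DENY/SAMEORIGIN count.
    if "x-frame-options" in h and h["x-frame-options"].strip().upper() not in ("DENY", "SAMEORIGIN"):
        issues.append(f"X-Frame-Options: unsupported value {h['x-frame-options']!r}")

    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        if "default-src" not in csp:
            issues.append("CSP: no default-src fallback directive")
        for directive in ("default-src", "script-src"):
            if "'unsafe-inline'" in csp.get(directive, []):
                issues.append(f"CSP: {directive} allows 'unsafe-inline'")
    return issues


# Constructed sample responses (not captured from any real system).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.test; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example.test",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, assess_headers(hdrs) or ["no findings"])
```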

1. Provide Software Development Life Cycle (SDLC), and/or MBSS (Minimum Baseline Security Standard), and/or Application Security Verification Standard (ASVS) guidelines that are being followed while developing web applications.

1. Provide network architecture diagram
2. Demonstrate through router and firewall configurations that database and web servers are functionally separated

1. Provide network architecture diagram
2. Demonstrate through router and firewall configurations that database servers are placed on a different network segment from the Organization's workstations

1. Provide screenshot of configuration showing disabled functionality of the database management system (DBMS), if applicable

1. Provide configuration based evidence that the Database Management System (DBMS) software is installed and configured according to vendor guidance.
2. Provide a mapping, or walk through by inquiry, of how all the installation steps from the vendor provided guide were followed to ensure that all temporary files for installation were removed and other features that weren't required were disabled

1. Provide configuration based evidence that the Database Management System (DBMS) software is installed and configured according to vendor guidance.
2. Provide access properties screenshot of the DBMS software to demonstrate that it follows the least privilege concept and does not have the ability to read local files from the server
1. Provide configuration based evidence that the Database Management System (DBMS) software is installed and configured according to vendor guidance.
2. Provide access properties screenshot of the DBMS software to demonstrate that it follows the least privilege concept and does not have the ability to read local files from the server

1. Provide evidence that parameterized queries or stored procedures are required and are used instead of dynamically generated queries

1. Provide evidence that web applications are designed to provide as little error information as possible to users about database schemas.

1. Provide evidence that access to non-approved webmail services is blocked.

1. Provide sample screenshot showing protective markings on emails containing highly sensitive information
2. Provide email manager configuration settings to demonstrate that protective markings are applied manually by the sender and not inserted automatically by a tool
3. Provide best/secure email practices document demonstrating this requirement

1. Provide evidence of protective markings being disabled on systems that are not authorized to process, store or communicate said markings.

1. Validate that protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email.

1. Validate email servers have the following requirements and meet them:
• Configuration/ policy implemented on email servers to block inappropriate
protective markings.
• Emails blocked by email server that involve inappropriate protective
markings.
• Notification is provided to sender and recipient of blocked emails.

1. Validate recipient nationality (using Active Directory) prior to message transmission.

1. Validate email is routed through a centralized email gateway by configuring an authenticated and encrypted channel.
1. Validate backup or alternative email gateways are maintained at the
same standard as the primary email gateway.

1. Validate email servers only relay emails destined for or originating from
their domains.
1. Provide evidence showing opportunistic TLS encryption is enabled on email
servers that make incoming or outgoing email connections over public
network infrastructure.

1. Evidence showcasing enablement of MTA-STS to prevent the transfer of unencrypted emails between complying servers.

1. Validate that SPF is used to specify authorized email services (or lack
thereof) for all domains. If an email server is not in the SPF record for a
domain, SPF verification will fail.

1. Validate that hard fail SPF record is used when specifying email servers. If
an email server is not in the SPF record for a domain, SPF verification will fail.
1. Validate that SPF is used to verify the authenticity of incoming emails. If
an email server is not in the SPF record for a domain, SPF verification will fail.
1. Evidence showcasing incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients.
1. Validate email servers have the following requirements and meet them:
• DKIM signatures are enabled on emails originating from an Organization's
domains and received emails are verified
• DMARC records are configured for all domains such that emails are rejected
if they fail SPF or DKIM checks.
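The SPF, DMARC and MTA-STS artifacts above can be pre-checked offline against a domain's published records before the assessor asks for them. The following Python script is an added example, not part of the CCF or its narratives: it parses constructed sample SPF and DMARC TXT records and an MTA-STS policy file (the domain names, record contents and policy ids are assumptions) and flags a non-hard-fail SPF qualifier, a DMARC policy weaker than reject, and an MTA-STS mode other than enforce. It does not verify DKIM signatures, which requires signed message samples rather than DNS records.

```python
"""Added example: offline checks for SPF hard fail (-all), DMARC p=reject and
MTA-STS mode=enforce. The records below are constructed samples for example
domains, not live lookups; replace them with the output of your own resolver."""
import re

# Constructed sample records (assumed domains), not real DNS data.
SAMPLE_DOMAINS = {
    "good.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s",
        "mta_sts_dns": "v=STSv1; id=20240101T000000",
        "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.good.example\nmax_age: 604800\n",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "mta_sts_dns": "v=STSv1; id=20240101T000000",
        "mta_sts_policy": "version: STSv1\nmode: testing\nmx: mail.weak.example\nmax_age: 86400\n",
    },
    "nodns.example": {  # nothing published at all
        "spf": None, "dmarc": None, "mta_sts_dns": None, "mta_sts_policy": None,
    },
}


def spf_all_qualifier(spf_txt):
    """Return the qualifier of the 'all' mechanism ('-', '~', '?' or '+'),
    or None if the record is missing, not SPF, or has no 'all' term."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return None
    for term in spf_txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: no qualifier means '+'
    return None


def dmarc_tags(dmarc_txt):
    """Parse 'tag=value; tag=value' into a dict; empty dict if not a DMARC record."""
    if not dmarc_txt:
        return {}
    tags = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def mta_sts_mode(dns_txt, policy_txt):
    """Return the MTA-STS policy mode ('enforce', 'testing' or 'none'), or None
    if the _mta-sts TXT record or the policy file is absent or malformed.
    In practice the policy is fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    if not dns_txt or "v=stsv1" not in dns_txt.lower().replace(" ", ""):
        return None
    if not policy_txt:
        return None
    fields = {}
    for line in policy_txt.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip().lower(), v.strip())
    if fields.get("version") != "STSv1":
        return None
    return fields.get("mode")


def assess(domain, rec):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []
    q = spf_all_qualifier(rec["spf"])
    if q is None:
        findings.append("SPF: no record or no 'all' mechanism")
    elif q != "-":
        findings.append(f"SPF: '{q}all' is not hard fail; use '-all'")
    tags = dmarc_tags(rec["dmarc"])
    if not tags:
        findings.append("DMARC: no record")
    elif tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC: p={tags.get('p')} does not reject failures")
    elif tags.get("sp", "reject").lower() != "reject":
        findings.append(f"DMARC: subdomain policy sp={tags['sp']} weaker than p")
    mode = mta_sts_mode(rec["mta_sts_dns"], rec["mta_sts_policy"])
    if mode != "enforce":
        findings.append(f"MTA-STS: mode is {mode!r}, expected 'enforce'")
    return findings


def assess_all(domains=SAMPLE_DOMAINS):
    return {d: assess(d, r) for d, r in domains.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "OK" if not findings else "; ".join(findings))
```

To use it against real domains, replace the sample entries with TXT lookups of the domain itself, _dmarc.<domain> and _mta-sts.<domain>, plus the policy file fetched over HTTPS. Note that DMARC passes when either aligned SPF or aligned DKIM passes, so a p=reject policy only rejects messages that fail both; the adkim/aspf strict-alignment tags in the sample tighten what counts as a pass.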

1. Provide evidence showcasing email content filtering controls are enabled for email bodies and attachments.
1. Provide evidence of configuration in place so that emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway.

1. Provide approved network architecture diagrams showcasing VLANs are not used to separate network traffic between organizations' networks and public network infrastructure, or networks belonging to different security domains.

1. Provide approved network architecture diagrams showcasing VLANs belonging to different security domains are terminated on separate physical network interfaces.

1. Provide approved network architecture diagrams showcasing VLANs belonging to different security domains do not share VLAN trunks.
1. Provide approved network architecture diagrams showcasing network devices implementing VLANs are managed from the most trusted security domain.
1. Provide evidence showcasing:
• IPv6 tunnelling is disabled for dual-stack network devices and Information and Communications Technology (ICT) equipment.
• Network security devices that support IPv6 are used on dual-stack networks.

1. Provide evidence showcasing:
• IPv6 tunnelling is disabled on all network devices and ICT equipment.
• IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries.

1. Validate dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 (DHCPv6), with lease data stored in a centralized logging facility.

1. Provide evidence showcasing servers operating independently by maintaining effective functional separation from other servers.
1. Validate that servers minimize communications with other servers at both the network and file system level.
1. Validate that inbound network connections from and outbound network connections to anonymity networks are blocked.
1. Provide evidence showcasing the administrative interface is disabled for wireless network connections on wireless access points.
1. Provide evidence showcasing:
• Checks are performed to ensure the SSID of a non-public network cannot be associated with the organization.
• The default SSID of wireless access points is changed, and SSID broadcasting is enabled on all wireless networks.

1. Provide evidence that a dynamic range of IP addresses is assigned for wireless networks, confirming that static addressing is not used for assigning IP addresses on wireless networks.

1. Validate that MAC address filtering is not used to restrict which devices can connect to wireless networks.

1. Provide evidence showcasing 802.1X authentication with EAP-TLS implemented to perform mutual authentication for wireless networks, and all other EAP methods disabled on supplicants and authentication servers.

1. Validate device and user certificates have the following requirements and
meet them:
• Both device and user certificates are required for accessing wireless
networks.
• Device and user certificates are not stored on the same device and are
issued on smart cards with access PINs.
• User or device certificates are protected by encryption.

1. Where applicable, validate the PMK caching period to ensure it does not exceed 1440 minutes (24 hours).
1. Validate communications between wireless access points and a RADIUS server are encapsulated with an additional approved layer of encryption.

1. Provide evidence of ASD-approved cryptography in use to protect the confidentiality and integrity of all wireless network traffic.
1. Provide evidence that wireless access points have 802.11w enabled to protect management frames.
1. Validate that a greater number of wireless access points using less broadcast power are deployed to achieve the desired coverage.

1. Validate that the effective range of wireless communications outside an organization's area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used.

1. Validate that all wireless access points are Wi-Fi Alliance certified.

1. Provide evidence of online services being hosted in the cloud.

1. When using environments that require high availability, validate Content Delivery Networks (CDNs) have the following requirements and meet them:
• Content Delivery Networks that cache websites are used, and the IP address of the web server under the organization's control is not disclosed.
• The origin server is restricted to accept connections only from the CDN and an authorized management network.

1. Provide a screenshot of the registrar lock status set for the domain names of online services, with registration details.

1. Validate that High Assurance Cryptographic Equipment (HACE) is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.

1. Validate that mechanisms are implemented for all connections between security domains to inspect and filter data flows for the transport and higher layers as defined in the OSI model.

1. Validate gateways have the following requirements and meet them:
• log network traffic permitted through the gateway
• log network traffic attempting to leave the gateway
• are configured to save event logs to a secure logging facility
• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns.

1. Provide evidence of the last two tests performed on gateways to determine that testing is performed at regular intervals no more than six months apart.
1. Validate approved architecture diagram showcasing:
• Demilitarized zones are used to broker access to services accessed by
external entities
• mechanisms are applied to mediate internal and external access to less-
trusted services hosted in these demilitarized zones.

1. Validate system administrator roles for gateway administration have the following requirements and meet them:
• Gateway administrators shall be formally trained to manage gateways.
• All system administrators of gateways are cleared to access the highest level of data communicated or processed by the gateway.
• All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) data are Australian nationals.
• Roles for the administration of gateways are separated.

2. Provide evidence showcasing that, for gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party.

1. Provide evidence that system owners become stakeholders for all the
connected security domains once connectivity is established.

1. Provide evidence showcasing:
• Only authenticated and authorized users and services, including ICT equipment, can use the gateway.
• Multi-factor authentication is used to access gateways.

1. Provide evidence that a Cross Domain Solution (CDS) is implemented when a SECRET or TOP SECRET network is connected to any other network from a different security domain.

1. Provide evidence showcasing:
• A process is in place to notify and consult the ACSC when designing and deploying a CDS.
• All directions provided by the ACSC are complied with.

1. Provide evidence showcasing:
• A process is in place to notify and consult the ACSC when introducing additional connectivity to a CDS.
• The ACSC is consulted on the impact to the security of the CDS.
• Directions provided by the ACSC are complied with.
1. Validate CDS between a highly classified network and any other network
have the following requirements and meet them:
- isolated upward and downward network paths
- protocol breaks at each layer of the OSI model
- content filtering and separate independent security-enforcing components
for upward and downward data flows

1. Provide a list of authorized personnel who are granted access to the CDS.

2. For sampled users, provide evidence that the users are trained on the secure use of the CDS:
• Records/documents including the most recent review and approval.
• Sample of communication mail/documents.

1. Provide the event logging policy.

2. Provide evidence that a sample of security events generated by the CDS is taken at least every 3 months and assessed.
3. Share the comprehensive logging capabilities established in the CDS.
4. Sample of the log management dashboard showing security event logging configurations.
5. Sample of alert notifications.

1. Provide the evaluation report of the firewall.

2. Evidence of an evaluated firewall used between an AUSTEO network and a foreign network.
3. Firewall configuration/ruleset for the in-scope networks.

1. Provide the evaluation report of the firewall.

2. Evidence of an evaluated firewall used between an AUSTEO network and another Australian controlled network.

1. Provide the diode evaluation report.

2. Evidence of an evaluated diode used between organizations' networks and public network infrastructure.

1. Provide the high assurance diode report.

2. Evidence of a high assurance diode used between SECRET and TOP SECRET networks and public network infrastructure.

1. Provide the diode evaluation report.

2. Evidence of an evaluated diode used between networks.

1. Provide the high assurance diode report.

2. Evidence of a high assurance diode used between SECRET or TOP SECRET networks and any other network.

1. Provide the diode evaluation report.

2. Evidence of an evaluated diode used between an AUSTEO or AGAO network and a foreign network.

1. Provide the diode evaluation report.

2. Evidence of an evaluated diode used between an AUSTEO or AGAO network and another Australian controlled network.
1. Provide the monitoring report of the diode used to monitor the volume of data being transferred.
2. Evidence of an alert being sent to the organization if the volume of data suddenly changes.
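For the diode volume monitoring artifact above, the following Python function is an added example (not the page's own content) of the alerting logic an organization could show the assessor. It takes per-interval byte counts through the one-way link (constructed sample data here; the interval length, window size and threshold factor are assumptions) and raises an alert when a count departs from the rolling median of recent intervals by more than a chosen factor in either direction, since a spike can indicate bulk transfer through the diode and a drop can indicate a broken feed.

```python
"""Added example: alert when the volume of data crossing a diode changes
suddenly. Counts are constructed sample data; in practice they come from the
diode's transfer logs or interface counters on the sending side."""
from statistics import median

# Constructed sample: bytes transferred per 5-minute interval (assumed interval).
SAMPLE_COUNTS = [
    10_100_000, 9_800_000, 10_300_000, 9_950_000, 10_050_000, 10_200_000,
    9_900_000, 10_150_000, 48_500_000, 52_000_000, 10_000_000, 9_700_000,
    9_950_000, 0, 0, 10_100_000,
]


def volume_alerts(counts, window=6, factor=3.0, min_history=4):
    """Return (index, bytes, baseline, kind) for each interval whose volume is
    more than `factor` times the rolling median of the previous `window`
    non-alerting intervals ('spike') or less than the median divided by
    `factor` ('drop'). Alerting intervals are excluded from the baseline so a
    sustained spike does not raise the baseline and mask what follows. No
    alerts are raised until `min_history` intervals have been observed."""
    alerts = []
    history = []
    for i, n in enumerate(counts):
        if len(history) >= min_history:
            baseline = median(history[-window:])
            if baseline > 0 and n > baseline * factor:
                alerts.append((i, n, baseline, "spike"))
                continue
            if baseline > 0 and n < baseline / factor:
                alerts.append((i, n, baseline, "drop"))
                continue
        history.append(n)
    return alerts


def format_alert(alert, interval_minutes=5):
    """Render one alert as the notification text sent to the organization."""
    i, n, baseline, kind = alert
    return (f"diode volume {kind} at interval {i} ({i * interval_minutes} min): "
            f"{n} bytes vs baseline {baseline:.0f}")


if __name__ == "__main__":
    for a in volume_alerts(SAMPLE_COUNTS):
        print(format_alert(a))
```

The median is used rather than the mean so that one abnormal interval does not distort the baseline; the factor and window should be tuned against the diode's normal traffic profile before the alert is wired to the notification channel.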

1. Provide the web usage policy.

2. Evidence that all web access (including to internal servers) is conducted through a web proxy.
3. Provide the web proxy logs report.
4. Provide evidence of notifications sent to customers for critical changes that may affect their processing.

1. Evidence of a web content filter used to reduce the likelihood of malicious code infection.
2. Snapshot of the web content filtering solution used to prevent an adversary from communicating with their malicious code, if deployed on the network.

1. Provide the web usage policy.

2. List of allowed websites to which client-side active content is restricted.
3. Evidence showcasing that client-side active content, such as Java, is restricted to a list of allowed websites.

1. Evidence of a solution that decrypts and inspects all TLS traffic as per content filtering security controls.
2. Provide a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted.
3. Evidence that legal advice was sought for the inspection of TLS traffic by internet gateways.

1. Provide the blacklisting and whitelisting methods used for web content filters.
2. List of allowed websites, using either domain name or IP address, for HTTP and HTTPS traffic communicated through internet gateways.
3. List of blocked websites which cannot be used due to their content or hosting of malicious content.
4. Evidence that the list of blocked websites is updated on a daily basis.
5. Provide the list of dynamic domains which can be registered anonymously for free.
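As an added example for the allow/block list artifacts above (not from the CCF or the ISM), the following Python function evaluates a request URL against constructed sample lists: a domain allowlist, an allowed IP range, a domain blocklist and a set of dynamic DNS suffixes. The list contents and the precedence order (block rules win over allow rules, default deny) are assumptions chosen for illustration. Domains are matched on label boundaries so that an allowlist entry for example.com does not also admit example.com.evil.test.

```python
"""Added example: evaluating a web proxy allow/block policy for one request.
All lists are constructed samples. For HTTPS only the host name (SNI) is
visible unless TLS is decrypted, so every decision here is host-based."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"example.com", "updates.example.net"}
ALLOWED_NETWORKS = [ip_network("192.0.2.0/24")]
BLOCKED_DOMAINS = {"malware.example.org", "ads.example.com"}
# Dynamic DNS providers where names can be registered anonymously for free.
DYNAMIC_DNS_SUFFIXES = {"dyn.example", "free-dns.example"}


def host_under(host, suffixes):
    """True if host equals or is a subdomain of any entry; the leading dot in
    the endswith() check is what stops 'example.com.evil.test' from matching."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def decide(url):
    """Return (verdict, reason). Precedence: blocklist, dynamic DNS,
    IP-literal host against allowed networks, domain allowlist, default deny."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "block", "unsupported scheme or missing host"
    if host_under(host, BLOCKED_DOMAINS):
        return "block", "host on blocklist"
    if host_under(host, DYNAMIC_DNS_SUFFIXES):
        return "block", "dynamic DNS domain"
    try:
        addr = ip_address(host)  # handles both IPv4 and bracketed IPv6 literals
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in ALLOWED_NETWORKS):
            return "allow", "IP literal in allowed network"
        return "block", "IP literal not in allowed network"
    if host_under(host, ALLOWED_DOMAINS):
        return "allow", "host on allowlist"
    return "block", "not on allowlist"


if __name__ == "__main__":
    for u in ("https://www.example.com/login", "http://example.com.evil.test/",
              "https://ads.example.com/x", "http://192.0.2.10/update",
              "https://host.dyn.example/"):
        print(u, *decide(u))
```

Because ads.example.com sits under the allowlisted example.com, the sample shows why the blocklist has to be consulted first; a filter that checks the allowlist first would let it through.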
1. Evidence of an effective content filter.
2. Provide security testing/assessment reports performed of content filters.

1. Provide evidence that all suspicious, malicious and active content is blocked from entering a security domain.
2. Provide the list of data identified as suspicious by a content filtering process.
3. Provide the review report by authorized personnel confirming all suspicious content is blocked.
4. Are anti-malware tools updated routinely and/or automatically?
• How often are anti-malware definitions updated?
• How often are anti-malware nodes communicating with the master node (if this is how the AM/AV technology works)?
• Are there logs for anti-malware tools that cover update versions and security events?

1. Provide the automated dynamic malware analysis report.

1. Provide the content validation report.

1. Provide the content conversion and transformation process used to mitigate the threat of content exploitation.
2. Evidence of content conversion and transformation performed.

1. Evidence of the content sanitization process performed to mitigate the threat of content exploitation.

1. Provide evidence of contents being extracted from archive/container files.
2. Provide the extracted file.
1. Provide the inspection report of archive/container files.
2. Evidence of controlled inspection of archive/container files done to check the content filter performance.

1. Provide evidence of how many files cannot be inspected.

2. Evidence of notifications sent for the files that cannot be inspected.
3. Provide evidence of the files which are blocked.

1. Provide documentation (if applicable) to validate whether system owner consultation and legal advice were sought before allowing a targeted cyber intrusion activity to continue on a system for the purpose of collecting further data or evidence.
2. Within the documentation, provide further evidence pointing to the scope of the intrusion activity and all applicable approvals.

1. Provide sample screenshots of network traffic logs generated by firewalls and intrusion detection and prevention systems (IDS and IPS).
2. Provide evidence through logs that full network traffic was stored for at least 7 days after the intrusion.

1. Provide the hardening guidelines for video and calling infrastructure.

2. Provide evidence of hardening performed for video and calling infrastructure.
3. Provide the following hardening evidence if available:
• Video conferencing or IP telephony traffic flows through a gateway with a video-aware and/or voice-aware firewall.
• Video conferencing and IP telephony calls are established using a secure session initiation protocol (SIP over TLS).
• Video conferencing and IP telephony traffic is separated physically or logically from other data traffic. Workstations that use video and IP phone traffic use VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.
• If IP phones are used in public areas, their ability to access data networks, voicemail and directory services is prevented.
• Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol (SRTP).

1. Provide evidence (recording) of all actions performed by investigators.

2. Evidence of checksums created for all evidence.
3. Provide evidence that a proper chain of custody is maintained.
4. Provide the list of users who can access evidence/records.
5. Describe how custody of records/evidence is maintained.
1. Provide the list of contact details maintained 24x7 by cloud customers and service providers.
2. Provide the list of additional out-of-band contact details used when normal communication channels fail.
3. Evidence of cyber security incidents reported.
4. Provide evidence of how users are communicated with for reported cyber security incidents.

1. Provide evidence that all cyber security incidents are reported to the ACSC.
2. Provide the cyber security incident tracker maintained by the team.
1. Provide the joint security assessment report of commercial and government gateway services selected by the ACSC.
2. Provide the Infosec Registered Assessors Program (IRAP) assessor's report.
3. Evidence that the assessment is reviewed at least every 24 months.

1. Provide the security assessment report of cloud service providers and their cloud services.
2. Evidence that the assessment is reviewed at least every 24 months.

1. Evidence of community and private clouds used for outsourced SECRET and TOP SECRET cloud services.
2. Provide the outsourced cloud services register.

1. Provide the documented process for the control of Australian systems.

2. Provide the report where AUSTEO and AGAO systems for processing, storing or communicating data are maintained.

1. Provide the documented process for the control of Australian systems.

2. Provide evidence that AUSTEO and AGAO systems can only be accessed under the sole control of the Australian Government.

1. Provide the Common Criteria EAL requirements.

2. Provide evidence of Common Criteria evaluation, which is traditionally conducted at a specified EAL.
3. List of all evaluated products.

1. Provide a snapshot showing the 64-bit version of the operating system is used when developing a Microsoft Windows SOE.

1. Provide the hardening security guides produced by the Australian Cyber Security Centre (ACSC) and vendors.
1. Provide the methods for the use of Microsoft operating systems and Microsoft-supported applications.
2. Evidence of the PowerShell version and Constrained Language Mode configuration.
3. Provide PowerShell script block logs.

1. Provide the hardening security guides for Microsoft Office, web browsers and PDF viewers produced by the Australian Cyber Security Centre (ACSC) and vendors.

1. Provide the configuration guidelines for web browsers to block or disable Java, Flash and web advertisements.
2. Evidence of the web browser configuration used.

1. Snapshot showing any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled.

1. Snapshot showing the use of Microsoft Office, web browser and PDF viewer add-ons is restricted.

1. Provide the application hardening process.

2. Provide the configurations of the Microsoft Office products installed on the workstations.
1. List the applications and operating systems that are no longer supported by vendors.
2. Provide the latest application and operating system patching reports with the updated vendor-supported versions.
3. Provide the security vulnerability testing report for applications and operating systems.
4. Application vulnerability scan reports and evidence of a remediation plan for all critical and high vulnerabilities.

1. Provide the formal inventory process for authorized RF and IR devices.

2. List of authorized RF devices in SECRET and TOP SECRET areas.
3. Provide the RF device register/tracker maintained for authorized RF devices in SECRET and TOP SECRET areas.
4. Provide the list of authorized users who can access SECRET and TOP SECRET areas.
5. Confirm the duration and provide the report of the access review.

1. List of unauthorized RF devices in SECRET and TOP SECRET areas.

2. Provide evidence of security measures that are used to identify and respond to unauthorized RF devices.
3. Provide the security register maintained for unauthorized RF devices to understand the security risks associated with the introduction of such devices.

1. Provide the wireless keyboard and wireless security requirements.

2. Provide evidence that Bluetooth and wireless keyboards are not used unless in an RF-screened building.

1. Provide the wireless keyboard and wireless security requirements.

2. Provide evidence that the following are prevented when using infrared keyboards:
• line of sight and reflected communications travelling into unsecured spaces
• multiple infrared keyboards for different systems being used in the same area
• other infrared devices being used in the same area
• infrared keyboards operating in areas with unprotected windows.

1. Provide evidence of cabling infrastructure installation.

1. Evidence of fiber-optic cables used for cabling infrastructure.

1. Provide the cable labelling process and supporting cable labelling procedures.
2. Provide the cable register.
3. Snapshot of labelling on building management cables.

1. Provide floor plan diagrams.

1. List of cable colors used at inspection points.
2. Evidence of cable colors that are labelled at inspection points.
3. Provide evidence of cable inspectability in non-shared government facilities.

1. Evidence of fiber-optic cables used in the cabling infrastructure.

2. Evidence of fiber-optic cables complying with the security requirements.

1. Provide evidence that cable groups sharing a common cable reticulation system have a partition between the cable groups.

1. Provide evidence of cables running in a sealed cable reticulation system in shared facilities.
1. Validate that in any facilities, conduits or front covers of ducts, cable trays in floors and ceilings, and any other associated fittings are clear plastic.

1. Validate that in any facilities, unique and identifiable SCEC-endorsed tamper-evident seals were used to seal removable covers on TOP SECRET cable reticulation systems.
1. Validate in any facilities, all plastic conduit joints are sealed via conduit
glue and TOP SECRET conduit runs are connected by threaded lock nuts.

1. Validate that TOP SECRET cables do not run in party walls in shared
facilities.
1. Validate that TOP SECRET cables are encased in conduit with all gaps
between the conduit and wall filled with appropriate sealing compound in
shared government facilities where wall penetrations exit a TOP SECRET area
into a lower classified space.

1. Validate that cables are encased in conduit with all gaps between the
conduit and wall filled with appropriate sealing compound in shared non-
government facilities where wall penetrations exit into a lower classified
space.

1. Validate cables from cable trays to wall outlet boxes are run in flexible or
plastic conduit
1. Validate wall outlet boxes have connectors on opposite sides of the wall
outlet box if the cable group contains cables belonging to different systems.

1. Validate Cabling boxes have the following requirements and meet them:
• Different cables groups do not share a wall outlet box.
• Wall outlet boxes denote the systems, cable identifiers and wall outlet box
identifier.
• OFFICIAL and PROTECTED wall outlet boxes are colored neither salmon pink
nor red.
• Wall outlet box covers are clear plastic.
• SECRET wall outlet boxes are colored salmon pink.
• TOP SECRET wall outlet boxes are colored red.

1. Validate that TOP SECRET fiber-optic fly leads exceeding 5 meters in length that are used to connect wall outlet boxes to ICT equipment are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box's identifier.

1. Validate cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet.

1. Validate that in TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet.

1. Validate that in TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated as close as possible to the cabinet.
1. Obtain evidence of cables terminating in individual cabinets, or for small
systems, one cabinet with a division plate to delineate cable groups.

1. Provide evidence of TOP SECRET cables terminating in an individual TOP SECRET cabinet.
1. Provide evidence of different cable groups terminating on the different
patch panels.
1. Provide evidence of visible gap between TOP SECRET cabinets and
cabinets of lower classifications.
1. Provide evidence of installing TOP SECRET and non-TOP SECRET patch
panels in separate cabinets.

1. Evidence of separation of patch panels.

2. List of personnel who have access to the cabinet.
3. If patch panels of a lower classification than TOP SECRET are located in the same cabinet as a TOP SECRET patch panel:
• a physical barrier in the cabinet is provided to separate the patch panels
• only personnel holding a Positive Vetting security clearance have access to the cabinet
• approval from the TOP SECRET system's authorizing officer is obtained prior to installation.

1. If applicable, validate that ASIO was consulted prior to penetrating an audio-secured space, and that all ASIO recommendations were complied with.

1. Validate that a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.

1. Validate that in TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.

1. Validate that system owners deploying SECRET or TOP SECRET systems with RF transmitters inside or co-located with their facility:
• Contact the ACSC
• Provide the emanation security threat assessment report
• Provide additional installation criteria derived from the emanation security threat assessment.

1. Validate that system owners deploying OFFICIAL or PROTECTED systems with RF transmitters that will be co-located with SECRET or TOP SECRET systems:
• Contact the ACSC
• Provide the emanation security threat assessment report
• Provide additional installation criteria derived from the emanation security threat assessment.
1. Validate that system owners deploying SECRET or TOP SECRET systems in shared facilities:
• Contact the ACSC
• Provide the emanation security threat assessment report
• Provide additional installation criteria derived from the emanation security threat assessment.

1. If system owners deployed systems overseas, provide evidence of the emanation security threat advice obtained when contacting the ACSC.
2. Provide additional installation criteria derived from the emanation security threat advice.

1. If system owners deployed systems or military platforms overseas, provide evidence of the emanation security threat assessment obtained when contacting the ACSC.
2. Provide additional installation criteria derived from the emanation security threat assessment.

1. Evidence of emanation security issues identified.

2. Provide the emanation security threat assessment report and mitigation strategies.

1. Provide the ICT equipment guidelines.

2. Evidence that ICT equipment meets industry and government standards relating to electromagnetic interference.

1. Provide the telephone systems policy.

2. Provide evidence of awareness provided on the sensitivity of information and the security risks of non-secure lines.
3. Evidence of encryption of sensitive conversations.
4. Provide evidence of telephone systems used for sensitive or classified conversations.
1. Validate that telephone systems are configured so that:
• Speakerphones are not used in TOP SECRET areas unless the telephone system is located in a room rated as audio secure and only personnel involved in the discussion are present in the room.
• In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorized for the transmission of TOP SECRET information.
• In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements.
• Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorized for communicating.
• IP phone and video conferencing workstations match the data classification level of their area.
• Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas or non-TOP SECRET workstations in TOP SECRET areas.

1. Evidence of the delivery procedure for procuring high assurance ICT equipment as guided by the ACSC.

1. Provide evidence of high assurance ICT equipment installed.

2. Provide the configurations of high assurance ICT equipment and validate they adhere to ACSC guidelines.

1. Provide the ICT equipment management policy.

1. Evidence of classification of ICT equipment.

2. Provide the ICT equipment register.

1. Provide the marking scheme process for labelling ICT equipment.

2. Provide evidence of protective markings used for labelling ICT equipment.

1. Provide evidence of approval obtained from the ACSC before applying labels to external surfaces of high assurance ICT equipment.
1. Obtain the ICT equipment management policy.
2. Obtain samples of ICT equipment handling and validate it adheres to the
policy.

1. Obtain instances where high assurance ICT equipment was repaired.

2. Validate ACSC approval was obtained prior to the repair occurring.

1. Provide the documented process for cleared personnel to escort uncleared technicians during maintenance or repair activities.

1. Provide the inspection report of ICT equipment and validate no inappropriate changes have been made to the equipment as part of maintenance or repair activities.

1. Provide the ICT equipment sanitization and disposal processes and procedures.
2. Evidence that labels and markings are removed prior to disposal.

1. Validate that ICT equipment designed to meet emanation security standards was disposed of appropriately according to ACSC guidance.

1. Validate that ICT equipment located overseas that processed or stored AUSTEO or AGAO data is sanitized in situ.

1. Validate that ICT equipment located overseas that processed, stored or communicated AUSTEO or AGAO data and cannot be sanitized in situ is returned to Australia for destruction.

1. Provide the sanitization and disposal procedures for printers and multifunction devices (MFDs).
2. Evidence of sanitization of the printer cartridge or MFD print drum.
2. Evidence of sanitization of the printer cartridge or MFD print drum.
1. Provide sanitization and disposal procedures of printers and multifunction
devices.
2. Evidence that MFD print drum is destroyed if a print is visible on the image
transfer roller.

1. Provide evidence of destruction of printer and MFD platens if any images are retained on the platen.
1. Validate that printers, MFDs and fax machines have no pages trapped in the paper path.

1. Validate that printer cartridges or MFD print drums which cannot be sanitized are appropriately destroyed.

1. Validate that printer ribbons are removed and destroyed in printers and MFDs.

1. Provide the sanitization process and procedures for televisions and computer monitors.
2. Evidence of sanitization of televisions and computer monitors.

1. Validate that televisions and computer monitors which cannot be sanitized are destroyed.
1. Provide sanitization process and procedures of Network devices.
2. Validate memory in network devices is sanitized using the following
processes, in order of preference:
• following device-specific guidance provided by the ACSC
• following vendor sanitization guidance
• loading a dummy configuration file, performing a factory reset and then
reinstalling firmware.

1. Verify that a fax message with a minimum length of four pages is transmitted prior to re-installation if a paper tray of a fax machine is removed.

1. Verify the sanitization of rewritable media after each data transfer between two systems belonging to different security domains.

1. Provide documented policies and procedures in place corresponding to


volatile media sanitization highlighting that:-
• Records are maintained for the volatile media sanitized
• Volatile media is sanitized either by removing power from the media for 10
minutes.
• Read back verification is done post sanitization

2. Provide artefacts corresponding to implementation as follows:-


• Records of the volatile media sanitized during the review period.
• Volatile media is sanitized either by removing power from the media for 10
minutes.
• Read back verification is done post sanitization.
1. Provide documented policies and procedures in place corresponding to
volatile media sanitization highlighting that:-
• Records are maintained for the volatile media sanitized
• SECRET and TOP SECRET volatile media is sanitized by overwriting it at
least once in its entirety with a random pattern followed by a read back for
verification.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the volatile media sanitized during the review period.
• SECRET and TOP SECRET volatile media is sanitized by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.

1. Provide documented policies and procedures in place corresponding to non-volatile media sanitization highlighting that:-
• Records are maintained for the non-volatile media sanitized
• The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitization

2. Provide artefacts corresponding to implementation as follows:-
• Records of the non-volatile media sanitized during the review period
• The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitization

1. Provide documented policies and procedures in place corresponding to non-volatile media sanitization highlighting that:-
• Records are maintained for the non-volatile media sanitized
• Non-volatile magnetic media is sanitized by overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the non-volatile media sanitized during the review period
• Non-volatile magnetic media is sanitized by overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification.

1. Provide documented policies and procedures in place corresponding to non-volatile media sanitization highlighting that:-
• Records are maintained for the non-volatile media sanitized
• The ATA secure erase command is used, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten

2. Provide artefacts corresponding to implementation as follows:-
• Records of the non-volatile media sanitized during the review period
• The ATA secure erase command is used, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten
1. Provide documented policies and procedures in place corresponding to
Non-volatile media sanitization highlighting that:-
• Records are maintained for the Non-volatile EPROM media sanitized
• Non-volatile EPROM media is sanitized by applying three times the
manufacturer’s specified ultraviolet erasure time and then overwriting it at
least once in its entirety with a random pattern followed by a read back for
verification.
• Non-volatile EEPROM media is sanitized by overwriting it at least once in its
entirety with a random pattern followed by a read back for verification.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the Non-volatile EPROM media sanitized during the review period
• Non-volatile EPROM media is sanitized by applying three times the manufacturer’s specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
• Non-volatile EEPROM media is sanitized by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.

1. Provide documented policies and procedures in place corresponding to Non-volatile media sanitization highlighting that:-
• Records are maintained for the Non-volatile flash memory media sanitized
• Non-volatile flash memory media is sanitized by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification

2. Provide artefacts corresponding to implementation as follows:-
• Records of the Non-volatile flash memory media sanitized during the review period
• Non-volatile flash memory media is sanitized by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification.
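The overwrite-and-read-back steps that the magnetic, flash, EEPROM and SECRET/TOP SECRET volatile media artifacts above describe, as an added example that is not part of the CCF workbook: a Python routine that picks the pass count those artifacts call for, overwrites a file-backed image with a random pattern, verifies each pass by reading it back, and returns an entry for the sanitization register. It assumes a file stands in for the device, reads "15 Gigabytes" as decimal gigabytes, and does not issue ATA secure erase, reset the HPA/DCO or perform EPROM UV erasure, which need vendor or OS tooling.

```python
"""Overwrite-and-verify sanitization of a file-backed media image.

Added example; not part of the CCF workbook. Models the pass counts quoted
in the artifacts (magnetic: 1 pass, or 3 if pre-2001 or under 15 GB;
flash: 2 passes; EEPROM / volatile: 1 pass) plus read-back verification.
ATA secure erase, HPA/DCO reset and EPROM UV erasure are NOT modelled.
"""
import hashlib
import os
import tempfile

GB = 10 ** 9       # assumption: "15 Gigabytes" read as decimal gigabytes
CHUNK = 1 << 20    # 1 MiB per write/read
SAMPLE = b"CONSTRUCTED SAMPLE DATA " * 200_000   # constructed ~4.8 MB image


def required_passes(media_type, year_manufactured=None, capacity_bytes=None):
    """Number of full random-pattern overwrite passes the artifacts call for."""
    if media_type == "magnetic":
        old = year_manufactured is not None and year_manufactured < 2001
        small = capacity_bytes is not None and capacity_bytes < 15 * GB
        return 3 if (old or small) else 1
    if media_type == "flash":
        return 2
    if media_type in ("eeprom", "volatile"):
        return 1
    raise ValueError(f"unsupported media type: {media_type!r}")


def _overwrite_pass(path, size):
    """Overwrite the first `size` bytes with fresh random data; return its SHA-256."""
    digest = hashlib.sha256()
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            block = os.urandom(min(CHUNK, remaining))
            fh.write(block)
            digest.update(block)
            remaining -= len(block)
        fh.flush()
        os.fsync(fh.fileno())     # make sure the pattern reached the media
    return digest.hexdigest()


def _read_back(path, size):
    """SHA-256 of the first `size` bytes as they now read back from the media."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        remaining = size
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block:           # short read: media returned less than written
                break
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()


def sanitize_image(path, media_type, **media_facts):
    """Run the required passes, verifying each one by read-back.

    Returns a dict suitable for the sanitization register the artifacts ask for;
    `verified` stays False if any read-back differs from what was written.
    """
    size = os.path.getsize(path)
    passes = required_passes(media_type, **media_facts)
    record = {"path": path, "media_type": media_type, "bytes": size,
              "passes_required": passes, "passes_verified": 0, "verified": False}
    for _ in range(passes):
        expected = _overwrite_pass(path, size)
        if _read_back(path, size) != expected:
            return record        # treat as NOT sanitized; destroy the media instead
        record["passes_verified"] += 1
    record["verified"] = True
    return record


def demo():
    """Sanitize a constructed temp image as flash; return (record, data_survived)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE)
        path = tmp.name
    try:
        record = sanitize_image(path, "flash")
        with open(path, "rb") as fh:
            data_survived = fh.read(len(SAMPLE)) == SAMPLE
    finally:
        os.unlink(path)
    return record, data_survived


if __name__ == "__main__":
    rec, survived = demo()
    print(rec)
    print("original data still readable:", survived)
```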
1. Provide documented policies and procedures in place corresponding to
media disposal highlighting that:-
• Records are maintained for the media disposal
• Destruction of the media types listed below prior to disposal:
- microfiche and microfilm
- optical discs/semiconductor memory (using either furnace/incinerator,
hammer mill, disintegrator, grinder/sander or cutting destruction methods.)
- programmable read-only memory
- read-only memory
- other types of media that cannot be sanitized
- faulty media that cannot be successfully sanitized

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• Destruction of the media types listed below prior to disposal:
- microfiche and microfilm
- optical discs/semiconductor memory (using either furnace/incinerator, hammer mill, disintegrator, grinder/sander or cutting destruction methods.)
- programmable read-only memory
- read-only memory
- other types of media that cannot be sanitized
- faulty media that cannot be successfully sanitized

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• SCEC or ASIO approved equipment is used when destroying media prior to disposal.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• SCEC or ASIO approved equipment is used when destroying media prior to disposal.

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• If using degaussers to destroy media prior to disposal, degaussers evaluated by the United States’ National Security Agency are used

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• If degaussers are used to destroy media prior to disposal, degaussers evaluated by the United States’ National Security Agency are used
1. Provide documented policies and procedures in place corresponding to
media disposal highlighting that:-
• Records are maintained for the media disposal
• Equipment used to destroy microfiche and microfilm prior to disposal is
capable of reducing microform to a fine powder, with resultant particles not
showing more than five consecutive characters per particle upon microscopic
inspection

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• Equipment used to destroy microfiche and microfilm prior to disposal is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled appropriately.
• Cutting destruction methods result in media waste particles no larger than 9 mm.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• The resulting waste for all destruction methods prior to disposal, except for furnace/incinerator and degausser, is stored and handled appropriately.
• Cutting destruction methods result in media waste particles no larger than 9 mm.

1. Provide documented policies and procedures in place highlighting that a degausser of sufficient field strength for the coercivity of the magnetic media is used prior to disposal.

2. Provide artefacts highlighting that a degausser of sufficient field strength for the coercivity of the magnetic media is used prior to disposal.

1. Provide documented policies and procedures in place highlighting that a degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used prior to disposal.

2. Provide artefacts highlighting that a degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used prior to disposal.
1. Provide documented policies and procedures in place highlighting that any
product-specific directions provided by degausser manufacturers are
followed prior to disposal.

2. Provide artefacts highlighting that any product-specific directions provided by degausser manufacturers are followed prior to disposal.

1. Provide documented policies and procedures in place highlighting that following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal.

2. Provide artefacts highlighting that following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal.

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed.

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed.
1. Provide documented policies and procedures in place corresponding to
media disposal highlighting that when outsourcing the destruction of media
to an external destruction service, a National Association for Information
Destruction AAA certified destruction service with endorsements, as specified
in ASIO’s PSC-167, is used.

2. Provide artefacts highlighting that in case of outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used.

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• The destruction of media storing accountable material is not outsourced.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• The destruction of media storing accountable material is not outsourced.

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• Following sanitization, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• Post sanitization, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that:-
• Records are maintained for the media disposal
• Labels and markings indicating the sensitivity, classification, owner or any other marking that can associate media with its original use, are removed prior to disposal.

2. Provide artefacts corresponding to implementation as follows:-
• Records of the media disposal during the review period
• Labels and markings indicating the sensitivity, classification, owner or any other marking that can associate media with its original use, are removed prior to disposal.
1. Provide documented policies and procedures in place pertaining to standard operating environments (SOEs) highlighting the following:-
• List of standard operating environments (SOEs) and corresponding details used for all workstations is maintained
• Scans are performed on SOEs for malicious content and configurations prior to usage.
• Annual reviews and corresponding updates done on SOEs

2. Provide artefacts corresponding to implementation as follows:-
• List of standard operating environments (SOEs) and corresponding details used for all workstations is maintained
• Scans are performed on SOEs for malicious content and configurations prior to usage.
• Annual reviews and corresponding updates done on SOEs

1. Provide documented policies and procedures in place highlighting that personnel who are contractors are identified as such.

2. Provide artefacts demonstrating that personnel who are contractors are identified as such.

1. Provide documented policies and procedures in place highlighting that personnel who are foreign nationals are identified as such, including by their specific nationality.

2. Provide artefacts demonstrating that personnel who are foreign nationals are identified as such, including by their specific nationality.

1. Provide documented policies and procedures in place as a part of access management highlighting that foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them.

2. Provide artefacts highlighting the following in the review period:-

• List of foreign nationals including seconded foreign nationals and list of systems that process, store or communicate AUSTEO or REL data as well as corresponding implemented security controls testing results for effectiveness.

• List of users with access to the systems in the above list in order to validate that access is only provisioned for foreign nationals including seconded foreign nationals if effective security controls are in place.
1. Provide documented policies and procedures in place as a part of access management highlighting that foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective security controls are in place to ensure such data is not accessible to them.

2. Provide artefacts highlighting the following in the review period:-

• List of foreign nationals excluding seconded foreign nationals and list of systems that process, store or communicate AGAO data as well as corresponding implemented security controls testing results for effectiveness.

• List of users with access to the systems in the above list in order to validate that access is only provisioned for foreign nationals excluding seconded foreign nationals if effective security controls are in place.

1. Provide documented policies and procedures in place as a part of access management highlighting that foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories.

2. Provide artefacts corresponding to the following in the review period:-

• List of foreign nationals excluding seconded foreign nationals and list of systems, applications and data repositories.

• List of users with access to the systems, applications and data repositories in the above list in order to validate that foreign nationals, excluding seconded foreign nationals, do not have access to those systems' data unless effective security controls are in place to ensure such data is not accessible to them

1. Provide documented policies and procedures in place as a part of access management highlighting that foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data.

2. Provide artefacts corresponding to the following in the review period:-

• List of foreign nationals including seconded foreign nationals and list of systems that process, store or communicate AUSTEO or REL data.

• List of users with privileged access to the systems in the above list in order to validate that there is no match with the list of foreign nationals including seconded foreign nationals
1. Provide documented policies and procedures in place as a part of access management highlighting that foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data.

2. Provide artefacts corresponding to the following in the review period:-

• List of foreign nationals excluding seconded foreign nationals and list of systems that process, store or communicate AGAO data.
• List of users with privileged access to the systems in the above list in order to validate that there is no match with the list of foreign nationals excluding seconded foreign nationals

1. Provide documented policies and procedures in place as a part of access management highlighting that upon identifying malicious activities, access to systems, applications and data repositories is removed or suspended within 24 hours.

2. Provide artefacts corresponding to the following in the review period:-

• Malicious activities monitoring as well as identification (alerting) is in place in terms of records/logs/reports
• Access to systems, applications and data repositories is removed or suspended within 24 hours upon identifying malicious activities in terms of records/logs/reports
1. Provide documented policies and procedures in place corresponding to
access management on the maintenance of records which are secured for
the lifetime of each system covering following:-

• All personnel authorized to access the system, and their user identification
• Who provided authorization for access
• When access was granted
• The level of access that was granted
• When access, and the level of access, was last reviewed
• When the level of access was changed, and to what extent (if applicable)
• When access was withdrawn (if applicable).

2. Provide a list of all the live systems in the environment during the review period in order to validate that, as part of implementation of the access management documentation, records are maintained and secured throughout the lifetime of each system covering the following:-

• All personnel authorized to access the system, and their user identification
• Who provided authorization for access
• When access was granted
• The level of access that was granted
• When access, and the level of access, was last reviewed
• When the level of access was changed, and to what extent (if applicable)
• When access was withdrawn (if applicable).

1. Provide documented policies and procedures in place corresponding to access management with regards to temporary access highlighting that when personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only the data required for them to undertake their duties.

2. Provide the following corresponding to implementation of the access management documentation: a list of personnel in the review period who have been provided temporary access, and an access review of those users to validate the effectiveness of the security controls put in place for restricting access as per their responsibilities/duties.

1. Provide documented policies and procedures in place corresponding to access management highlighting that temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.

2. Provide artefacts corresponding to implementation of the access management documentation in terms of a list of systems during the review period that process, store or communicate caveated or sensitive compartmented information, to validate that no temporary access was granted to the systems in the list within the review period.
1. Provide documented policies and procedures in place corresponding to access management on the usage of emergency access to systems highlighting that emergency access is tested at least once when initially implemented, and each time fundamental information technology infrastructure changes occur.

2. Provide artefacts corresponding to implementation of the access management documentation in terms of:-
• Records of usage of all emergency access to systems in the review period
• Records of testing at least once when initially implemented, and each time fundamental information technology infrastructure changes occur during the review period, with regards to emergency access.

1. Provide documented policies and procedures in place corresponding to access management on the usage of break glass accounts highlighting the following:-
• Break glass accounts are only used when normal authentication processes cannot be used and only for specific authorized activities.
• Usage of the break glass account is monitored and audited to confirm that access as well as usage was appropriate.
• Once access is no longer required, the access credentials for the break glass account are updated to prevent unauthorized access.
• Once credentials are changed, the break glass account access is tested again.

2. Provide the following corresponding to access management on the usage of break glass accounts in the review period:-
• Records on the usage of break glass accounts to validate that they are only used when normal authentication processes cannot be used, and only for specific authorized activities.
• Corresponding logging and monitoring records from each usage, in order to ensure usage as well as access was appropriate.
• Corresponding artefacts highlighting that when access is no longer required, the access credentials for the break glass account are updated to prevent unauthorized access.
• Corresponding artefacts highlighting that once credentials are changed, the break glass account access is tested again.

1. Provide documented policies and procedures in place corresponding to password management highlighting that the minimum password length for multi-factor authentication is 10 characters on TOP SECRET systems.

2. Provide artefacts in place in terms of password configuration screenshots highlighting that the minimum password length for multi-factor authentication is 10 characters on TOP SECRET systems.
1. Provide documented policies and procedures in place corresponding to
service account creation highlighting that service accounts are created as
group managed service accounts.

2. Provide the list of service accounts created as well as the list of group managed service accounts in the review period as a part of implementation in order to validate that service accounts are created as group managed service accounts.

1. Provide documented policies and procedures in place corresponding to authentication highlighting that authentication methods susceptible to replay attacks are disabled.

2. Provide artefacts in place highlighting that authentication methods implemented are not susceptible to replay attacks.

1. Provide documented policies and procedures in place corresponding to authentication highlighting that LAN Manager and NT LAN Manager authentication methods are disabled.

2. Provide configuration setting screenshot / evidence in the review period that depicts the LAN Manager and NT LAN Manager authentication methods are disabled

1. Provide documented policies and procedures in place corresponding to privileged access management highlighting that users having privileged accounts are members of the Protected Users security group.

2. Provide the following artefacts in terms of implementation of the privileged access management:-
• List of privileged accounts and corresponding users who are assigned privileged accounts in the review period.

• List of the users in the Protected Users security group and corresponding results of validation against users associated with privileged accounts in the review period.

1. Provide documented policies and procedures in place corresponding to password management highlighting that credentials are stored separately from systems to which they grant access.

2. Provide artefacts in terms of implementation of the password management highlighting that credentials are stored separately from systems to which they grant access.

1. Provide documented policies and procedures in place corresponding to password management highlighting that stored passwords/passphrases are secured by ensuring they are hashed, salted and stretched.

2. Provide artefacts in terms of implementation of the password management documentation highlighting that stored passwords/passphrases are secured by ensuring they are hashed, salted and stretched.
1. Provide documented policies and procedures in place corresponding to
password management highlighting that passwords/passphrases are
changed if:-
• they are directly compromised
• they are suspected of being compromised
• they appear in online data breach databases
• they are discovered stored in the clear on a network
• they are discovered being transferred in the clear across a network
• membership of a shared account changes
• they have not been changed in the past 12 months.

2. Provide artefacts in terms of implementation of the password management policy demonstrating awareness amongst users, and in terms of configuration settings highlighting that passwords/passphrases are changed in any of the below listed scenarios:-
• they are directly compromised
• they are suspected of being compromised
• they appear in online data breach databases
• they are discovered stored in the clear on a network
• they are discovered being transferred in the clear across a network
• membership of a shared account changes
• they have not been changed in the past 12 months.

1. Provide documentation and artefacts demonstrating that a system administration process, with supporting system administration procedures, is developed/documented, maintained (regular review & approval) and implemented.

1. Provide documented policies and procedures in place corresponding to access management highlighting that privileged users use a dedicated administrator workstation which cannot communicate with assets not related to the administrative activities, or use separate privileged and unprivileged operating environments when performing certain tasks

2. Validate that privileged users only use privileged operating environments for performing privileged tasks, and that all other activity uses the unprivileged operating environments.

1. Provide documented policies and procedures in place corresponding to access management highlighting that privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstation.

2. Provide artefacts corresponding to implementation as follows:-
• List of privileged users in the review period
• Sampled unprivileged administration accounts in order to validate that an unprivileged administration account is assigned to privileged users for authenticating to their dedicated administrator workstation.
1. Provide documented policies and procedures in place corresponding to
access management highlighting that file-based access controls are applied
to database files and periodic review as well as update of the corresponding
access privileges/ rights is also conducted.

2. Provide artefacts corresponding to access management demonstrating that file-based access controls are applied to database files and periodic review as well as update of the corresponding access privileges/rights is also conducted.

1. Provide documented policies and procedures in place corresponding to password/passphrase management for authentication highlighting that passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm.

2. Provide artefacts corresponding to secure password/passphrase storage demonstrating that passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm.

1. Provide evidence that privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access

1. Access Management process and policy

2. Snapshots for the following:
• Access to data repositories, and privileged/unprivileged access to systems and applications, is configured to be automatically disabled after it has not been used for a period of 45 days.

1. Provide evidence showcasing that split tunnelling is disabled on all network devices when accessing an organization's network via a VPN connection.

1. Provide documented policies and procedures in place corresponding to account permissions highlighting that privileged and unprivileged accounts (excluding backup administrators) do not have permissions in place to modify, delete, or access other accounts' or their own account's backups.
2. Provide evidence of account permissions demonstrating privileged and
unprivileged accounts (excluding backup administrators) do not have the
ability to modify, delete, or access other accounts or their own account's
backups.

1. Provide policies and procedures in place corresponding to trusted sources for SECRET and TOP SECRET systems.
2. Provide a list of all accounts with access to SECRET and TOP SECRET
systems which includes:
• Approver
• Approval date
• Date system access was granted

1. Provide log management procedure
2. Provide evidence of logs being maintained for changes to privileged
accounts and groups
3. Provide evidence of logs being retained for review
1. Provide documented policies and procedures in place corresponding to
account permissions highlighting that backup administrator accounts
(excluding backup break glass accounts) do not have permissions in place for
modifying or deleting backups.
2. Provide evidence of account permissions demonstrating backup
administrator accounts (excluding backup break glass accounts) do not have
the ability to modify or delete backups.

1. Validate that access to privileged accounts is limited (i.e. any accounts with direct edit access).
2. Validate privileged accounts are not used to access the internet, email,
and web services.

1. Provide documented policies and procedures in place corresponding to access management highlighting that privileged operating environments cannot be virtualized within unprivileged operating environments.

2. Provide evidence that privileged operating environments cannot be virtualized within unprivileged operating environments

1. Provide Access Management process and policy

2. Snapshots for the following:
• Privileged access to systems, applications, and data repositories is
automatically disabled after a period of twelve months unless revalidated.

1. Provide documented policies and procedures in place corresponding to password management highlighting that:
• Passphrases used for single-factor authentication are at least 4 random
words with a total minimum length of 14 characters, unless more stringent
requirements apply.
• Passphrases used for single-factor authentication on SECRET systems are
at least 5 random words with a total minimum length of 17 characters.
• Passphrases used for single-factor authentication on TOP SECRET systems
are at least 6 random words with a total minimum length of 20 characters.
2. Provide artefacts in place in terms of password configuration screenshots
highlighting that:
• Passphrases used for single-factor authentication are at least 4 random
words with a total minimum length of 14 characters, unless more stringent
requirements apply.
• Passphrases used for single-factor authentication on SECRET systems are
at least 5 random words with a total minimum length of 17 characters.
• Passphrases used for single-factor authentication on TOP SECRET systems
are at least 6 random words with a total minimum length of 20 characters.

1. Provide documentation and artefacts demonstrating that the media management policy is documented, maintained (regular review & approval) and implemented.
1. Provide documentation and artefacts demonstrating that removable media
usage policy is documented, maintained (regular review & approval) and
implemented.
1. Provide documented policies and procedures in place corresponding to media management and removable media usage highlighting that when media is connected to a system with a higher sensitivity or classification, the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured.
2. Provide sample records of the media connected to systems and the corresponding classification of the media as well as of the systems, in order to validate that when media is connected to a system with a higher sensitivity or classification, the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured.

1. Provide documented policies and procedures in place corresponding to media management and removable media usage highlighting that to reclassify media to a lower sensitivity or classification, the media is sanitized (unless the media is read-only) and a formal administrative decision (in consultation with data owners) is made to reclassify the media.
2. Provide sample records of the instances in which reclassification of media is done in order to validate that to reclassify media to a lower sensitivity or classification, the media is sanitized (unless the media is read-only) and a formal administrative decision (in consultation with data owners) is made to reclassify the media.

1. Provide documented policies and procedures in place corresponding to media management and removable media usage highlighting that media is encrypted.
2. Provide artefacts corresponding to media encryption demonstrating that media is encrypted.
1. Provide documented policies and procedures in place corresponding to media management and removable media usage highlighting that media is only used with systems that are authorized to process, store or communicate based on the sensitivity or classification of the media.
2. Provide sample records of media usage as well as corresponding authorized systems in order to validate media is only used with systems which are authorized to process, store or communicate based on the sensitivity or classification of the media.

1. Validate the media management and removable media usage policy documentation for coverage on disabling automatic execution features for media in operating systems
2. Verify the operating system configuration to check whether automatic execution features for media are disabled
1. Validate the media management and removable media usage policy
documentation for restriction on writing to media without an approved
business justification for its use
2. Evidence of documented and approved business justification to write to
media
3. Validate that media is prevented from being written to if there is no
business requirement for its use, or if the business requirement is no longer
valid

1. Validate the media management and removable media usage policy documentation for coverage on transferring of data manually between two systems belonging to different security domains
2. Walkthrough of the process to transfer data manually between two systems belonging to different security domains
3. Evidence of destination system having a mechanism to ensure read-only access to the system; alternatively, evidence that write-once media is used to transfer data manually between systems of different security domains

1. Where it exists, provide consumer guide for evaluated encryption software in use
2. Evidence of implementation of sanitization and post-sanitization requirements as stated in the consumer guide

1. Provide operating system hardening guidelines and documentation
2. Validate that the operating system hardening guidelines were followed via documented reports, checklists, etc.
3. Evidence for documented exceptions to the established system hardening guidelines
4. Evidence of operating system configuration gap assessments reports
Where applicable,
1. Provide evidence of documented application security best practices
2. Provide evidence of implementation of application security guidelines
3. Validate that the following is covered:
• implementation of application controls using cryptographic hash rules,
publisher certificate rules or path rules and validation at least annually
• restriction preventing all users except privileged users from changing or removing application controls

Where applicable,
1. Provide evidence that both publisher names and product names are used
when implementing application control using publisher certificate rules

Where applicable,
1. Provide evidence that application control is configured to generate event
logs
2. Provide sample event logs generated by application
3. Verify if the event logs capture the following for failed execution attempts:
• name of the blocked file
• date/time stamp
• username of the user attempting to execute the file

1. Validate the network architecture diagram to check host-based intrusion prevention system implementation
2. Evidence of HIPS installation on all workstations and high value servers including:
• DNS servers
• web servers
• file servers
• email servers
• authentication servers

1. Provide evidence that external communication interfaces that allow DMA are disabled.

Where applicable,
1. Provide process walkthrough of software-based isolation mechanism used
to share a physical server's hardware
2. Provide evidence that the configuration of the isolation mechanism is
hardened by removing unneeded functionality
3. Provide evidence that access to the administrative interface used to
manage the isolation mechanism is restricted
Where applicable,
1. Provide process walkthrough of software-based isolation mechanism used
to share a physical server's hardware for SECRET or TOP SECRET workloads
2. Provide evidence that the physical server and all computing environments
running on the physical server are of the same classification
3. Provide configuration snapshots that the physical server and all computing
environments running on the physical server are within the same security
domain

1. Validate the media management and removable media usage policy documentation for coverage on encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) if an organization wishes to reduce the physical storage or handling requirements for ICT equipment or media containing sensitive data
2. Provide evidence that encryption software that implements an Australian Signals Directorate Approved Cryptographic Algorithm is used for encryption if an organization wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive data

1. Validate encryption software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL, Sensitive or PROTECTED data.

1. Validate HACE (High Assurance Cryptographic Equipment) is used when encrypting media that contains SECRET or TOP SECRET data.

1. Provide High Assurance Cryptographic Equipment (HACE) usage process for data at rest
2. Provide evidence/configuration snapshots that depict HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition
1. Provide encryption process in place to encrypt AUSTEO (Australian Eyes
Only) and AGAO (Australian Government Access Only) data at rest
2. Provide evidence that an ASD Approved Cryptographic Algorithm (AACA) is
used to encrypt AUSTEO and AGAO data when at rest on a system, in
addition to any encryption already in place

1. Provide documented encryption process for communicating classified data over official networks, public network infrastructure and through unsecured spaces
2. Provide evidence that cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive data over public network infrastructure and through unsecured spaces

1. Provide documented encryption process for communicating classified data over official networks, public network infrastructure and through unsecured spaces
2. Provide evidence that cryptographic equipment or encryption software that has completed a Common Criteria evaluation against a Protection Profile is used to communicate sensitive data over public network infrastructure and through unsecured spaces

1. Provide encryption process in place to protect AUSTEO (Australian Eyes Only) and AGAO (Australian Government Access Only) data when communicated across the network infrastructure
2. Provide evidence that an ASD Approved Cryptographic Protocol (AACP) is used to protect AUSTEO and AGAO data when communicated across the network infrastructure, in addition to any encryption already in place
1. Provide evidence that only ASD Approved Cryptographic Algorithms
(AACA) or high assurance cryptographic algorithms are used by
cryptographic equipment and software

1. Provide evidence that Elliptic-curve Diffie–Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) are used where possible in preference to Diffie Hellman (DH) and Digital Signature Algorithm (DSA)

1. Provide documentation on usage of Diffie Hellman (DH) for agreeing on encryption session keys
2. Provide evidence of using:
• a modulus of at least 2048 bits when using DH for agreeing on encryption session keys
• a modulus and associated parameters selected according to NIST SP 800-56A Rev. 3, when using DH for agreeing on encryption session keys

1. Provide documentation on usage of Digital Signature Algorithm (DSA) for digital signatures
2. Provide evidence of using:
• a modulus of at least 2048 bits when using DSA for digital signatures
• a modulus and associated parameters generated according to FIPS 186-4, when using DSA for digital signatures

1. Provide documentation for using elliptic curve cryptography
2. Provide evidence of using a curve from FIPS 186-4, when using elliptic curve cryptography

1. Provide evidence that a base point order and key size of at least 224 bits is
used, when using Elliptic-curve Diffie–Hellman (ECDH) key agreement
protocol for agreeing on encryption session keys

1. Provide evidence that a base point order and key size of at least 224 bits is
used, when using Elliptic Curve Digital Signature Algorithm (ECDSA) for
digital signatures

1. Provide documentation for using RSA for digital signatures and session
keys
2. Provide evidence that:
• a modulus of at least 2048 bits is used, when using RSA for digital
signatures, and passing encryption session keys or similar keys
• a key pair for passing encrypted session keys that is different from the key
pair used for digital signatures is used, when using RSA for digital signatures,
and passing encryption session keys or similar keys
1. Provide evidence of documentation/ communication that prohibits usage of
symmetric cryptographic algorithms in Electronic Codebook Mode
2. Provide evidence that symmetric cryptographic algorithms are not used in
Electronic Codebook Mode
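Added example (not part of the CCF or its narratives): why the framework prohibits Electronic Codebook mode. A small 16-byte-block Feistel cipher built from HMAC-SHA256 stands in for a real block cipher so the script runs with the Python standard library only; it is a teaching stand-in, not a cipher to use for real data. The key, nonce and repeated-record plaintext are constructed for the demonstration. It shows the leak an auditor is looking for: under ECB, four identical plaintext blocks produce four identical ciphertext blocks; under CTR (one of the modes that uses a nonce and counter) they do not.

```python
# Added example (not from the CCF): demonstrates why ECB mode is prohibited.
# A 16-byte-block Feistel cipher built from HMAC-SHA256 stands in for a real
# block cipher so this runs with the standard library only; it is a teaching
# stand-in, not a cipher to use for real data.
import hashlib
import hmac

BLOCK = 16
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: keyed PRF of (round number, right half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks and structure leaks to anyone who can see
    the ciphertext."""
    assert len(plaintext) % BLOCK == 0, "ECB needs whole blocks (no padding here)"
    return b"".join(encrypt_block(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(decrypt_block(key, b) for b in _blocks(ciphertext))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: the block cipher encrypts nonce||counter to make a keystream, so
    equal plaintext blocks no longer give equal ciphertext blocks. The same
    call decrypts. A nonce must never be reused under one key."""
    assert len(nonce) == HALF
    out = bytearray()
    for counter, chunk in enumerate(_blocks(data)):
        keystream = encrypt_block(key, nonce + counter.to_bytes(HALF, "big"))
        out += _xor(chunk, keystream)
    return bytes(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample input: a 16-byte record repeated four times, the kind of
# pattern (fixed headers, padding, repeated fields) that ECB exposes.
KEY = b"constructed-demo-key-not-secret!"
NONCE = b"\x00" * 8
PLAINTEXT = b"ATTACK AT DAWN!!" * 4


def demo() -> dict:
    ecb = ecb_encrypt(KEY, PLAINTEXT)
    ctr = ctr_crypt(KEY, NONCE, PLAINTEXT)
    return {
        "ecb_repeats": repeated_blocks(ecb),
        "ctr_repeats": repeated_blocks(ctr),
        "ecb_roundtrip": ecb_decrypt(KEY, ecb) == PLAINTEXT,
        "ctr_roundtrip": ctr_crypt(KEY, NONCE, ctr) == PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

When reviewing the artefact for this control, the useful evidence is the mode string in the configuration or code (for example a cipher configured as AES/ECB rather than AES/GCM), not a statement that "AES is used"; the block size and key length are the same in both cases, which is exactly why ECB is easy to miss.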

1. Verify that 3DES is used with three distinct keys

1. Provide documentation showing that the AACAs used by HACE are implemented in an ASD approved configuration, with preference given to CNSA Suite algorithms and key sizes.
2. Provide evidence that ASD approved cryptographic algorithms (AACAs) are used in an evaluated implementation

1. Verify that Commercial National Security Algorithm (CNSA) Suite algorithms and key sizes are preferred

1. Provide evidence that only ASD Approved Cryptographic Protocols (AACPs) or high assurance cryptographic protocols are used by cryptographic equipment and software

1. Provide documentation and guidelines in place for using Transport Layer Security in communication systems
2. Provide evidence that communication systems are following the below requirements:
• The latest version of TLS is used
• AES in Galois Counter Mode is used for symmetric encryption
• Only server-initiated secure renegotiation is used
• DH or ECDH is used for key establishment
• The ephemeral variant is used and anonymous DH is not used
• SHA-2-based certificates are used
• Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function
• PFS is used for TLS connections
• TLS compression is disabled
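Added example (not part of the CCF or its narratives): a check that turns the TLS requirements above into something an auditor can run over a scanner's output, plus a server ssl.SSLContext built with the Python standard library that meets the same list as far as the stdlib exposes it. The cipher-name rules, the config keys ('min_version', 'compression', 'ciphers') and the LEGACY_SCAN sample are assumptions made for this example; renegotiation behaviour is not configurable through the ssl module, and TLS 1.3 has no renegotiation at all.

```python
# Added example (not from the CCF): TLS cipher-suite/config policy check and a
# hardened stdlib SSLContext. Rules and sample scan data are assumptions.
import re
import ssl
from typing import Dict, List

SHA2 = re.compile(r"SHA(256|384|512)$")


def evaluate_cipher(name: str) -> List[str]:
    """Policy violations for one suite given by its OpenSSL name
    (e.g. ECDHE-RSA-AES256-GCM-SHA384) or TLS 1.3 IANA name
    (e.g. TLS_AES_256_GCM_SHA384). Empty list means compliant."""
    n = name.upper()
    findings: List[str] = []
    if n.startswith("TLS_"):
        # TLS 1.3 suites always use ephemeral (EC)DHE and a SHA-2 based HKDF,
        # so only the symmetric algorithm can disqualify them.
        if not ("AES" in n and "GCM" in n):
            findings.append("symmetric cipher is not AES-GCM")
        return findings
    if n.startswith(("ADH-", "AECDH-")) or "ANON" in n:
        findings.append("anonymous key exchange (no authentication)")
    elif not n.startswith(("ECDHE-", "DHE-", "EDH-")):
        findings.append("key exchange is not ephemeral (EC)DH, so no PFS")
    if not ("AES" in n and "GCM" in n):
        findings.append("symmetric cipher is not AES-GCM")
    if not SHA2.search(n):
        findings.append("MAC/PRF is not SHA-2")
    return findings


def evaluate_tls_config(config: Dict) -> Dict[str, List[str]]:
    """config keys (assumed scanner output): 'min_version' such as 'TLSv1.2',
    'compression' (bool), 'ciphers' (list of suite names)."""
    report: Dict[str, List[str]] = {}
    if config.get("min_version") not in ("TLSv1.2", "TLSv1.3"):
        report["protocol"] = [f"minimum version {config.get('min_version')} is below TLS 1.2"]
    if config.get("compression", False):
        report["compression"] = ["TLS compression is enabled"]
    for cipher in config.get("ciphers", []):
        problems = evaluate_cipher(cipher)
        if problems:
            report[cipher] = problems
    return report


def hardened_context() -> ssl.SSLContext:
    """Server context: TLS 1.2 minimum, compression off, and for TLS 1.2 only
    ephemeral key exchange with AES-GCM (TLS 1.3 suites are fixed by OpenSSL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The two settings of the context that a screenshot would be asked for."""
    return {
        "min_version": ctx.minimum_version.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


# Constructed sample of what a scanner reported for a legacy host.
LEGACY_SCAN = {
    "min_version": "TLSv1.0",
    "compression": True,
    "ciphers": [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-SHA384",
        "AES128-SHA",
        "ADH-AES256-GCM-SHA384",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
    ],
}

if __name__ == "__main__":
    for item, problems in evaluate_tls_config(LEGACY_SCAN).items():
        print(item, "->", "; ".join(problems))
    print(context_summary(hardened_context()))
```

Note that "SHA-2-based certificates" is a separate check on the certificate chain's signature algorithm and is not covered by cipher-suite names; a CBC suite such as ECDHE-RSA-AES256-SHA384 passes the SHA-2 and PFS tests and is still rejected because the symmetric mode is not GCM.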
1. Provide evidence that the use of SSH version 1 is disabled
2. Provide evidence that public key-based authentication is used for SSH
connections
3. Provide evidence that when SSH-agent or other similar key caching
programs are used, it is only on workstations and servers with screen locks,
key caches are set to expire within four hours of inactivity, and agent
credential forwarding is enabled only when SSH traversal is required

1. Where applicable, provide evidence of the following configuration settings for the SSH daemon:
• only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
• have a suitable login banner (Banner x)
• have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)
• disable host-based authentication (HostbasedAuthentication no)
• disable rhosts-based authentication (IgnoreRhosts yes)
• disable the ability to login directly as root (PermitRootLogin no)
• disable empty passwords (PermitEmptyPasswords no)
• disable connection forwarding (AllowTcpForwarding no)
• disable gateway ports (GatewayPorts no)
• disable X11 forwarding (X11Forwarding no).
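Added example (not part of the CCF or its narratives): an audit of an sshd_config text against the directive list above. It grades the effective value rather than the literal line, which is where a screenshot-based review usually goes wrong: OpenSSH applies its own default when a directive is absent (AllowTcpForwarding defaults to yes, LoginGraceTime to 2m, PermitRootLogin to prohibit-password), keeps the first occurrence when a directive is repeated, and applies anything under a Match line only conditionally. The two configuration texts are constructed; the ListenAddress rule (any wildcard address fails) is an assumption made for this example.

```python
# Added example (not from the CCF): audit sshd_config against the listed
# directives using effective values. Sample configs are constructed.
import re
from typing import Dict, List

# OpenSSH defaults for the checked directives (used when a line is absent).
DEFAULTS: Dict[str, str] = {
    "logingracetime": "2m",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "x11forwarding": "no",
}

# Directive -> value required by the audit list.
REQUIRED_VALUE: Dict[str, str] = {
    "HostbasedAuthentication": "no",
    "IgnoreRhosts": "yes",
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "AllowTcpForwarding": "no",
    "GatewayPorts": "no",
    "X11Forwarding": "no",
}

WILDCARD_ADDRS = {"0.0.0.0", "::", "*", "[::]"}
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Lower-cased keyword -> values in file order, global section only.
    sshd keywords are case-insensitive and 'Keyword value' or 'Keyword=value'."""
    seen: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after the first Match line is conditional
        seen.setdefault(key, []).append(value)
    return seen


def _seconds(value: str):
    """Parse a single-unit sshd time value such as '60', '2m' or '1h'."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    return int(m.group(1)) * TIME_UNITS[m.group(2)] if m else None


def audit_sshd_config(text: str) -> Dict[str, str]:
    """Directive name -> finding for each requirement that is not met."""
    cfg = parse_sshd_config(text)

    def effective(name: str) -> str:
        key = name.lower()
        return cfg[key][0] if key in cfg else DEFAULTS.get(key, "")  # first wins

    findings: Dict[str, str] = {}
    addrs = cfg.get("listenaddress", [])
    if not addrs or any(re.sub(r":\d+$", "", a) in WILDCARD_ADDRS for a in addrs):
        findings["ListenAddress"] = "must list only the required interfaces"
    if effective("Banner") in ("", "none"):
        findings["Banner"] = "no login banner configured"
    grace = _seconds(effective("LoginGraceTime"))
    if grace is None or grace > 60:
        findings["LoginGraceTime"] = f"effective '{effective('LoginGraceTime')}' exceeds 60 seconds"
    for name, want in REQUIRED_VALUE.items():
        got = effective(name).lower()
        if got != want:
            findings[name] = f"effective '{got}', required '{want}'"
    return findings


# Constructed sample that looks hardened at a glance: LoginGraceTime is 120 s,
# the second PermitRootLogin line is ignored (first value wins), AllowTcpForwarding
# only appears under Match (so the global default 'yes' applies), X11 is on.
SAMPLE_CONFIG = """\
Port 22
ListenAddress 10.0.0.5
Banner /etc/issue.net
LoginGraceTime 2m
PermitRootLogin no
PermitRootLogin yes
X11Forwarding yes
Match User backup
    AllowTcpForwarding no
"""

HARDENED_CONFIG = """\
ListenAddress 10.0.0.5
Banner /etc/issue.net
LoginGraceTime 60
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
"""

if __name__ == "__main__":
    for directive, finding in audit_sshd_config(SAMPLE_CONFIG).items():
        print(f"FAIL {directive}: {finding}")
```

On a live host the authoritative input is `sshd -T` (the effective configuration after defaults, Include files and Match evaluation) rather than the file itself; feeding that output to parse_sshd_config gives the same result with the parsing shortcuts above no longer mattering.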

1. Provide snapshots/evidence depicting that versions of Secure/Multipurpose Internet Mail Extension (S/MIME) earlier than 3.0 are not used
1. Provide requirements documented for IPsec configuration and usage
2. Validate that IPsec configuration and usage abide by these requirements:
• Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used
• PFS is used for all IPsec connections
• The ESP protocol is used for IPsec connections
• IKE is used for key exchange when establishing an IPsec connection
• If using ISAKMP in IKE version 1, aggressive mode is disabled
• A security association lifetime of less than four hours, or 14400 seconds, is used
• HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as the HMAC algorithm
• The largest modulus size possible for all relevant components in the network is used when conducting a key exchange
• The use of XAuth is disabled for IPsec connections using IKE version 1

1. Provide evidence of all communications security and equipment-specific doctrine produced by the Australian Cyber Security Centre (ACSC) for the management and use of High Assurance Cryptographic Equipment (HACE)
1. Provide security requirements set forth for the room where cryptographic
equipment is stored and verify if it is done based on the classification of data
that the cryptographic equipment processes
2. Provide classification or sensitivity of the data that the cryptographic
equipment processes

1. Provide snapshot/evidence that depicts areas in which High Assurance Cryptographic Equipment (HACE) is used are designated as a cryptographic controlled area

1. Provide the list of allowed content types
2. Provide evidence of integrity check (where applicable)
3. Provide sample logs/alerts for blocking content if integrity verification fails
4. Provide evidence of validation performed on signature before the data is exported (if data is signed)

1. Provide evidence of requirements in place for content filtering
2. Verify that all encrypted content, traffic and data is decrypted and inspected to allow content filtering

1. Provide evidence such as evaluation reports and approvals obtained for using peripheral switch when sharing peripherals between systems
1. Provide evidence such as evaluation reports and approvals for using, an
evaluated peripheral switch used for sharing peripherals between SECRET or
TOP SECRET systems and any non-SECRET or TOP SECRET systems.

1. Provide evidence such as evaluation reports and approvals obtained for using an evaluated peripheral switch used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains.

1. Provide evidence such as evaluation reports and approvals obtained for using peripheral switch when sharing peripherals between official or classified systems at the same classification, that belong to different security domains

1. Provide evidence such as evaluation reports and approvals obtained for using peripheral switch when accessing a system containing data and a system of the same classification that is not authorized to process the same caveat

1. Provide the requirements documented/communicated for exporting data
2. Provide evidence that the following activities are done when exporting data from a SECRET or TOP SECRET system:
• data format checks and logging
• monitoring to detect overuse/unusual usage patterns
• limitations on data types and sizes
• keyword searches on all textual data.

1. Provide the documented process and supporting procedures developed and implemented to manage exporting data
1. Provide the documented process and supporting procedures developed
and implemented to manage exporting data
2. Provide evidence of keyword searches being undertaken on all textual
data
3. Provide evidence that any identified data is quarantined until reviewed and
approved for release by a trusted source other than the originator
1. Provide sample data transfer logs recorded for all data imports and
exports from systems
2. Provide evidence that transfer logs are fully and partially audited at least
monthly

1. Provide policies and procedures in place for backup and restoration
2. Provide reports/evidence that partial restoration of backups is tested at least on a quarterly basis
3. Provide reports/evidence that full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur

1. Provide policies and procedures in place for backup and restoration
2. Provide evidence that backups are stored offline, or online but in a non-rewritable and non-erasable manner
3. Provide evidence that backups are stored at multiple geographically-dispersed locations

1. Provide evidence of policies governing time period for retaining event logs
2. Provide configuration setting snapshot depicting time-period set for retaining event logs

1. Provide evidence of policies governing time period for retaining DNS and proxy logs
2. Provide configuration setting snapshot depicting time-period set for retaining DNS and proxy logs

1. Provide relevant log management policy documentation
2. Provide evidence of periodic log management policy review
3. Provide evidence of log management policy communication to relevant personnel
4. Provide evidence of revision histories maintained for log management policy

1. Policy and procedure document(s) corresponding to vulnerability management.
2. Validate scans are performed at least biweekly to identify missing patches/updates for applications.
3. Tracker of vulnerabilities identified in the last scan
1. Policy and procedure document(s) corresponding to vulnerability management.
2. Validate scans are performed at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, drivers, firmware, operating systems of workstations, servers and network devices, and security products.
3. Tracker of vulnerabilities identified in the last scan

1. Provide policy and procedure document(s) corresponding to intrusion remediation activities.
2. Provide evidence intrusion remediation activities are conducted in a coordinated manner during the same planned outage

1. Validate the media management and removable media usage policy documentation covers a restriction on unauthorized removable media and devices connecting to workstations and servers.
2. Validate that removable media and devices are prevented from being connected to workstations and servers via the use of device access control software or by disabling external communication interfaces in operating systems.

1. Provide documented policies and procedures in place corresponding to media disposal highlighting that the resulting media waste particles from the destruction of TOP SECRET media is stored and handled as:
• OFFICIAL if less than or equal to 3 mm
• SECRET if greater than 3 mm and less than or equal to 9 mm

1. Provide evidence showing Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.
1. Validate organization has monitoring procedures in place that monitor
workstations for Internet-facing services, office productivity suites, web
browsers and their extensions, email clients, PDF software, Adobe Flash
Player, and security products that are no longer supported by vendors.
2. Validate any inappropriate Internet-facing services, office productivity
suites, web browsers and their extensions, email clients, PDF software,
Adobe Flash Player, and security products that are no longer supported by
vendors are immediately removed via automated process.

1. Provide documented policies and procedures in place corresponding to planning and coordination of intrusion remediation activities.
2. Provide evidence that previous planning and coordination of intrusion remediation activities was conducted on a separate system to that which had been compromised.

1. Provide evidence showing FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD Approved Cryptographic Protocol.
1. Provide documented policies and procedures in place corresponding to
media disposal highlighting that the resulting media waste particles from the
destruction of SECRET media is stored and handled as:
• OFFICIAL if less than or equal to 3 mm
• PROTECTED if greater than 3 mm and less than or equal to 6 mm
• SECRET if greater than 6 mm and less than or equal to 9 mm

1. Provide a snapshot of the configuration for PDF viewers.

1. Provide vulnerability assessment and patch management policy
2. Provide last VA scan reports
3. Provide audit log tracker for patches, updates, and vendor mitigations applied for internet-facing services, office productivity suites, web browsers, extensions, email clients, PDF software, operating systems of workstations and internet facing services, and security products
4. Provide sample change tickets for last patching performed based on review.
5. Provide VA/PT tracker capturing records, history and status of all vulnerabilities identified.
6. Provide sample vulnerability treatment ticket for:
• Vulnerabilities identified for internet-facing services, office productivity suites, web browsers, extensions, email clients, PDF software, operating systems of workstations and internet facing services, and security products in last VA scan to show if the patch was applied within two weeks.
• Vulnerabilities identified with an existing exploit in last VA scan to show if it was patched, updated, or mitigated within 48 hours.
• Vulnerabilities identified for all other applications in last VA scan to show if the patch was applied within one month.

1. Mobile and portable device management policy
2. Sample evidence (screenshot) of mobile device management solution installed on the mobile device
3. Validate mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned.

1. Provide documented policies and procedures in place corresponding to Microsoft's 'recommended driver block rules'
2. Provide configuration snapshots showing Microsoft's 'recommended driver block rules' are in place

1. Provide the application hardening process.
2. Provide the configurations of the Microsoft Office products installed on the workstations.
3. Provide evidence of review and validation of Microsoft Office's list of trusted publishers on an annual or more frequent basis.
1. Provide the application hardening process.
2. Provide the configurations of the Microsoft office products installed on the
workstations.

1. Provide the application hardening process.
2. Provide the configurations of the Microsoft Office products installed on the workstations.

1. Provide log management procedure
2. Provide evidence of event logs being maintained for Microsoft Office macros
3. Provide evidence of event logs being retained for review
4. Provide evidence that macro event logs are replicated and stored on a centralized server.
5. Provide evidence that appropriate mechanisms are implemented for protecting integrity of logs and to prevent/detect logs modified/tampered at the storage location.

1. Policy and procedure document(s) corresponding to vulnerability management.
2. Provide the configurations of the Microsoft Office products installed on the workstations.

1. Provide the application hardening process.
2. Provide the configurations of the Microsoft Office products installed on the workstations.

1. Provide configuration evidence that Internet Explorer 11 is disabled or removed across the organization using group policy.
1. Provide the teleworking / trusted device policy or code of conduct and confirm that the following condition is included in the policy:
• If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.

1. Provide the organization-approved set of executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets, and drivers permitted to execute.
2. Provide artefacts showing application control is configured to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, drivers, and control panel applets to that organization-approved set.
1. Provide documented policies and procedures in place highlighting that
electrostatic memory devices are destroyed using either furnace/incinerator,
hammer mill, disintegrator or grinder/sander.

1. Provide evidence of PowerShell configuration.
2. Provide PowerShell script block logs.
3. Provide evidence of event logs being retained for review
4. Provide evidence that event logs are replicated and stored on a centralized server with restricted access.
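Added example (not part of the CCF or its narratives): what a reviewer can do with the script block logs this control asks for. PowerShell writes script block logging to the Microsoft-Windows-PowerShell/Operational log as event ID 4104 and splits long scripts across several events that share a ScriptBlockId (MessageNumber of MessageTotal), so a rule that inspects one event at a time can be evaded by a script that happens to be split at the wrong place. The code reassembles the fragments, reports blocks whose fragments never all arrived, and then matches the complete text against a watch-list. The exported event XML and the indicator patterns are constructed for this example; the field names are the ones the 4104 event carries.

```python
# Added example (not from the CCF): reassemble PowerShell 4104 script block
# fragments and flag the complete text. Sample XML and indicators are constructed.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Patterns worth a second look (assumed watch-list, not from the framework).
INDICATORS = [
    r"FromBase64String",
    r"Invoke-Expression|\bIEX\b",
    r"DownloadString|DownloadFile",
    r"-EncodedCommand|\s-e(nc|c)?\s",
    r"ExecutionPolicy\s+Bypass",
]


def parse_4104(xml_text: str) -> List[dict]:
    """Extract the 4104 events from an exported <Events> document."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "block_id": data["ScriptBlockId"],
            "num": int(data["MessageNumber"]),
            "total": int(data["MessageTotal"]),
            "text": data["ScriptBlockText"],
            "path": data.get("Path", ""),
        })
    return events


def reassemble(events: List[dict]) -> Tuple[Dict[str, str], List[str]]:
    """Join fragments per ScriptBlockId in MessageNumber order. Returns
    (complete blocks, ids with fragments still missing)."""
    parts: Dict[str, Dict[int, str]] = defaultdict(dict)
    totals: Dict[str, int] = {}
    for e in events:
        parts[e["block_id"]][e["num"]] = e["text"]
        totals[e["block_id"]] = e["total"]
    complete, incomplete = {}, []
    for bid, frags in parts.items():
        if set(frags) == set(range(1, totals[bid] + 1)):
            complete[bid] = "".join(frags[i] for i in range(1, totals[bid] + 1))
        else:
            incomplete.append(bid)
    return complete, incomplete


def flag_blocks(complete: Dict[str, str]) -> Dict[str, List[str]]:
    """ScriptBlockId -> indicator patterns matched in the reassembled text."""
    hits = {}
    for bid, text in complete.items():
        matched = [p for p in INDICATORS if re.search(p, text, re.IGNORECASE)]
        if matched:
            hits[bid] = matched
    return hits


# Constructed export: one benign block, one two-part block whose fragments
# arrive out of order, and one block with only 1 of 3 fragments present.
SAMPLE_EVENTS = """\
<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>4104</EventID><Computer>WS01</Computer></System>
    <EventData>
      <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
      <Data Name="ScriptBlockText">Get-Process | Sort-Object CPU -Descending | Select-Object -First 5</Data>
      <Data Name="ScriptBlockId">aaaa-0001</Data><Data Name="Path"></Data>
    </EventData></Event>
  <Event><System><EventID>4104</EventID><Computer>WS01</Computer></System>
    <EventData>
      <Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
      <Data Name="ScriptBlockText">Invoke-Expression $p</Data>
      <Data Name="ScriptBlockId">bbbb-0002</Data><Data Name="Path"></Data>
    </EventData></Event>
  <Event><System><EventID>4104</EventID><Computer>WS01</Computer></System>
    <EventData>
      <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
      <Data Name="ScriptBlockText">$p = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:ENC)); </Data>
      <Data Name="ScriptBlockId">bbbb-0002</Data><Data Name="Path"></Data>
    </EventData></Event>
  <Event><System><EventID>4104</EventID><Computer>WS01</Computer></System>
    <EventData>
      <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">3</Data>
      <Data Name="ScriptBlockText">function Invoke-Stage {</Data>
      <Data Name="ScriptBlockId">cccc-0003</Data><Data Name="Path">C:\\Temp\\stage.ps1</Data>
    </EventData></Event>
</Events>
"""

if __name__ == "__main__":
    complete, incomplete = reassemble(parse_4104(SAMPLE_EVENTS))
    print("flagged:", flag_blocks(complete), "incomplete:", incomplete)
```

The incomplete list is itself evidence for item 4 of this control: fragments missing from the central store point at log loss or tampering between the endpoint and the collector, which is exactly what the restricted-access, centralized copy is meant to prevent.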

1. Provide log management procedure
2. Provide evidence of logs being maintained for allowed and blocked Microsoft Office macro executions
3. Provide evidence of event logs being retained for review

1. Provide documented policies/procedures in place for transfer of data
2. Provide evidence of approvals obtained from authorized sources, prior to allowing the transfer of data from SECRET or TOP SECRET systems
3. Provide list of approvers authorized to allow data transfer from SECRET or TOP SECRET systems
4. Obtain evidence of review performed on the list of authorized approvers

1. Policy and procedure document(s) corresponding to vulnerability management.
2. Validate scans are performed daily and in real time to identify missing patches/updates for internet-facing services and operating systems of internet-facing services.
3. Tracker of vulnerabilities identified in the last scan

1. Provide a list of software products made available to consumers
2. Provide a software bill of materials for each software product
1. Provide a list of all internet-facing organizational domains.

1. Provide evidence via group policy configuration details that .NET Framework 3.5 is disabled or removed.
Applicable Framework
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

PCI

EU Code of Conduct

ISO 27017 Provider & Customer,


BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct,
IRAP
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
IRAP

Spanish ENS Medium & High

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
ISO 22301
BSI C5,
BSI C5,
Fedramp Tailored,
ISMAP,
Saudi CCC

ISO 22301
BSI C5,
Fedramp Tailored,
Saudi CCC
Fedramp Tailored,
Spanish ENS High,
Saudi CCC

Saudi CCC

Spanish ENS Basic, Medium, & High

BSI C5

ISMAP
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
BSI C5,
Spanish ENS Medium, & High,
ISMAP,
Saudi CCC,
IRAP

Fedramp Tailored,
Spanish ENS High,
ISMAP,
PCI,
Saudi CCC,
IRAP

IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
ISO 27017 Provider,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct,
IRAP
PCI

Saudi CCC

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
ISO 27017 Customer,
BSI C5,
Spanish ENS Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Medium, & High,
ISMAP,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Medium, & High,
ISMAP,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

PCI
ISMAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

ISO 27017 Provider


BSI C5,
ISMAP,
IRAP
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

BSI C5,
Fedramp Tailored,
ISMAP,
PCI,
Saudi CCC,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
Fedramp Tailored,
PCI,
Saudi CCC,
IRAP

PCI
PCI

Saudi CCC

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Customer,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

ISO 27017 Provider,


BSI C5,
ISMAP,
Saudi CCC,
IRAP

ISO 27017 Provider,


BSI C5,
ISMAP,
Saudi CCC,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

PCI

PCI

PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
ISMAP,
PCI,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct
BSI C5

ISO 27018,
Spanish ENS Medium, & High,
PCI

ISMAP

PCI

ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
ISO 27017 Provider & Customer,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
ISO 27701 Processor & Controller,
ISO 27017 Provider,
ISO 27018,
BSI C5,
ISMAP,
Saudi CCC,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC

PCI

PCI

PCI

PCI

PCI
PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

Spanish ENS High

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

ISMAP

PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
ISO 27017 Provider & Customer,
ISO 27018,
BSI C5,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct

ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
IRAP
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct,
IRAP

ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct

Fedramp Tailored,
ISMAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
Saudi CCC

ISO 27017 Customer,


BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
IRAP

ISO 27017 Provider,


BSI C5,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP
ISO 27017 Provider,
BSI C5,
ISMAP,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI

BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

PCI

EU Code of Conduct
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

Fedramp Tailored,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Spanish ENS Basic, Medium, & High

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

Fedramp Tailored,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Medium, & High,
ISMAP,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS High,
ISMAP,
PCI,
Saudi CCC,
IRAP
ISO 27018,
BSI C5,
ISMAP,
PCI,
Saudi CCC,
IRAP

PCI

PCI

Saudi CCC

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider,
ISO 27018,
BSI C5,
ISMAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

BSI C5,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

ISO 27701 Processor & Controller,


ISO 27017 Provider,
ISO 27018,
BSI C5,
ISMAP,
EU Code of Conduct
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP
Fedramp Tailored,
Spanish ENS High,
Saudi CCC

Fedramp Tailored,
Spanish ENS Medium, & High,
PCI,
Saudi CCC,
IRAP

Fedramp Tailored

Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
Saudi CCC,
IRAP

Fedramp Tailored
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
IRAP

Fedramp Tailored

Spanish ENS Basic, Medium, & High,


ISMAP,
IRAP

Spanish ENS Basic, Medium, & High,


ISMAP
PCI

Saudi CCC

ISMAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

BSI C5,
Fedramp Tailored,
ISMAP,
PCI,
Saudi CCC,
IRAP

BSI C5,
Saudi CCC,
IRAP

Fedramp Tailored,
IRAP

Fedramp Tailored,
ISMAP,
Saudi CCC,
EU Code of Conduct

Fedramp Tailored,
ISMAP,
PCI,
Saudi CCC,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
ISO 27017 Provider & Customer,
BSI C5,
Fedramp Tailored,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

BSI C5,
ISMAP,
Saudi CCC

BSI C5,
ISMAP,
Saudi CCC,
IRAP

PCI
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
Spanish ENS High

PCI

PCI

PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC

BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP

Fedramp Tailored,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

Fedramp Tailored,
Spanish ENS High,
ISMAP,
PCI,
Saudi CCC,
IRAP

Fedramp Tailored,
PCI,
Saudi CCC

Spanish ENS High


PCI

PCI

ISO 27017 Provider & Customer,


BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

Spanish ENS Basic, Medium, & High,


ISMAP,
Saudi CCC

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 27018,
Spanish ENS Basic, Medium, & High,
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 27018,
Spanish ENS Basic, Medium, & High,
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
ISMAP,
EU Code of Conduct,
IRAP

SOC 2 Privacy,
ISO 27701 Controller,
ISO 27018,
ISMAP,
EU Code of Conduct
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
ISMAP,
Saudi CCC,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
EU Code of Conduct

ISO 27701 Processor & Controller,


ISO 27018,
ISMAP,
EU Code of Conduct
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
ISMAP,
EU Code of Conduct

SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
Spanish ENS Basic, Medium, & High,
ISMAP

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
EU Code of Conduct

ISO 27701 Controller,


ISO 27701 Processor,
ISO 27018,
SOC 2 Privacy
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
Spanish ENS Basic, Medium, & High,
Saudi CCC,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
Saudi CCC,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
EU Code of Conduct
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
EU Code of Conduct

SOC 2 Privacy,
ISO 27001

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
EU Code of Conduct
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor,
ISO 27018,
BSI C5,
EU Code of Conduct

SOC 2 Privacy

ISO 27701 Processor & Controller,


ISO 27018,
EU Code of Conduct

ISO 27701 Processor & Controller,


ISO 27018,
EU Code of Conduct,
IRAP
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
Spanish ENS Medium, & High,
PCI,
Saudi CCC,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor,
ISO 27018

ISO 27701 Processor & Controller,


ISO 27018,
EU Code of Conduct
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 27018,
Spanish ENS Basic, Medium, & High,
ISMAP,
EU Code of Conduct

ISO 27701 Processor & Controller,


ISO 27018,

SOC 2 Privacy,
ISO 27701 Processor & Controller

ISO 27701 Processor & Controller,


ISO 27018,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
ISMAP,
EU Code of Conduct
ISO 27701 Processor & Controller,
ISO 27018,
EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
ISMAP,
EU Code of Conduct,
IRAP

ISO 27701 Processor & Controller,


ISO 27018,
BSI C5,
Saudi CCC
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5

ISO 27701 Processor & Controller,


EU Code of Conduct

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
Fedramp Tailored,
Fedramp Tailored,
Spanish ENS Medium, & High,
ISMAP,
PCI,
Saudi CCC,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
Saudi CCC
ISO 27017 Customer,
ISO 27018,
BSI C5,
ISMAP,
IRAP

ISO 27017 Provider,


ISO 27018,
BSI C5,
ISMAP

ISMAP
PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

BSI C5,
Spanish ENS High,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
Saudi CCC

Saudi CCC

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27018,
Fedramp Tailored,
EU Code of Conduct
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Medium, & High,
ISMAP,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Medium, & High,
ISMAP,
EU Code of Conduct,
IRAP
Fedramp Tailored

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Spanish ENS Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Spanish ENS Basic, Medium, & High,
ISMAP,
Saudi CCC,
EU Code of Conduct

ISMAP

PCI

PCI

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

PCI

PCI

Saudi CCC

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27017 Provider & Customer,
ISO 27018,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct
ISO 27017 Provider,
BSI C5,
ISMAP,
Saudi CCC,
IRAP

SOC 2 Privacy,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

ISO 27017 Provider & Customer,


ISO 27018,
BSI C5,
Spanish ENS Medium, & High,
SOC 2 (A/C/S),
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

SOC 2 Privacy,
ISO 22301
ISO 27018,
BSI C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
ISMAP,
PCI,
Saudi CCC,
EU Code of Conduct,
IRAP

ISO 27017 Customer,


BSI C5,
ISMAP

ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
Saudi CCC
BSI C5,
ISMAP,
Saudi CCC,
IRAP

BSI C5,
Saudi CCC,
EU Code of Conduct

SOC 2 Privacy,
ISO 27018,
Fedramp Tailored,
ISMAP,
PCI

Fedramp Tailored
ISMAP

Saudi CCC

PCI

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP
IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP
IRAP

IRAP
IRAP

IRAP

IRAP
IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP

IRAP
