AAT-01 - Artificial Intelligence (AI) & Autonomous Technologies Governance
Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.
AAT-01.1 - AI & Autonomous Technologies-Related Legal Requirements Definition
Mechanisms exist to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AST-01 - Asset Governance
Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.
AST-01.1 - Asset-Service Dependencies
Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function.
AST-01.2 - Stakeholder Identification & Involvement
Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets.
AST-02 - Asset Inventories
Mechanisms exist to inventory system components that: (1) Accurately reflects the current system; (2) Is at the level of granularity deemed necessary for tracking and reporting; (3) Includes organization-defined information deemed necessary to achieve effective property accountability; and (4) Is available for review and audit by designated organizational officials.
AST-02.1 - Updates During Installations / Removals
Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.
AST-01.3 - Standardized Naming Convention
Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
AST-01.4 - Approved Technologies
Mechanisms exist to maintain a current list of approved technologies (hardware and software).
AST-02.11 - Component Assignment
Mechanisms exist to bind components to a specific system.
AST-02.7 - Software Licensing Restrictions
Mechanisms exist to ensure compliance with software licensing restrictions.
AST-03 - Assigning Ownership of Assets
Mechanisms exist to assign asset ownership responsibilities to a department, team or individual that establishes a common understanding of requirements to protect assets.
AST-04 - Network Diagrams & Data Flow Diagrams (DFDs)
Mechanisms exist to maintain network architecture diagrams that: (1) Contain sufficient detail to assess the security of the network's architecture; (2) Reflect the current state of the network environment; and (3) Document all sensitive data flows.
AST-05 - Security of Assets & Media
Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive media.
AST-09 - Secure Disposal, Destruction or Re-Use of Equipment
Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.
AST-10 - Return of Assets
Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.
AST-28 - Database Administrative Processes
Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases.
AST-28.1 - Database Management System (DBMS)
Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable.
BCD-01 - Business Continuity Management System (BCMS)
Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.
BCD-01.3 - Transfer to Alternate Processing / Storage Site
Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan.
BCD-02.2 - Continue Essential Mission & Business Functions
Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.
BCD-04 - Contingency Plan Testing & Exercises
Mechanisms exist to conduct tests and/or exercises to determine the contingency plan's effectiveness and the organization’s readiness to execute the plan.
BCD-04.1 - Coordinated Testing with Related Plans
Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans.
BCD-06 - Contingency Planning & Updates
Mechanisms exist to keep contingency plans current with business needs and technology changes.
BCD-10.2 - Separation of Primary / Alternate Providers
Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
BCD-11 - Data Backups
Mechanisms exist to create recurring backups of data, software and system images to ensure the availability of the data.
AST-31 - Asset Categorization
Mechanisms exist to categorize technology assets.
BCD-01.6 - Recovery Operations Communications
Mechanisms exist to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.
CFG-01 - Configuration Management Program
Mechanisms exist to facilitate the implementation of configuration management controls.
CFG-02 - System Hardening Through Baseline Configurations
Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.
CFG-02.1 - Reviews & Updates
Mechanisms exist to review and update baseline configurations: (1) At least annually; (2) When required due to so; or (3) As part of system component installations and upgrades.
CFG-02.8 - Respond To Unauthorized Changes
Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.
CFG-03 - Least Functionality
Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.
CFG-03.1 - Periodic Review
Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.
CAP-04 - Performance Monitoring
Automated mechanisms exist to centrally-monitor and alert on the operating state and health status of critical systems, applications and services.
CAP-05 - Elastic Expansion
Mechanisms exist to automatically scale the resources available for services, as demand conditions change.
CAP-06 - Regional Delivery
Mechanisms exist to support operations that are geographically dispersed via regional delivery of technological services.
CHG-01 - Change Management Program
Mechanisms exist to facilitate the implementation of change management controls.
CHG-02.2 - Test, Validate & Document Changes
Mechanisms exist to test and document proposed changes in a non-production environment before changes are implemented in a production environment.
CHG-02.3 - Security Representative for Change
Mechanisms exist to include a cybersecurity representative in the configuration change control review process.
CHG-03 - Security Impact Analysis for Changes
Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.
CHG-06 - Security Functionality Verification
Mechanisms exist to verify the functionality of security controls when anomalies are discovered.
CHG-06.1 - Report Verification Results
Mechanisms exist to report the results of security and privacy function verification to senior management.
CLD-01 - Cloud Services
Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.
CLD-02 - Cloud Security Architecture
Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments.
CLD-10 - Sensitive Data In Public Cloud Providers
Mechanisms exist to limit and manage the storage of sensitive data in public cloud providers.
CPL-01 - Statutory, Regulatory & Contractual Compliance
Mechanisms exist to facilitate the identification and implementation of relevant legislative, statutory, regulatory and contractual controls.
CPL-02 - Security Controls Oversight
Mechanisms exist to provide a security controls oversight function.
CPL-03.1 - Independent Assessors
Mechanisms exist to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes.
CPL-03.2 - Functional Review Of Security Controls
Mechanisms exist to regularly review assets for compliance with the organization’s cybersecurity and privacy policies and standards.
CPL-04 - Audit Activities
Mechanisms exist to plan audits that minimize the impact of audit activities on business operations.
CFG-04.2 - Unsupported Internet Browsers & Email Clients
Mechanisms exist to allow only approved Internet browsers and email clients to run on systems.
CRY-01 - Use of Cryptographic Controls
Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.
CRY-01.1 - Alternate Physical Protection
Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternate to physical safeguards.
CRY-03 - Transmission Confidentiality
Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.
CRY-04 - Transmission Integrity
Cryptographic mechanisms exist to protect the integrity of data being transmitted.
CRY-05 - Encrypting Data At Rest
Cryptographic mechanisms exist to prevent unauthorized disclosure of information at rest.
CLD-01.1 - Cloud Infrastructure Onboarding
Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
CLD-13.1 - Authorized Individuals For Hosted Systems, Applications & Services
Mechanisms exist to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
CLD-13.2 - Sensitive/Regulated Data On Hosted Systems, Applications & Services
Mechanisms exist to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
CPL-01.2 - Compliance Scope
Mechanisms exist to document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
CPL-06 - Government Surveillance
Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
CFG-07 - Zero-Touch Provisioning (ZTP)
Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
CRY-05.3 - Database Encryption
Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases.
DCH-03 - Media Access
Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.
DCH-08 - Physical Media Disposal
Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.
DCH-14.1 - Information Search & Retrieval
Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions.
DCH-15 - Publicly Accessible Content
Mechanisms exist to control publicly-accessible content.
DCH-18 - Media & Data Retention
Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
DCH-01.2 - Sensitive / Regulated Data Protection
Mechanisms exist to protect sensitive/regulated data wherever it is stored.
DCH-01.4 - Defining Access Authorizations for Sensitive/Regulated Data
Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
DCH-18.2 - Minimize Personal Data (PD)
Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
DCH-20 - Archived Data Sets
Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
DCH-22.1 - Updating & Correcting Personal Data (PD)
Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.
DCH-24 - Information Location
Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.
EMB-01 - Embedded Technology Security Program
Mechanisms exist to facilitate the implementation of embedded technology controls.
EMB-03 - Operational Technology (OT)
Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Operational Technology (OT).
END-01 - Endpoint Security
Mechanisms exist to facilitate the implementation of endpoint security controls.
END-02 - Endpoint Protection Measures
Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.
END-03.1 - Unauthorized Installation Alerts
Mechanisms exist to alert personnel when an unauthorized installation of software is detected.
END-03.2 - Access Restriction for Change
Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems.
END-04 - Malicious Code Protection (Anti-Malware)
Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.
END-04.1 - Automatic Updates
Mechanisms exist to automatically update antimalware technologies, including signature definitions.
END-04.3 - Centralized Management
Mechanisms exist to centrally-manage antimalware technologies.
END-04.4 - Heuristic / Nonsignature-Based Detection
Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.
END-04.7 - Always On Protection
Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.
END-05 - Software Firewall
Mechanisms exist to utilize host-based firewall software on all laptop computers and other portable workstations capable of implementing a host-based firewall.
END-06 - File Integrity Monitoring (FIM)
Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report unauthorized changes to system files and configurations.
END-06.1 - Integrity Checks
Mechanisms exist to validate configurations through integrity checking of software and firmware.
END-06.2 - Integration of Detection & Response
Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.
END-06.3 - Automated Notifications of Integrity Violations
Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification.
END-06.4 - Automated Response to Integrity Violations
Automated mechanisms exist to implement remediation actions when integrity violations are discovered.
END-07 - Host Intrusion Detection and Prevention Systems (HIDS / HIPS)
Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems.
END-08 - Phishing & Spam Protection
Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.
END-08.1 - Central Management
Mechanisms exist to centrally-manage anti-phishing and spam protection technologies.
END-08.2 - Automatic Updates
Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices.
END-12 - Port & Input / Output (I/O) Device Access
Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems.
END-13.3 - Collection Minimization
Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.
END-14.2 - Explicitly Indicate Current Participants
Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences.
END-14.4 - Participant Connection Management
Mechanisms exist to ensure the meeting host can positively control an individual's participation in virtual meetings.
GOV-01 - Security & Privacy Governance Program
Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.
GOV-01.1 - Steering Committee
Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a steering committee or advisory board, comprising key cybersecurity, privacy and business executives, which meets formally and on a regular basis.
GOV-02 - Publishing Security & Privacy Documentation
Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.
GOV-03 - Periodic Review & Update of Security & Privacy Program
Mechanisms exist to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
GOV-05 - Measures of Performance
Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance.
GOV-05.2 - Key Risk Indicators (KRIs)
Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity and privacy program.
GOV-06 - Contacts With Authorities
Mechanisms exist to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.
GOV-14 - Business As Usual (BAU) Secure Practices
Mechanisms exist to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement.
GOV-15.2 - Implement Controls
Mechanisms exist to compel data and/or process owners to implement required cybersecurity & data privacy controls for each system, application and/or service under their control.
GOV-15.3 - Assess Controls
Mechanisms exist to compel data and/or process owners to assess if required cybersecurity & data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.
HRS-02.1 - Users With Elevated Privileges
Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question.
HRS-03 - Roles & Responsibilities
Mechanisms exist to define cybersecurity responsibilities for all personnel.
HRS-03.1 - User Awareness
Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment.
HRS-03.2 - Competency Requirements for Security-Related Positions
Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.
HRS-04 - Personnel Screening
Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
HRS-04.1 - Roles With Special Protection Measures
Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.
HRS-04.3 - Citizenship Requirements
Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.
HRS-05 - Terms of Employment
Mechanisms exist to require all employees and contractors to apply security and privacy principles in their daily work.
HRS-05.1 - Rules of Behavior
Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.
HRS-05.2 - Social Media & Social Networking Restrictions
Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.
HRS-06 - Access Agreements
Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.
HRS-06.1 - Confidentiality Agreements
Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties.
HRS-06.2 - Post-Employment Obligations
Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information.
HRS-07 - Personnel Sanctions
Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.
HRS-07.1 - Workplace Investigations
Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated.
HRS-08 - Personnel Transfer
Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner.
HRS-09 - Personnel Termination
Mechanisms exist to govern the termination of individual employment.
HRS-09.1 - Asset Collection
Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment.
HRS-09.2 - High-Risk Terminations
Mechanisms exist to expedite the process of removing "high risk" individuals' access to systems and applications upon termination, as determined by management.
HRS-09.3 - Post-Employment Requirements
Mechanisms exist to govern third-party personnel by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.
HRS-09.4 - Automated Employment Status Notifications
Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual's employment or contract.
HRS-05.7 - Policy Familiarization & Acknowledgement
Mechanisms exist to ensure personnel receive recurring familiarization with the organization's cybersecurity & data privacy policies and provide acknowledgement.
HRS-13.3 - Establish Redundancy for Vital Cybersecurity & Privacy Staff
Mechanisms exist to establish redundancy for vital cybersecurity & privacy staff.
IAC-01 - Identity & Access Management (IAM)
Mechanisms exist to facilitate the implementation of identification and access management controls.
IAC-01.1 - Retain Access Records
Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted, and when the access was last reviewed.
IAC-06 - Multi-Factor Authentication (MFA)
Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for: (1) Remote network access; and/or (2) Non-console access to critical systems or systems that store, transmit and/or process sensitive data.
IAC-06.1 - Network Access to Privileged Accounts
Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts.
IAC-06.2 - Network Access to Non-Privileged Accounts
Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts.
IAC-07 - User Provisioning & De-Provisioning
Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.
IAC-07.1 - Change of Roles & Duties
Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.
IAC-07.2 - Termination of Employment
Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract.
IAC-08 - Role-Based Access Control (RBAC)
Mechanisms exist to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive data access.
IAC-10.1 - Password-Based Authentication
Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.
IAC-10.10 - Expiration of Cached Authenticators
Automated mechanisms exist to prohibit the use of cached authenticators after an organization-defined time period.
IAC-01.3 - User & Service Account Inventories
Automated mechanisms exist to maintain a current list of authorized users and service accounts.
IAC-05.2 - Privileged Access by Non-Organizational Users
Mechanisms exist to prohibit privileged access by non-organizational users.
IAC-06.3 - Local Access to Privileged Accounts
Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts.
IAC-06.4 - Out-of-Band Multi-Factor Authentication
Mechanisms exist to implement Multi-Factor Authentication (MFA) for remote access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access.
IAC-10 - Authenticator Management
Mechanisms exist to securely manage authenticators for users and devices.
IAC-10.7 - Hardware Token-Based Authentication
Automated mechanisms exist to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication.
IAC-11 - Authenticator Feedback
Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IAC-13.1 - Single Sign-On (SSO)
Mechanisms exist to provide a Single Sign-On (SSO) capability to the organization's systems and services.
IAC-13.2 - Federated Credential Management
Mechanisms exist to federate credentials to allow cross-organization authentication of individuals and devices.
IAC-14 - Re-Authentication
Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.
IAC-15.6 - Account Disabling for High Risk Individuals
Mechanisms exist to disable accounts immediately upon notification for users posing a significant risk to the organization.
IAC-15.7 - System Accounts
Mechanisms exist to review all system accounts and disable any account that cannot be associated with a business process and owner.
IAC-15.8 - Usage Conditions
Automated mechanisms exist to enforce usage conditions for users and/or roles.
IAC-16 - Privileged Account Management (PAM)
Mechanisms exist to restrict and control privileged access rights for users and services.
IAC-16.1 - Privileged Account Inventories
Mechanisms exist to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management.
IAC-17 - Periodic Review
Mechanisms exist to periodically review the privileges assigned to users to validate the need for such privileges, and reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
IAC-20 - Access Enforcement
Mechanisms exist to enforce logical access permissions through the principle of "least privilege."
IAC-20.1 - Access To Sensitive Data
Mechanisms exist to limit access to sensitive data to only those individuals whose job requires such access.
IAC-20.2 - Database Access
Mechanisms exist to restrict access to databases containing sensitive data to only necessary services or those individuals whose job requires such access.
IAC-20.3 - Use of Privileged Utility Programs
Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls.
IAC-20.4 - Dedicated Administrative Machines
Mechanisms exist to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.
IAC-21 - Least Privilege
Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
IAC-21.1 - Authorize Access to Security Functions
Mechanisms exist to limit access to security functions to explicitly-authorized privileged users.
IAC-21.5 - Prohibit Non-Privileged Users from Executing Privileged Functions
Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures.
IAC-22 - Account Lockout
Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.
IAC-24 - Session Lock
Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user, and retain the session lock until the user reestablishes access using established identification and authentication methods.
IAC-24.1 - Pattern-Hiding Displays
Mechanisms exist to implement pattern-hiding displays to conceal information previously visible on the display during the session lock.
IAC-25 - Session Termination
Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.
IRO-02 - Incident Handling
Mechanisms exist to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.
IRO-02.1 - Automated Incident Handling Processes
Automated mechanisms exist to support the incident handling process.
IRO-02.4 - Continuity of Operations
Mechanisms exist to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions.
IRO-03 - Indicators of Compromise (IOC)
Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.
IAO-01.1 - Assessment Boundaries
Mechanisms exist to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review.
IAO-02 - Assessments
Mechanisms exist to formally assess the cybersecurity and privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.
IAO-02.1 - Assessor Independence
Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity and privacy control assessments.
IAO-03.2 - Adequate Security for Sensitive Data In Support of Contracts
Mechanisms exist to protect sensitive data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract.
IAO-05 - Plan of Action & Milestones (POA&M)
Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
IAO-07 - Security Authorization
Mechanisms exist to ensure systems, projects and services are officially authorized prior to "go live" in a production environment.
IRO-04 - Incident Response Plan (IRP)
Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
IRO-04.1 - Data Breach
Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
IRO-04.2 - IRP Update
Mechanisms exist to regularly update incident response strategies to keep current with business needs, technology changes and regulatory requirements.
IRO-05 - Incident Response Training
Mechanisms exist to train personnel in their incident response roles and responsibilities.
IRO-04.3 - Continuous Incident Response Improvements
Mechanisms exist to use qualitative and quantitative data from incident response testing to: (1) Determine the effectiveness of incident response processes; (2) Continuously improve incident response processes; and (3) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
IRO-01 - Incident Response Operations
Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for security and privacy-related incidents.
IRO-10.2 - Cyber Incident Reporting for Sensitive Data
Mechanisms exist to report sensitive data incidents in a timely manner.
IRO-10.3 - Vulnerabilities Related To Incidents
Mechanisms exist to report system vulnerabilities associated with reported security and privacy incidents to organization-defined personnel or roles.
IRO-11 - Incident Reporting Assistance
Mechanisms exist to provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential security and privacy incidents.
IRO-12.1 - Responsible Personnel
Mechanisms exist to formally assign personnel or roles with responsibility for responding to sensitive information spills.
IRO-13 - Root Cause Analysis (RCA) & Lessons Learned
Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and privacy incidents to reduce the likelihood or impact of future incidents.
IRO-14 - Regulatory & Law Enforcement Contacts
Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
IRO-15 - Detonation Chambers (Sandboxes)
Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.
IRO-16 - Public Relations & Reputation Repair
Mechanisms exist to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation.
IAO-04 - Threat Analysis & Flaw Remediation During Development
Mechanisms exist to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development.
MON-01.1 - Intrusion Detection & Prevention Systems (IDS & IPS)
Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.
MON-01.4 - System Generated Alerts
Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, privacy and supply chain activities to achieve integrated situational awareness.
MON-01.7 - File Integrity Monitoring (FIM)
Mechanisms exist to utilize a File Integrity Monitor (FIM) or similar change-detection technology on critical assets to generate alerts for unauthorized modifications.
MON-01.10 - Deactivated Account Activity
Mechanisms exist to monitor deactivated accounts for attempted usage.
MON-16.3 - Unauthorized Activities
Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.
NET-01.1 - Zero Trust Architecture (ZTA)
Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized.
NET-02.2 - Guest Networks
Mechanisms exist to implement and manage a secure guest network.
MON-07 - Time Stamps
Mechanisms exist to configure systems to use internal system clocks to generate time stamps for audit records.
MON-07.1 - Synchronization With Authoritative Time Source
Mechanisms exist to synchronize internal system clocks with an authoritative time source.
MON-11 - Monitoring For Information Disclosure
Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.
NET-02 - Layered Network Defenses
Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.
NET-03.8 - Separate Subnet for Connecting to Different Security Domains
Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains.
NET-04 - Data Flow Enforcement – Access Control Lists (ACLs)
Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems.
NET-04.1 - Deny Traffic by Default & Allow Traffic by Exception
Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
NET-06.1 - Security Management Subnets
Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system.
NET-08 - Network Intrusion Detection / Prevention Systems (NIDS / NIPS)
Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.
NET-08.1 - DMZ Networks
Mechanisms exist to require De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks.
NET-10 - Domain Name Service (DNS) Resolution
Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.
NET-14.5 - Work From Anywhere (WFA) - Telecommuting Security
Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers.
PES-01 - Physical & Environmental Protections
Mechanisms exist to facilitate the operation of physical and environmental protection controls.
PES-02 - Physical Access Authorizations
Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).
PES-02.1 - Role-Based Physical Access
Physical access control mechanisms exist to authorize physical access to facilities based on the position or role of the individual.
PES-03.4 - Access To Information Systems
Physical access control mechanisms exist to enforce physical access to critical information systems or sensitive data, in addition to the physical access controls for the facility.
OPS-04 - Security Operations Center (SOC)
Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability.
NET-18.5 - Domain Name Verification
Mechanisms exist to ensure that domain name lookups, whether for internal or external domains, are validated according to Domain Name System Security Extensions (DNSSEC).
NET-18.6 - Internet Address Denylisting
Mechanisms exist to implement Internet address denylisting protections that block traffic received from or destined to a denylisted Internet address.
NET-20 - Email Content Protections
Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.
NET-20.1 - Email Domain Reputation Protections
Mechanisms exist to monitor the organization's email domain’s reputation and protect the email domain’s reputation.
NET-20.2 - Sender Denylisting
Mechanisms exist to implement sender denylisting protections that prevent the reception of email from denylisted senders, domains and/or email servers.
NET-20.9 - User Threat Reporting
Mechanisms exist to incorporate submissions from users of phishing attempts, spam or otherwise malicious actions to better protect the organization.
OPS-06 - Security Orchestration, Automation, and Response (SOAR)
Mechanisms exist to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.
PES-04.3 - Temporary Storage
Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards.
PES-06 - Visitor Control
Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).
PES-06.1 - Distinguish Visitors from On-Site Personnel
Physical access control mechanisms exist to easily distinguish between onsite personnel and visitors, especially in areas where sensitive data is accessible.
PES-07.3 - Emergency Power
Facility security mechanisms exist for facilities to supply long-term alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source.
PES-11 - Alternate Work Site
Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites.
PRI-08 - Testing, Training & Monitoring
Mechanisms exist to conduct security and privacy testing, training and monitoring activities.
PRM-07 - Secure Development Life Cycle (SDLC) Management
Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures.
PRM-08 - Manage Organizational Knowledge
Mechanisms exist to manage the organizational knowledge of the cybersecurity and privacy staff.
RSK-06.2 - Compensating Countermeasures
Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats.
SEA-11 - Honeypots
Mechanisms exist to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks.
SEA-18 - System Use Notification (Logon Banner)
Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides privacy and security notices.
SAT-01 - Security & Privacy-Minded Workforce
Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.
SAT-02 - Security & Privacy Awareness
Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.
TDA-06 - Secure Coding
Mechanisms exist to develop applications based on secure coding principles.
TDA-09.2 - Static Code Analysis
Mechanisms exist to require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis.
TDA-09.5 - Application Penetration Testing
Mechanisms exist to perform application-level penetration testing of custom-made applications and services.
TDA-20 - Access to Program Source Code
Mechanisms exist to limit privileges to change software resident within software libraries.
VPM-05 - Software Patching
Mechanisms exist to conduct software patching for all deployed operating systems, applications and firmware.
VPM-06 - Vulnerability Scanning
Mechanisms exist to detect vulnerabilities and configuration errors by recurring vulnerability scanning of systems and web applications.
VPM-07 - Penetration Testing
Mechanisms exist to conduct penetration testing on systems and web applications.
WEB-02 - Use of Demilitarized Zones (DMZ)
Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.
WEB-03 - Web Application Firewall (WAF)
Mechanisms exist to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.
TDA-02.5 - Identification & Justification of Ports, Protocols & Services
Mechanisms exist to require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions.
TDA-02.6 - Insecure Ports, Protocols & Services
Mechanisms exist to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions.
TDA-06.5 - Software Design Review
Mechanisms exist to have an independent review of the software design to confirm that all cybersecurity & data privacy requirements are met and that any identified risks are satisfactorily addressed.
TDA-09.7 - Manual Code Review
Mechanisms exist to require the developers of systems, system components or services to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design.
TDA-20.2 - Archiving Software Releases
Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information.
Copyright © 2026