Open Source CCF

The following table contains the baseline security subset (derived from The Common Controls Framework by Adobe)
of control activities that apply to Adobe’s enterprise service offerings. The control activities help Adobe enterprise offerings meet the requirements of ISO/IEC 27001, ISO 22301, AICPA Trust Service Criteria - Common Criteria (TSC - CC), AICPA Trust
Service Criteria - Availability ("TSC - A"), AICPA Trust Service Criteria - Confidentiality ("TSC - C"), FedRAMP Tailored baseline ("FedRAMP Tailored"), PCI DSS, as well as the security requirements of GLBA, FERPA, German Federal Office for Information Security - Cloud Computing Compliance Controls Catalogue ("BSI C5"), HIPAA Security Rule, National
Institute of Standards and Technology Cybersecurity ("NIST Cybersecurity"), Information Security Registered Assessors Program ("iRAP"), and Spain Esquema Nacional de Seguridad ("Spanish ENS"). These common activities were identified and developed based on industry requirements and adopted by product operations and engineering teams to achieve compliance
with these standards. This information is only to be used as an illustrative example of common security controls that could be tailored to meet minimum security objectives within an organization.
Additionally, some of the requirements from the aforementioned frameworks are not in scope for the Adobe's enterprise service offerings and are not represented in this table.
Control Family Control Sub- Control Short Common Control Activity ISO/IEC 27001 ISO/IEC 27001 ISO 22301 TSC - TSC - TSC - FedRAMP PCI DSS V3.2.1 GLBA Ref# FERPA Ref# BSI C5 HIPAA Security NIST Cybersecurity iRAP Spanish ENS
Family Name ISMS Annex A Common Criteria Availability Confidentiality Tailored Ref#
Ref# Ref# Ref#
CM-8_N_00
8
CM-8_N_01 9.6.1
Device and Inventory [The organization] maintains an inventory of system devices, which is reconciled 0336 9
Asset Management A.8.1.1 CC6.1.1 CM-8_N_02 9.7 AM-01 164.310(D)(1)
Media Inventory Management [in accordance with the organization-defined frequency]. 0159 10
CM-8_N_03 9.7.1
26
CM-8_N_04
11.1.1
Inventory 12.3.4
Device and Media Management: [The organization's] asset inventory includes in-scope cardholder related systems, 2.4
Asset Management
Inventory Payment Card devices, and media. 9.6.1
Systems 9.7
9.9.1
8
9
Device and Media 12.3.3 10
Asset Management Inventory Labels [The organization's] assets are labelled and have designated owners. A.8.1.2 CC6.1.1 AM-02 0294
Inventory 9.6.1 26
92
93
0336
MA-2_N_02 57
Device and Media Asset Transportation [The organization] authorizes and records the entry and exit of systems at datacenter A.11.2.5 164.310(d)(1) ID.AM-4 0159
Asset Management CC6.5.2 MA-2_N_03 9.6.3 PI-02 68
Transportation Authorization locations. A.11.2.6 164.310(d)(2)(iii) PR.DS-3
PE-8_N_00 69
9.5
[The organization] documents the transportation of physical media outside of A.11.2.5 9.6 57
Device and Media Asset Transportation MA-2_N_02 1599
Asset Management datacenters. A.11.2.6 CC6.5.2 9.6.2 68
Transportation Documentation MA-2_N_03 0310
Physical media is packaged securely and transported in a secure, traceable manner. A.8.3.3 9.6.3 69
9.7
Device and Media The use of portable media in [the organization] datacenters is prohibited unless
Asset Management Use of Portable Media CC6.7.3 MP-7_N_00 1359
Transportation explicitly authorized by management.
4.3.2
4.4
5.1(a)
5.1(b)
5.1(e) MA-2_N_00 0305
5.1(g) MA-2_N_01 0307
Component 6.2.1(a)
Equipment maintenance is documented and approved according to management MA-2_N_04 PR.DS-8 0306 13
Asset Management Installation and Maintenance of Assets A.11.2.4 6.3(a) A1.2.3 PS-06 164.310(a)(2)(iv)
requirements. MA-2_N_05 PR.MA-1 0310 29
Maintenance 6.3(b) MA-4_N_00 0944
7.4(a) MA-4_N_03 1598
7.4(b)
7.4(c)
7.4(d)
7.4(e)
Component Tampering of 7.5.1(a) 9.9
Devices that physically capture payment card data are inspected for evidence of
Asset Management Installation and Payment Card 7.5.1(b) 9.9.2 13
tampering [in accordance with the organization-defined frequency].
Maintenance Capture Devices 8.1(c) A2.1
8.3.1
8.3.2(a)
8.3.2(b)
8.3.2(c)
8.3.2(d)
8.3.2(e)
8.3.2(f)
8.3.3(a)
8.3.3(b)
8.3.3(c)
8.3.5
8.4.1(a)
8.4.1(b)
8.4.1(c)
8.4.1(d)
8.4.1(e)
8.4.2.1
8.4.2.2
8.4.2.3(a)
A1.2.10 BCM-01 42
[The organization's] business contingency plan is reviewed, approved by 8.4.2.3(b) CC7.4.5 164.308(a)(7)(i)
Business Continuity Business Continuity A.17.1.1 A1.2.3 BCM-02 43
Business Continuity management and communicated to relevant team members [in accordance with the 8.4.2.3(c) CC7.5.1 CP-2 12.10.1 164.308(a)(7)(ii)(B)
Planning Plan A.17.1.2 A1.2.5 BCM-03 44
organization-defined frequency]. 8.4.2.3(d) CC9.1.1 164.308(a)(7)(ii)(C)
A1.2.7 BCM-04 70
8.4.2.3(e)
8.4.2.3(f)
8.4.2.3(g)
8.4.2.3(h)
8.4.2.4(a)
8.4.2.4(b)
8.4.3.1(a)
8.4.3.1(b)
8.4.3.1(c)
8.4.3.1(d)
8.4.3.1(e)
8.4.3.1(f)
8.4.3.2(a)
8.4.3.2(b)
8.4.3.2
8.4.4.1
8.4.4.2(a.1)
8.4.4.2(a.2)
8.4.4.2(b)
8.4.4.2(c)
Business Continuity 8.4.4.2(d.1)
Business Continuity [The organization] Business Contingency Plan addresses how to access facilities 164.310(a)(2)(i)
Business Continuity Plan: Personal Health 8.4.4.2(d.2)
Planning and obtain data during an emergency. 164.312(a)(2)(ii)
Information 8.4.4.2(d.3)
8.4.4.3(a)
8.4.4.3(b)
8.4.4.3(c)
8.4.4.3(d)
8.4.4.3(e)
8.4.4.3(f)
8.4.4.3(g)
8.4.4.3(h)
8.6(a)
8.6(e)
8.6
10.2
The Common Controls Framework (CCF) by Adobe v4.0 This work is licensed under a Creative Commons Attribution-Non Commercial-Share Alike 4.0 International License. Revised 12/2020.
4.2.1(a)
4.2.1(b)
5.1(c)
5.1(f)
Business Continuity 5.1(h)
Business Continuity Business contingency roles and responsibilities are assigned to individuals and their CP-2
Business Continuity Plan: Roles and 5.3(a)
Planning contact information is communicated to authorized personnel. IA-2
Responsibilities 5.3(b)
6.3(d)
7.1
7.3(b)
7.3(d)
6.2.1(b)
8.4.5
8.5
[The organization] performs business contingency and disaster recovery tests [in 8.5(a)
CC7.4.5
accordance with the organization-defined frequency] and ensures the following: 8.5(b) BCM-01 164.308(a)(7)(ii)(B) ID.SC-5 42
CC7.5.1
Business Continuity • tests are executed with relevant contingency teams A.17.1.2 8.5(c) A1.2.3 BCM-02 164.308(a)(7)(ii)(C) PR.IP-9 44
Business Continuity Continuity Testing 4.3.1(a) CC7.5.5 CP-4
Planning • test results are documented A.17.1.3 8.5(d) A1.3.1 BCM-03 164.308(a)(7)(ii)(D) PR.IP-10 45
4.3.1(b) CC7.5.6
• corrective actions are taken for exceptions noted 8.5(e) BCM-04 164.310(a)(2)(i) PR.PT-5 70
4.3.1(c) CC9.1.1
• plans are updated based on results 8.5(f)
4.3.2
8.5(g)
4.3.2(a)
8.6(b)
4.3.2(b)
9.1
6.2.1(c)
6.2.1(d)
6.2.1(e)
6.2.1(f)
6.2.1
6.2.2(a) BCM-01
[The organization] identifies the business impact of relevant threats to assets, CC7.4.5 42
Business Business Impact 6.2.2(b) A1.2.3 BCM-02 ID.BE-5
Business Continuity infrastructure, and resources that support critical business functions. Recovery CC7.5.1 CP-9_N_02 164.308(a)(7)(ii)(E) 43
Continuity Analysis 6.2.2(c) A1.2.7 BCM-03 PR.IP-9
objectives are established for critical business functions. CC9.1.1 70
6.2.2(d) BCM-04
6.2.2(e)
8.2.1(a)
8.2.1(b)
8.2.2(a)
6.3(c)
8.2.2(b)
8.3.4(a)
8.2.2(c)
8.3.4(b)
Budgets for infrastructure capacity are established based on analysis of historical 8.2.2(d)
8.3.4(c)
business activity and growth projections; purchases are made against the established 8.2.2(e) A1.1.2 42
Business Continuity Capacity Management Capacity Forecasting 8.3.4(d) SA-2 OPS-01 164.308(a)(7)(ii)(E)
budget and plans are updated on a [in accordance with the organization-defined 8.2.2(f) A1.1.3 70
8.3.4(e)
frequency]. 8.2.2(g)
8.3.4(f)
8.2.2(h)
8.3.4(g)
8.3.4(h)
[The organization] configures redundant systems or performs data backups [in CP-9_N_00 164.308(a)(7)(ii)(A)
Backup CC7.5.1
Backup Backup Configuration accordance with the organization-defined frequency] to resume system operations A.18.1.3 A1.2.8 CP-9_N_01 12.10.1 OPS-07 164.308(a)(7)(ii)(B) 1547
Management CC9.1.1
in the event of a system failure. CP-10 164.310(d)(2)(iv)
[The organization] performs backup restoration or failover tests [in accordance with CC7.4.5 A1.2.7 OPS-06
Backup 164.308(a)(7)(ii)(A)
Backup Resilience Testing the organization-defined frequency] to confirm the reliability and integrity of A.12.3.1 CC7.5.1 A1.2.8 CP-10 12.10.1 OPS-08 1548 100
Management 164.308(a)(7)(ii)(B)
system backups or recovery operations. CC9.1.1 A1.3.2 OPS-09
Backup Alternate [The organization] backups are securely stored in an alternate location from source
Backup A1.2.9 9.5.1 1513
Management Storage data.
1.1
1.1.4
CC6.8.2 1.1.6
CC7.1.1 1.2
CC7.1.2 1.2.2 4
Baseline [The organization] ensures security hardening and baseline configuration standards CC7.1.3 CA-3_N_00 2.1 13
Configuration Baseline A.12.5.1 PR.IP-1 1409
Configuration have been established according to industry standards and are reviewed and updated CC7.1.5 CM-2_N_00 2.1.1 314.4(b)(3) FERPA_99.31(a) 88
Management Configurations A.12.2.1 DE.AE-1 1412
Standard [in accordance with the organization-defined frequency]. CC7.5.1 CM-6_N_00 2.2 89
CC8.1.11 2.2.2 90
CC8.1.12 2.2.3
CC8.1.6 2.2.4
2.2.5
5.3
7.2
Configuration Baseline Default "Deny- all" Where applicable, the information system default access configurations are set to
7.2.1
Management Configurations Settings "deny-all."
7.2.3
1.2.2 4
10.4.2 13
Configuration Baseline [The organization] uses mechanisms to detect deviations from baseline A.9.4.4 CM-6_N_02 11.4 15
Configuration Checks CC6.8.2 314.4(b)(3) FERPA_99.31(a) 164.308(a)(5)(ii)(B)
Management Configurations configurations in production environments. A.12.5.1 CM-7_N_00 11.5 88
11.5.1 89
5.3 90
Configuration
Configuration [The organization] reconciles the established device inventory against the enterprise
Baseline Checks
Management log repository [in accordance with the organization-defined frequency]; devices 314.4(b)(3) FERPA_99.31(a)
Configurations Reconciliation:
which do not forward security configurations are remediated.
CMDB
AU-8_N_00 10.4
Configuration Baseline Time Clock Systems are configured to synchronize information system time clocks based on AU-8_N_01 10.4.1 13
A.12.4.4 0988
Management Configurations Synchronization International Atomic Time or Coordinated Universal Time (UTC). AU-5 10.4.2 37
AU-6 10.4.3
Configuration Baseline Time Clock 10.4

Access to modify time data is restricted to authorized personnel. 0586
Management Configurations Configuration Access 10.4.2
Vendor-supplied default passwords are changed according to [the organization]

Configuration Baseline Default Device 2.1 0383
standards prior to device installation on the [the organization] network or IA-5 13
Management Configurations Passwords 2.1.1 1260
immediately after software or operating system installation.
[The organization] implements only one primary function per server within the
Configuration Baseline
Process Isolation production environment; the information system maintains a separate execution 2.2.1 0380 13
Management Configurations
domain for each executing process.
Where applicable, collaborative computing devices used at [The Organization] are

Configuration Baseline
Collaborative Devices configured to restrict remote activation and provide an explicit indication that they SC-15 13
Management Configurations
are in use.
Configuration Installation of software or programs in the production environment is approved by

Approved Software Software Installation CM-11 0382
Management authorized personnel.
CC.2.2.11
CC6.8.1
1.1.1
CC6.8.3
10.4.2
CC7.1.3 DEV-01
A.12.1.2 6.4
CC8.1.1 DEV-03
Change scope, change type, and roles and responsibilities are pre-established and A.12.6.2 6.4.5
Change Change Management CC8.1.10 DEV-05 30
Change Management control workflow; notification and approval requirements are also pre-established A.14.2.1 SA-3 6.4.5.1 FERPA_99.31(a) PR.IP-3 1211
Management Workflow CC8.1.13 DEV-06 87
based on risk associated with change scope and type. A.14.2.2 6.4.5.2
CC8.1.2 DEV-07
A.14.2.4 6.4.5.3
CC8.1.3 DEV-09
6.4.5.4
CC8.1.4
6.4.6
CC8.1.5
CC8.1.9
1.1.1
CC7.1.3
10.4.2
CC8.1.1
6.3.2
Prior to introducing changes into the production environment, approval from A.12.5.1 CC8.1.13
CA-9_N_00 6.4 DEV-02 30
authorized personnel is required based on the following: • change description A.14.2.3 CC8.1.14
Change CM-4_N_00 6.4.5 DEV-03 88
Change Management Change Approval • impact of change A.14.2.4 CC8.1.3 FERPA_99.31(a) 1211
Management CM-6_N_01 6.4.5.1 DEV-06 89
• test results A.14.2.8 CC8.1.4
CM-6_N_03 6.4.5.2 DEV-07 90
• back-out procedures A.14.2.9 CC8.1.5
6.4.5.3
CC8.1.7
6.4.5.4
CC8.1.8
6.4.6
2
Changes to the production environment are implemented by authorized personnel. CC5.1.6 4
Change Segregation of Segregation of A.14.2.6 6.4.2 IDM-06
CC6.3.3 PR.AC-4 1211 5
Management Duties Duties A.6.1.2 6.4.6 OIS-04
CC6.8.1 16
87
Communication of
Change Change Customer-impacting product and system changes are publicly communicated on the CC.2.2.11
Maintenance and 1211
Management Communication company website. CC2.3.1
Downtime
A.8.2.1
CC3.2.6
[The organization's] data classification criteria are reviewed, approved by A.8.2.2 MP-6_N_01 4
CC6.1.6
Data Data Classification management, and communicated to authorized personnel [in accordance with the A.8.2.3 RA-2 AM-05 164.310(b) 91
Data Management CC6.5.1 C1.1.1 9.6.1 314.3(b)(1) ID.AM-5 0393
Classification Criteria organization-defined frequency]; the data security management determines the A.8.3.1 SI-1 AM-06 164.310(c) 92
CC8.1.14
treatment of data according to its designated data classification level. A.18.1.3 SI-12 93
CC8.1.15
A.18.1.4
Consent is obtained for [the organization's] Terms of Service (ToS) prior to

Data Management Choice and Consent Terms of Service FERPA_99.31(a)
collecting personal information and when the ToS is updated.
Notice of Personal
In accordance with [the organization] policy, [the organization] provides notice to
Data Management Choice and Consent Information CC2.3.7
individuals regarding legally-required disclosures of personal information.
Disclosure
External Privacy In compliance with [the organization] policy, [the organization] reviews privacy-
Data Management Data Handling A.18.1.4 91
Inquiries related inquiries, complaints, and disputes.
87
[Restricted (as defined by the organization's data classification criteria)] data is 88
Data Management Data Handling Test Data Sanitization A.14.3.1 6.4.3 1274
redacted prior to use in a non-production environment. 89
90
24
25
73
74
75
76
A.13.2.3 2.3
IA-5(1)_N_02 164.312(a)(2)(iv) 77
A.14.1.2 4.1 314.3(b)(1)
Encryption of Data in [Restricted (as defined by the organization's data classification criteria)] data that is IA-7_N_00 CRY-02 164.312(E)(1) 91
Data Management Data Encryption A.14.1.3 CC6.7.2 4.1.1 314.3(b)(2) FERPA_99.31(a) PR.DS-2 1162
Transit transmitted over public networks is encrypted. SC-12 CRY-03 164.312(e)(2)(i) 94
A.18.1.4 8.2.1 314.3(b)(3)
SC-13 164.312(e)(2)(ii) 95
A.18.1.5 A2.3
96
97
98
101
102
4
103
24
3.4 25
3.5 73
CC6.1.6
Encryption of Data at [Restricted (as defined by the organization's data classification criteria)] data at rest A.18.1.4 3.5.3 CRY-02 164.312(a)(2)(iv) 74
Data Management Data Encryption CC6.1.9 PR.DS-1 0459
Rest is encrypted. A.18.1.5 3.6 CRY-03 164.312(e)(2)(ii) 91
CC6.7.2
3.6.3 94
8.2.1 95
96
97
2.3
3.6
Approved Where applicable, strong industry standard cryptographic ciphers and keys with an
SC-12 3.6.1
Data Management Data Encryption Cryptographic effective strength greater than 112 bits are required for cryptographic security 0471
SC-13 4.3
Technology operations.
8.2.1
A2.2
3.2
[The organization] does not store full track credit card data, credit card
Credit Card Data 3.2.1
Data Management Data Storage authentication information, credit card verification code, or credit personal
Restrictions 3.2.2
identification number (PIN) which [the organization] processes for payment.
3.2.3
Personal
[The organization] restricts personal account number (PAN) data such that only the
Account
Data Management Data Storage first six and last four digits are displayed; authorized users with a legitimate 3.3
Number Data
business need may be provided the full PAN.
Restrictions
[The organization] uses mechanisms to detect direct changes to the integrity of

Changes to Data at customer data and personal information; [the organization] takes action to resolve 73
Data Management Data Integrity 11.5
Rest confirmed unauthorized 74
changes to data.
[The organization] securely erases media containing decommissioned [Restricted MA-2_N_03 9.8
Secure Disposal of A.8.3.2 CC6.5.1 C1.2.1 AM-04
Data Management Data Removal organization's data classification criteria)] data and obtains a certificate or log of MP-6_N_00 9.8.1 164.310(D)(1)(ii) PR.IP-6 1464
Media A.11.2.7 CC6.5.2 C1.2.2 PI-03
erasure; media pending erasure are stored within a secured facility. MP-6_N_01 9.8.2
Customer Data
[The organization] purges or archives data according to customer requests or legal C1.2.1
Data Management Data Removal Retention and ` 3.1 164.310(D)(1)(i) 1451
and regulatory mandates. C1.2.2
Deletion
Removal of PHI from [The organization] removes electronic protected health information from electronic
Data Management Data Removal 0348
Media media if the media is made available for re-use.
Sharing [the organization] [restricted (as defined by the organization's data

Data Management Social Media Social Media classification criteria)] data via messaging technologies, social media, and public 4.2 0820
websites is prohibited.
Adobe protects its public information system presence with the following
processes: only authorized and trained individuals may post public information,
Publicly Accessible
Data Management Social Media content is reviewed prior to publishing, information on public systems is reviewed AC-22 0820
Content
periodically, and non-public information is removed from public systems upon
discovery.
The Board of Directors provides corporate oversight, strategic direction, and review CC1.1.1
of management for [the organization]. The Board of Directors meets at least [in CC1.2.1
Board of Directors accordance with the organization-defined frequency] and has 3 sub-committees: CC1.2.2
Entity Management Board of Directors 5.1 4.1
Structure and Purpose • Audit Committee CC1.2.3
• Executive Compensation and Nominating Committee CC1.5.3
• Governance Committee CC2.2.2
The Audit Committee is governed by a Charter, is independent from [the

organization] Management, is composed of outside directors (Industry Experts), and
meets [in accordance with the organization-defined frequency]. The Audit
CC1.2.2
Committee oversees:
4.1 CC1.2.3
•Financial Statement Quality 5.1
Entity Management Board of Directors Audit Committee 4.2.2(a) CC1.5.3
•Enterprise Risk Management 5.3
4.2.2(b) CC2.1.2
•Regulatory & Legal Compliance
CC2.2.2
•Internal Audit Functions
•Information Security Functions
•External Audit Functions
CC1.1.1
CC1.1.2
CC1.1.5
CC1.2.1
[The organization] Management ensures that its organization is aligned with the
Organizational CC1.3.1
Entity Management Strategic Planning corporate strategy by assigning key managers with responsibilities to execute the 5.1a 1478
Structure CC1.3.2
corporate strategy.
CC1.3.3
CC1.5.1
CC1.5.2
CC2.2.2
[In accordance with the organization-defined frequency]operating plans are aligned

with Corporate Objectives, which are established [in accordance with the 5.1(a)
Entity Management Strategic Planning Operating Plans CC1.5.2
organization-defined frequency] during the Company's planning process. Priorities 7.1
are set and plans are communicated appropriately.
Cyber Security [The organization] purchases cyber security insurance to mitigate risk of material
Entity Management Strategic Planning 7.1 CC9.1.2
Insurance financial impact that could result from a cyber security event.
CC1.5.3
CC1.5.5
CC2.1.2
[In accordance with the organization-defined frequency], the Chief Audit Executive
CC2.2.2
meets with the Audit Committee to review key risk issues. The Audit Committee
Internal Audit Internal Audit CC3.1.5
Entity Management approves the [in accordance with the organization-defined frequency] Internal Audit 9.2
Oversight Function CC3.1.6
Plan. Results of [in accordance with the organization-defined frequency] audits and
CC3.1.7
subsequent issue tracking summaries are presented to the Audit Committee.
CC3.1.8
CC4.1.1
CC4.1.2
CC3.1.5
Internal financial control assessment results are reported to the Audit Committee by
Internal Audit Financial Control CC3.1.6
Entity Management the Chief Audit Executive on a [in accordance with the organization-defined 9.2
Oversight Review CC3.1.7
frequency] and support the CEO/CFO 302/404 certifications.
CC3.1.8
CC1.5.4
[The organization]'s anti-fraud program encompasses both entity-level (Code of CC3.3.1
Internal Audit Conduct, Hotline, Background Checks, AC oversight, etc.) and process-level CC3.3.2
Entity Management Anti-fraud Program
Oversight controls (including IT controls) embedded with [The organization]'s process design CC3.3.3
of ICOFR. CC3.3.4
CC3.3.5
[In accordance with the organization-defined frequency], the Chief Security Officer
Information Security Information Security meets with the Audit Committee to review key Information Security issues. Results CC2.2.2
Entity Management 9.3 COM-04 0714
Oversight Function of continuous monitoring activities and current security compliance status are CC2.3.3
presented to the Audit Committee and the Board of Directors.
CC3.1.10
CC3.1.14
Information Security compliance results are reported to the Audit Committee by the CC3.1.15
Information Security Information Security
Entity Management Chief Security Officer on a [in accordance with the organization-defined frequency] CC3.1.16 0714
Oversight Compliance Review
and support information security compliance certifications CC3.1.9
CC4.1.4
CC4.2.1
CC6.1.2 AC-2_N_00 2
CC6.1.3 AC-2_N_05 3
164.308(a)(3)
CC6.1.5 AC-3 4
A.9.2.1 164.308(a)(3)(ii)(A)
CC6.1.6 AC-17_N_00 14
A.9.2.2 IDM-01 164.308(a)(3)(ii)(B)
Identity and Logical Access Logical Access Logical access provisioning to information systems requires approval from CC6.1.8 CP-9_N_03 7.1.4 0405 15
A.9.2.3 C1.1.2 314.3(b)(3) FERPA_99.31(a) IDM-02 164.308(a)(4) PR.AC-1
Access Management Account Lifecycle Provisioning appropriate personnel. CC6.2.1 IA-4_N_00 8.1.2 1507 16
A.9.4.1 IDM-06 164.308(a)(4)(ii)(B)
CC6.3.1 IA-5_N_07 17
A.18.1.3 164.308(a)(4)(ii)(C)
CC6.3.3 IA-5_N_08 88
164.312(a)(1)
CC8.1.14 MP-2_N_00 89
CC8.1.15 PS-4_N_04 90
CC6.1.2
A.7.3.1 CC6.1.5 2
AC-2_N_05 164.308(a)(3)
A.9.2.1 CC6.1.6 3
AC-2_N_08 164.308(a)(3)(ii)(B)
A.9.2.2 CC6.1.8 8.1.2 IDM-01 14
Identity and Logical Access Logical Access De- Logical access that is no longer required in the event of a termination is AC-17_N_00 164.308(a)(3)(ii)(C)
A.9.2.3 CC6.2.2 C1.1.2 8.1.3 314.3(b)(3) FERPA_99.31(a) IDM-02 PR.AC-1 0430 15
Access Management Account Lifecycle provisioning documented, communicated to management, and revoked. PS-4_N_00 164.308(a)(4)
A.9.4.1 CC6.3.1 8.1.4 IDM-04 16
PS-4_N_01 164.308(a)(4)(ii)(C)
A.9.2.6 CC6.3.2 17
PS-4_N_05 164.312(a)(1)
A.18.1.3 CC6.3.3 60
CC9.2.8
Logical Access De-

Identity and Access Logical Access The People Resources system sends a notification to relevant personnel in the event
provisioning: PS-4_N_01 0430
Management Account Lifecycle of a termination of an information system user.
Notification
AC-2_N_07 164.308(a)(3)
CC6.1.2 AC-2_N_08 164.308(a)(3)(ii)(A)
A.9.2.3
CC6.2.3 AC-2_N_09 164.308(a)(3)(ii)(B)
Identity and Logical Access Logical Access [The organization] performs account and access reviews [in accordance with the A.9.4.1 IDM-01 15
CC6.3.1 C1.1.2 AC-3 7.1 314.3(b)(3) FERPA_99.31(a) 164.308(a)(3)(ii)(C) 0407
Access Management Account Lifecycle Review organization-defined frequency]; corrective action is taken where applicable. A.9.2.5 IDM-05 17
CC6.3.2 IA-5_N_09 164.308(a)(4)
A.18.1.3
CC6.3.3 PS-5_N_00 164.308(a)(4)(ii)(C)
PS-5_N_02 164.312(a)(1)
Upon notification of an employee reassignment or transfer, management reviews

Identity and Logical Access Role Change: Access
the employee's access for appropriateness. Access that is no longer required is PS-5 8.1.2 0430
Access Management Account Lifecycle De-provisioning
revoked and documented.
[The organization] restricts the use of shared and group authentication credentials.
Identity and Logical Access Shared Logical
Authentication credentials for shared and group accounts are reset [in accordance FERPA_99.31(a) 164.308(a)(5)(ii)(D) 0415
Access Management Account Lifecycle Accounts
with the organization-defined frequency].
Identity and Logical Access Shared Account Where applicable, the use of generic and shared accounts to administer systems or
8.5 0415
Access Management Account Lifecycle Restrictions perform critical functions is prohibited; generic user IDs are disabled or removed.
15
IA-4_N_01
17
IA-4_N_02
Identity and CC6.1.2 IDM-01 164.312(a)(1) 21
Unique [The organization] requires unique identifiers for user accounts and prevents A.9.4.1 IA-4_N_03 8.1.1
Access Authentication CC6.1.3 314.3(b)(3) FERPA_99.31(a) PSS-08 164.312(a)(2)(i) 0414 22
Identifiers identifier reuse. A.9.4.2 IA-5_N_00 8.6
Management CC6.1.7 PSS-09 164.312(D) 23
IA-5_N_01
24
IA-5_N_05
25
15
AC-14 17
IA-4_N_04 8.2 18
CC6.1.2
User and device authentication to information systems is protected by passwords A.9.1.2 IA-5_N_02 8.2.3 19
CC6.1.3 IDM-01
Identity and Password that meet [the organization's] password complexity requirements. [the organization] A.9.4.1 IA-5_N_06 8.2.4 20
Authentication CC6.1.5 314.3(b)(3) FERPA_99.31(a) IDM-09 164.308(a)(5)(ii)(D)
Access Management Authentication requires system users to change passwords [in accordance with the organization- A.9.4.2 IA-5(1)_N_00 8.2.5 21
CC6.1.6 PSS-09
defined frequency]. A.9.4.3 IA-5(1)_N_01 8.2.6 22
CC6.1.7
IA-5(1)_N_03 8.6 23
IA-5(1)_N_04 24
25
AC-2
AC-20
IA-2(1)_N_00
15
IA-2(12)
17
IA-5_N_02
21
IA-5(11)
CC6.1.2 22
Multi-factor authentication is required for: A.9.4.1 IA-8 8.3
Identity and Multifactor CC6.1.3 IDM-01 23
Authentication • remote sessions A.9.4.2 IA-8(1) 8.3.1 164.312(d) PR.AC-7 1504
Access Management Authentication CC6.1.7 PSS-09 24
• access to environments that host production systems A.11.2.6 IA-8(2) 8.3.2
CC6.6.3 25
IA-8(3)
57
IA-8(4)
68
MA-4_N_00
69
MA-4_N_02
MA-4_N_03
MA-4_N_04
Authentication Authentication AC-14 18

Identity and Authorized personnel verify the identity of users before modifying authentication A.9.2.4 IDM-08
Maintenance Credential CC6.1.7 IA-5_N_03 8.2.2 1593 19
Access Management credentials on their behalf. A.9.3.1 PSS-05
Maintenance IA-5(1)_N_05 20
Identity and
Information systems are configured to terminate inactive sessions after [the 12.3.8
Access Authentication Session Timeout MA-4 164.312(a)(2)(iii) 0428
organization-defined duration] or when the user terminates the session. 8.1.8
Management
Identity and Information systems are configured to limit concurrent login sessions and the
Authentication Session Limit AC-7
Access Management inactive user interface is not displayed when the session is terminated.
Account Users are locked out of information systems after [the organization-defined number]
Identity and 8.1.6
Authentication Lockout: Cardholder of invalid attempts for a minimum of [the organization- defined duration], or until
Access Management 8.1.7
Data Environments an administrator enables the user ID.
Identity and Users are locked out of information systems after multiple, consecutive invalid
Authentication Account Lockout AC-2 1403
Access Management attempts within a defined period; Accounts remain locked for a defined period.
IA-2(12)
IA-5(11)
Privileged logical access to trusted data environments is enabled through an IA-8
Identity & Access Privileged Session CC6.7.1
Authentication authorized session manager; session user activity is recorded and tunneling to IA-8(1) 1509
Management Management CC7.1.4
untrusted data environments is restricted. IA-8(2)
IA-8(3)
IA-8(4)
Where full disk encryption is used, logical access must be managed independently
Identity and
Authentication Full Disk Encryption of operating system authentication; decryption keys must not be associated with 3.4.1
Access Management
user accounts.
Systems leveraged by the U.S. Federal Government present a login screen that
displays the following language:
• users are accessing a U.S. Government information system
Identity and AC-7
Authentication Login Banner • system usage may be monitored, recorded, and subject to audit
Access Management AC-8
• unauthorized use of the system is prohibited and subject to criminal and civil
penalties
• use of the system indicates consent to monitoring and recording
7.1
7.1.1
7.1.2
Logical Access Role 7.1.3
Identity and Role-Based Logical Initial permission definitions, and changes to permissions, associated with logical
Permission 7.2 1507
Access Management Access access roles are approved by authorized personnel.
Authorization 7.2.1
7.2.2
7.2.3
8.7
Identity and Role-Based Logical 15

Source Code Security Access to modify source code is restricted to authorized personnel. A.9.4.5 1508
Access Management Access 87
Identity and Role-Based Logical Service Account Individual user or administrator use of service accounts for O/S, applications, and
8.7
Access Management Access Restrictions databases is prohibited.
[The organization] clients with access to the cardholder data environment (CDE), as
users or processes, are assigned unique accounts that cannot modify shared binaries A.1
Identity and Role-Based Logical PCI Account
or access data, server resources, or scripts owned by another CDE or [the A.1.1
Access Management Access Restrictions
organization]; application processes are restricted from operating in privileged- A.1.2
mode.
AC-20 57
Identity and Virtual Private Remote connections to the corporate network are accessed via VPN through
Remote Access A.11.2.6 CC6.1.5 MA-4_N_01 FERPA_99.31(a) 164.312(d) 68
Access Management Network managed gateways.
MA-4_N_04 69
[The organization] has a defined process and mechanisms in place to expeditiously

Identity and Ability to Disable disable or disconnect remote access to information systems within a defined time 12.3
Remote Access PR.AC-3
Access Management Remote Sessions frame based on 12.3.8
business need.
Remote Maintenance:
Identity and Vendor accounts used for remote access are enabled only during the time period 12.3.8
Remote Access Authentication
Access Management needed, disabled when not in use, and monitored while in use. 8.1.5
Sessions
Remote Maintenance:
Unique Where applicable, Service providers with remote access to customer premises (e.g.,
Identity and
Remote Access Authentication for support of POS systems or servers) must use a unique authentication credential 8.5.1
Access Management
Credentials for each (such as a password/phrase) for each customer.
Customer
Where applicable, processes that run as part of an [the organization] shared hosting
Identity and End-user End-user Environment A.1.1
platform will run under unique credentials that permit access to only one customer
Access Management Authentication Segmentation A.1.2
environment.
[The organization] applications secure user data and maintain confidentiality by

default or according to permissions set by the individual; [the organization]
Identity and End-user End-user Access to authenticates individuals with unique identifiers and passwords prior to enabling
FERPA_99.33(a)(l) 1546
Access Management Authentication Applications and Data access to:
• use the application
• view or modify their own data
24
3.5 25
3.5.2 38
CC6.1.10
Identity and Key Repository A.10.1.2 3.6 39
Key Management Access to the cryptographic keystores is limited to authorized personnel. CC6.1.9 FERPA_99.31(a) CRY-01 164.308(a)(5)(ii)(D)
Access Management Access A.18.1.5 3.6.2 94
CC6.7.2
3.6.3 95
3.6.7 96
97
24
[The organization] changes shared data encryption keys 3.6
CC6.1.10 25
Identity and - at the end of the [organization-defined lifecycle period] A.10.1.2 PS-4_N_01 3.6.4
Key Management Data Encryption Keys CC6.1.9 CRY-04 1091 38
Access Management - when keys are compromised A.18.1.5 PS-5_N_02 3.6.5
CC6.7.2 39
- upon termination/transfer of employees with access to the keys 3.6.7
94
3.6
Identity and Cryptographic keys are invalidated when compromised or at the end of their defined 3.6.4
Key Management Key Maintenance 1091
Access Management lifecycle period. 3.6.5
3.6.7
Identity and Clear Text Key If applicable, manual clear-text cryptographic key- management operations must be 3.6
Key Management
Access Management Management managed using split knowledge and dual control. 3.6.6
Identity and
Key Storage and 3.5
Access Key Store Review Management reviews and authorizes key store locations.
Distribution 3.5.4
Management
Storage of data encryption keys that encrypt or decrypt cardholder data meet at least
one of the following:
3.5
• the key-encrypting key is at least as strong as the data encrypting key and is stored
Identity and 3.5.3
Key Storage and Storage of Data separately from the data encrypting key
Management 3.6
Distribution Encryption Keys • stored within a secure cryptographic device (such as a host security module
3.6.1
(HSM) or
3.6.3
PTS-approved point-of interaction device)
• keys are stored as at least two full-length key components or key shares
Identity and Key Storage and Clear Text 3.6

[The organization] prohibits the distribution of cryptographic keys in clear text.
Access Management Distribution Distribution 3.6.2
Installation of
Identity and Access Public Key Digital Certificates are verified by information system components prior to
Software: Certificate CM-11
Management Infrastructure installation on the production network.
Verification
CC.2.2.6
CC7.2.1
CC7.3.1
IR-4_N_00
CC7.3.2
[The organization] defines the types of incidents that need to be managed, tracked IR-4_N_02
CC7.3.3
and reported, including: IR-6_N_01
CC7.3.4
• procedures for the identification and management of incidents IR-7_N_00
CC7.3.5 ID.RA-4
• procedures for the resolution of confirmed incidents IR-8_N_00
CC7.4.10 11.1.2 PR.IP-9
• key incident response systems A.16.1.1 IR-8_N_01
CC7.4.11 11.5.1 RS.RP-1 0043 2
• incident coordination and communication strategy A.16.1.2 IR-8_N_02
CC7.4.2 12.10 SIM-01 RS.CO-2 3
Incident Response • contact method for internal parties to report incidents A.16.1.4 IR-8_N_03 314.3(b)(2) 164.308(a)(6)(i)
Incident Response Incident Response CC7.4.3 12.10.1 SIM-02 RS.CO-3 0123 32
Plan • support team contact information A.16.1.5 IR-8_N_04 314.4(b)(3) 164.308(a)(6)(ii)
CC7.4.4 12.10.4 SIM-03 RS.AN-2 36
• notification to relevant management in the event of a security breach A.16.1.6 IR-8_N_05
CC7.4.7 12.10.5 RS.AN-4 0125 60
• provisions for updating and communicating the plan A.16.1.7 IR-8_N_06
CC7.4.8 12.10.6 RS.MI-1
• provisions for training of support team IR-8_N_07
CC7.4.9 RC.RP-1
• preservation of incident information IR-8_N_08
CC7.5.2
• management review and approval, [in accordance with frequency], or when major IR-8_N_09
CC7.5.3
changes to the organization occur IR-8_N_10
CC7.5.4
IR-8_N_11
CC7.5.5
CC7.5.6
CC8.1.11
Incident Response [The organization] tests incident response processes [in accordance with the 12.10.2
Incident Response Incident Response 0576
Testing organization-defined frequency]. Results from the tests are documented. 12.10.6
CC.2.2.6
CC7.3.1
CC7.3.3
CC7.3.4
CC7.3.5 IR-4_N_01
A.16.1.1 CC7.4.10 IR-5_N_00
DE.DP-3 2
A.16.1.2 CC7.4.11 IR-9_N_00
Confirmed incidents are assigned a priority level and managed to resolution. If 10.6.3 DE.DP-5 3
A.16.1.4 CC7.4.2 IR-9_N_01 314.3(b)(2) 164.308(a)(6)(i) 0123
Incident Response Incident Response Incident Response applicable, [the organization] coordinates the incident response with business 10.8.1 SIM-01 RS.CO-4 32
A.16.1.5 CC7.4.3 IR-9_N_02 314.4(b)(3) 164.308(a)(6)(ii) 0125
contingency activities. 12.10.3 RS.MI-2 36
A.16.1.6 CC7.4.4 IR-9_N_03
RS.IM-2 60
A.16.1.7 CC7.4.7 IR-9_N_04
CC7.4.8 IR-9_N_05
CC7.5.3
CC7.5.4
CC7.5.5
CC7.5.6
[The organization] defines external communication requirements for CC.2.2.6

incidents, including: CC2.3.1
0123
• information about external party dependencies CC2.3.2
External 0141 1
Incident • criteria for notification to external parties as required by [the organization] policy CC7.3.2 OIS-05
Incident Response Communication of A.6.1.3 12.10.3 1433 5
Communication in the event of a security breach CC7.4.12 SIM-02
Incidents 1434 32
• contact information for authorities (e.g., law enforcement, regulatory bodies, etc.) CC7.4.13
0140
• provisions for updating and communicating external communication requirement CC7.4.6
changes CC7.5.2
CC.2.2.6
CC2.2.3
[The organization] provides a contact method for external parties to:
Incident Incident Reporting CC2.3.11 32
Incident Response • submit complaints and inquiries A.16.1.2 12.10.3 0123
Communication Contact Information CC2.3.2 60
• report incidents
CC2.3.4
CC2.3.5
0123
0141
Incident Incident External [The organization] communicates a response to external stakeholders as required by
Incident Response CC2.3.1 12.10.1 SIM-03 1433
Communication Communication the Incident Response Plan.
1434
0140
Where applicable, authorized [the organization] personnel must enroll mobile

Mobile Device Mobile Device Mobile Device AC-19
devices with the enterprise Mobile Device Management (MDM) solution prior to CC6.7.4 1195
Management Security Enrollment MP-7_N_00
obtaining access to [the organization] network resources on mobile devices.
Mobile Device Mobile Device Mobile Device Mobile devices (i.e., laptops, smartphones, tablets) that are used to access data from
CC6.7.4 AC-19 0869
Management Security Encryption Adobe internal resources are encrypted.
Configuration Where applicable, portable and mobile devices are configured to ensure
Mobile Device Mobile Device
Management: Mobile unnecessary hardware capabilities and functionalities are disabled, and management AC-19 1.4 0864
Management Security
Devices defined security features are enabled.
4
8
1.1.4
9
1.2
10
1.2.1
24
Network traffic to and from untrusted networks passes through a policy CA-3_N_00 1.2.3 OPS-19
Network Policy CC6.6.1 25
Network Operations Perimeter Security enforcement point; firewall rules are established in accordance to identified security A.13.1.1 CM-7_N_01 1.3 FERPA_99.31(a) COS-01 PR-PT-4 1528
Enforcement Points CC6.6.4 73
requirements and business justifications. SC-5 1.3.1 COS-02
74
1.3.2
75
1.3.3
76
1.3.4
77
94
1.1.4
1.2
CC6.1.4 1.2.1
Inbound and
CC6.7.2 1.2.3
Outbound Network Network traffic to and from untrusted networks passes through a Demilitarized
Network Operations Perimeter Security CC6.8.5 1.3 0637
Traffic: DMZ Zone (DMZ).
CC8.1.14 1.3.1
Requirements
CC8.1.15 1.3.2
1.3.3
1.3.4
[The organization] maintains an inventory of ingress and egress points on the

production network and performs the following for each:
Ingress and Egress 1.1.6
Network Operations Perimeter Security • inventory is reduced to the minimum possible level 1427
Points 1.3.6
• permitted ports, protocols and services are inventoried and validated
• documents security features that are implemented for insecure protocols
Non-disclosure of [The organization] does not disclose private IP addresses and routing information to
Network Operations Perimeter Security 1.3.7
Routing Information unauthorized parties.
Dynamic Packet Where applicable, [the organization] enables dynamic packet filtering on the
Network Operations Perimeter Security SC-5 1.3.5
Filtering network.
Firewall Rule Set Network infrastructure rule sets are reviewed [in accordance with the organization-
Network Operations Perimeter Security SC-5 1.1.7
Review defined frequency].
All trusted connections are documented and approved by authorized personnel;

CA-3
management ensures the following documentation is in place prior to approval:
SC-7
Network Operations Perimeter Security Trusted Connections • agreement with vendor 1178
SC-21
• security requirements
SC-22
• nature of transmitted information
CC6.1.4 78
A.12.1.4 CC6.7.1 OPS-24 87
Network Network Production environments are logically segregated from non- production PR.AC-5
Network Operations A.13.1.3 CC6.8.1 SC-39 6.4.1 COS-06 0400 88
Segmentation Segmentation environments. PR.DS-7
A.14.2.6 CC6.8.2 DEV-10 89
CC8.1.14 90
Card Processing Where applicable, [the organization] segregates the Personal Account Number
Network 1.3.6
Network Operations Environment (PAN) infrastructure including payment card collection devices; [the organization]
Segmentation 9.1.2
Segmentation limits access to the segregated environment to authorized personnel.
Disable Rogue
[The organization] employs mechanisms to detect and disable the use of
Network Operations Wireless Security Wireless Access 12.10.5 1324
unauthorized wireless access points.
Points
Wireless Access [The organization] maintains an inventory of authorized wireless access points
Network Operations Wireless Security 11.1.1
Points including a documented business justification.
[In accordance with the organization-defined frequency], [the organization]

Rogue Wireless 11.1
Network Operations Wireless Security performs an access point mapping exercise to identify and remove unauthorized 1335
Access Point Mapping 11.1.2
wireless access points.
Authentication: [The organization] restricts access to network services via wireless access points to
4.1
Network Operations Wireless Security Wireless Access authenticated users and services; approved wireless encryption protocols are AC-18 0536
4.1.1
Points required for wireless connections.
59
New hires are required to pass a background check as a condition of their CC1.4.5 PR.AC-6
People Resources On-boarding Background Checks 7.2 A.7.1.1 PS-3_N_00 12.7 HR-01 0434 61
employment. CC5.3.5 PR.IP-11
62
[The organization] has established a check-in performance management process for CC1.1.3
Performance on-going dialogue between managers and employees. [In accordance with the CC1.4.3
People Resources On-boarding
Management organization-defined frequency] reminders are sent to managers to perform their CC1.4.6
regular check-in conversation. CC1.5.5
7.2(a)
Job candidates apply for roles that are listed on the [the organization] career portal; 7.2(b)
CC1.4.3
People Resources On-boarding Hiring Process candidates are interviewed to determine their knowledge and competence for their 7.2(c)
CC1.4.6
prospective roles and compatibility with [the organization] values. 7.2(d)
7.2
2
3
PS-4_N_03
Organization Upon employee termination, management is notified to collect [the organization] 14
People Resources Off-boarding A.8.1.4 PS-4_N_04 HR-05
Property Collection property from the terminated employee. 16
PS-4_N_05
17
60
Upon employee termination, management conducts exit interviews for the

People Resources Off-boarding Exit Interviews terminated PS-4_N_02
employee.
CC1.1.4
Employees that fail to comply with [the organization] policies are subject to a PS-8_N_00
People Resources Compliance Disciplinary Process 7.3(c) A.7.2.3 7.3(c) CC1.5.1 HR-04 164.308(a)(1)(ii)(C) 60
disciplinary process. PS-8_N_01
CC1.5.5
[The organization] has a Code of Ethics for Senior Officers. The Senior Officers
People Resources Business Ethics Code of Ethics and CEO certify that they understand the Code [in accordance with the CC1.2.1 PL-4
organization-defined frequency]
CC1.1.3
[The organization] has a business ethics hotline for employees and external parties
CC1.1.4
Business Ethics to report ethical misconduct. Allegations are investigated and [the organization] will
People Resources Business Ethics CC1.5.5
Hotline take appropriate action for confirmed violations. Hotline reports are reported to the
CC2.2.3
Audit Committee on a [in accordance with the organization-defined frequency].
CC2.3.4
[The organization] conducts screening and rescreening of authorized personnel for CC3.1.1
roles that require national security clearances. For national security clearances; a CC3.1.11
National Security reinvestigation is required during the 5th year for top secret security clearance, the CC3.1.12
People Resources Personnel Screening PS-3_N_01 0434
Clearance 10th year for secret security clearance, and 15th year for confidential security CC3.1.13
clearance. In addition, for law enforcement and high impact public trust level, a CC3.1.2
reinvestigation is required during the 5th year. CC3.1.3
CC3.1.4
CC3.2.1
CC3.2.2
CC3.2.3
4.1
CC3.2.4
8.1
CC3.2.5
8.2
CC3.2.6
8.3
6.1.1(a) CC3.2.7 1
10.2
6.1.1(b) CC3.2.8 5
6.1.1 ID.GV-4
[The organization] management performs a risk assessment [in accordance with the 6.1.1(c) CC3.3.1 314.4(b)(1) 6
6.1.2 OIS-06 ID.RA-6 1563
Risk Management Risk Assessment Risk Assessment organization-defined frequency]. Results from risk assessment activities are 6.1.2(b.2) CC3.3.2 RA-3 12.2 314.4(b)(2) 7
6.1.3 OIS-07 ID.RM-1 1564
reviewed to prioritize mitigation of identified risks 8.2.3(a) CC3.3.3 314.4(b)(3) 47
6.1.3(a) ID.RM-3
8.2.3(b) CC3.4.1 48
6.1.3(b)
8.2.3(c) CC3.4.2 49
6.1.3(e)
CC3.4.3
6.1.3(f)
CC3.4.4
6.2(c)
CC3.4.5
9.1
CC4.1.1
CC4.1.2
CC4.1.8
CC5.1.1
CC5.1.2
CC5.1.3
CC5.1.4
CC5.1.5
CC7.4.10
CC7.4.11
[The organization]s periodic risk assessment for systems that process, transmit or
store Protected Health Information (PHI) includes the following:
• identify and classify assets
• identify threats
164.308(a)(1)(ii)(A)
Risk Assessment: • identify vulnerabilities ID.RA-3
Risk Management Risk Assessment 164.308(a)(1)(ii)(B)
HIPAA Criteria • identify controls ID.RA-5
164.308(a)(8)
• perform threat likelihood analysis
• perform threat impact analysis
• identify residual risk CC1.5.1
• identify appropriate safeguards CC2.1.3
CC2.1.4
CC2.2.1
CC2.3.3
CC3.2.8
CC3.3.1
CC3.3.2
CC3.3.3 2
The design and operating effectiveness of internal controls are continuously CC3.4.1 3
9.1 A.12.7.1
Continuous evaluated against the established [organization-defined controls framework] by [the 8.1(a) CC3.4.2 CA-5_N_01 COM-02 164.308(a)(1) 5
Risk Management Risk Assessment 9.3 A.18.2.2 1163
Monitoring organization]. Corrective actions related to identified deficiencies are tracked to 8.1(b) CC3.4.3 CA-7_N_02 COM-03 164.308(a)(8) 47
10.1 A.18.2.3
resolution. CC3.4.4 48
CC3.4.5 49
CC4.1.8
CC4.2.1
CC4.2.2
CC4.2.3
CC5.1.4
CC5.3.3
CC5.3.4
CC7.5.4
[In accordance with the organization-defined frequency], reviews shall be
performed with approved documented specification to confirm personnel are
following security policies and operational procedures pertaining to:
• log reviews [in accordance with the organization-defined frequency] 12.11 1563
Risk Management Risk Assessment Self- Assessments
• firewall rule-set reviews 12.11.1 1564
• applying configuration standards to new systems
• responding to security alerts
• change management processes
4.1
8.1 CC3.2.6
8.2 CC3.2.8 1
8.3 CC4.1.6 6
[In accordance with the organization-defined frequency], [the organization] 314.4(b)(1)
Service Risk Rating 10.2 CC4.1.8 7
Risk Management Risk Assessment prioritizes the frequency of vulnerability discovery activities based on an assigned CA-7_N_01 12.2 314.4(b)(2) 1163
Assignment 6.1.1 CC5.1.2 47
service risk rating. 314.4(b)(3)
6.1.2 CC5.1.3 48
6.1.3 CC7.4.10 49
6.2(c) CC7.4.11
9.1
8.6(d)
9.2.1(a.1)
9.2.2(a.2) CC.2.2.10
9.2.3(b) CC.2.2.5
A.12.7.1
[The organization] establishes internal audit requirements and executes audits on 9.2.2(a) CC.2.2.7 2
Internal and External A.18.2.1 CA-5_N_00 1563
Risk Management Internal Audits information systems and processes [in accordance with the organization-defined 9.2 9.2.2(b) CC1.5.5 314.4(c) OIS-01 3
Audit A.18.2.2 CA-7_N_06 1564
frequency]. 9.2.2(c) CC4.1.7 5
A.18.2.3
9.2.2(d) CC4.1.8
9.2.2(e) CC4.2.1
9.2.2(f)
9.2.2(g)
Internal and External ISMS Internal Audit Internal audit establishes and executes a plan to evaluate applicable controls in the
Risk Management 9.2 CC4.1.3
Audit Requirements Information Security Management System (ISMS) at least once every 3 years.
6.1.2(a)
6.1.2(b.1)
10.1.1
10.1.2(a.1)
10.1.2(a.2)
10.1.2(b.1)
6.1.3(e) CC4.2.3
10.1.2(b.2)
6.1.3(f) CC5.1.1 5
Controls Management prepares a remediation plan to formally manage the resolution of 10.1.2(b.3) 1563
Risk Management Remediation Tracking 8.3 CC5.3.4 314.4(c) 6
Implementation findings identified in risk assessment activities. 10.1.2(c) 1564
10.1 CC7.4.11 7
10.1.2(d)
10.2 CC7.5.4
10.1.2(e)
10.1.2
10.1.3(a)
6.1.3(e) 10.1.3(b)
Controls ISMS Corrective Management prepares a Corrective Action Plan (CAP) to manage the resolution of 6.1.3(f) 10.1.2(d) 1563
Risk Management
Implementation Action Plans nonconformities identified in independent audits. 10.1 1564
10.2
Management prepares a statement of applicability that includes control objectives,

6.1.3(b) 2
Controls Statement of implemented controls, and business justification for excluded controls. 1563
Risk Management 6.1.3(c) A.18.1.1 CC5.1.4 COM-01 3
Implementation Applicability Management aligns the statement of applicability with the results of the risk 1564
6.1.3(d) 5
assessment.
CA-3_N_01
System Design Internal System System Documentation of system boundaries and key aspects of their functionality are
CC2.2.9 CA-9_N_01 0041
Documentation Documentation Documentation published to authorized personnel.
SA-5
System
System Design Internal System Documentation: Information systems and interfaces of the Cardholder Data Environment (CDE) are 1.1.2
Documentation Documentation Cardholder diagrammed. 1.1.3
Environment
Customer- facing CC2.3.10

System Design [The organization] publishes whitepapers to its public website that describe the
System Whitepapers CC2.3.8
Documentation purpose, design, and boundaries of the system and system components.
Documentation CC2.3.9
1.5
2.5
3.5
3.5.1
3.5.2
3.5.3
3.5.4
3.6
3.6.1
3.6.2
5.1(a)
3.6.3
5.1(d)
3.6.4
5.2(d)
3.6.5 164.308(a)(1)
5.2(e)
3.6.6 164.308(a)(3)
5.2(g)
4.1 3.6.7 164.308(a)(4) 1
7.3(a)
5.2.1(a) 3.6.8 164.308(a)(4)(ii)(B) 2
7.3(b)
5.2.1(b) CC1.4.1 3.7 164.308(a)(4)(ii)(C) 3
7.3(c)
[The organization's] policies and standards are reviewed, approved by management, A.5.1.1 5.2.1(c) CC2.2.1 4.3 164.308(a)(7)(i) 4
Security Policy and Standard 7.5.1(b) PS-6_N_00 OIS-02
Policy Governance and communicated to authorized personnel [in accordance with the organization- A.5.1.2 5.2.1(d) CC2.2.4 5.4 164.308(a)(7)(ii)(D) ID:GV-1 0888 27
Governance Review 7.5.2(a) PS-6_N_01 SP-01
defined frequency]. A.12.1.1 5.2.2(a) CC5.3.1 6.7 164.308(a)(8) 28
7.5.2(b)
5.2.2(b) CC5.3.6 7.3 164.310(a)(1) 88
7.5.2(c)
5.2.2(c) 8.1 164.312(C)(1) 89
7.5.3(a)
7.3(a) 8.1.1 164.316(b)(1) 90
7.5.3(b)
8.1.2 164.316(b)(2)(ii)
7.5.3(c)
8.1.3 164.316(b)(2)(iii)
7.5.3(d)
8.1.4
7.5.3(e)
8.1.5
7.5.3(f)
8.1.6
8.1.7
8.1.8
8.4
8.8
9.10
10.9
11.6
12.1.1
12.4
[The organization] reviews exceptions to policies, standards, and procedures; SP-01 1

Security Exception
Policy Governance exceptions are documented and approved based on business need and removed A.5.1.1 CC5.3.1 SP-02 2
Governance Management
when no longer required. SP-03 3
4.2.2(c)
7.5.2(a)
7.5.2(b)
[The organization]'s document management criteria is periodically reviewed, 7.5.2(c)
Security approved by management, and communicated to authorized personnel; management 7.5.3.1(a)
Policy Governance Document Control 0047
Governance determines the treatment and retention of documentation according to legal and 7.5.3.1(b)
regulatory requirements. 7.5.3.2(a)
7.5.3.2(b)
7.5.3.2(c)
7.5.3.2(d)
1.5
2.5
3.7
4.3
AC-1_N_00
5.4
AC-1_N_02
6.7
AT-1_N_00
7.3
AT-1_N_02
8.1
AU-1_N_00
8.1.1
AU-1_N_02
8.1.2
CA-1_N_00 1
8.1.3
CA-1_N_02 2
8.1.4
CA-6_N_00 3
8.1.5
CA-6_N_01 4
5.1 CC1.3.3 8.1.6
A.10.1.1 CM-1_N_00 5
5.1(e) CC1.5.1 8.1.7
A.11.2.9 CM-1_N_02 15
5.1(f) CC4.1.5 8.1.8
A.13.2.1 CP-1_N_00 24
5.1(g) CC5.2.1 8.4
[The organization-defined security leader] conducts a periodic staff meeting to A.5.1.1 CP-1_N_02 25
Security Security Information Security 5.1(h) CC5.2.2 8.8 164.308(a)(4)(ii)(C)
communicate and align on relevant security threats, program performance, and A.6.1.1 IA-1_N_00 314.3(a) ID.AM-3 1602 60
Governance Documentation Program Content 6.2(b) CC5.3.1 9.10 164.308(a)(5)(ii)(A)
resource prioritization. A.6.1.5 IA-1_N_02 68
7.5.2 CC5.3.2 10.8
A.6.2.1 IR-1_N_00 69
7.5.2(a) CC7.1.1 10.9
A.6.2.2 IR-1_N_02 73
7.5.2(b) CC7.2.1 11.5
A.9.1.1 MA-1_N_00 74
8.1 CC7.4.1 11.6
MA-1_N_02 75
12.1
MP-1_N_00 76
12.3
MP-1_N_02 77
12.3.1
PE-1_N_00 94
12.3.2
PE-1_N_02
12.3.3
PL-1_N_00
12.3.4
PL-1_N_02
12.3.5
PS-1_N_00
12.3.6
PS-1_N_02
12.3.7
RA-1_N_00
12.3.8
12.3.9
12.3.10
12.4
AC-1_N_01
AC-1_N_03
AT-1_N_01
AT-1_N_03
AU-1_N_01
AU-1_N_03
CA-1_N_01
CA-1_N_03
CM-1_N_01
CM-1_N_03
CP-1_N_01
CP-1_N_03
IA-1_N_01
Security Security [The organization's] key control capabilities are supported by documented
Procedures IA-1_N_03 1602
Governance Documentation procedures that are communicated to authorized personnel
IR-1_N_01
IR-1_N_03
MA-1_N_01
MA-1_N_03
MP-1_N_01
MP-1_N_03
PE-1_N_01
PE-1_N_03
PL-1_N_01
PL-1_N_03
PS-1_N_01
PS-1_N_03
RA-1_N_01
[The organization] performs privacy readiness reviews to identify high-risk
Security Privacy Readiness
Privacy Program processing activities that impact personal data; identified non- compliance with [the A.18.1.4 0888 91
Governance Review
organization] privacy practices is tracked through remediation.
Documentation that impacts personal health information, including policies,

Document
Security Privacy procedures, and the documentation of actions, activities, or assessments, are
Management 164.316(b)(2)(i)
Governance Documentation retained for 6 years from the date of its creation, or the date when it last was in
Standard: HIPAA
effect, whichever is later.
Security Workforce Proprietary [Workforce personnel as defined by the organization] consent to a proprietary rights A.13.2.4 PS-6_N_00 40
CC2.3.6
Governance Agreements Rights Agreement agreement. A.18.1.2 PS-6_N_02 60
Review of
Security Workforce [The organization's] proprietary rights agreement and network access agreement are A.13.2.4 PS-6_N_00 40
Confidentiality CC2.3.6
Governance Agreements reviewed [in accordance with the organization-defined frequency]. A.18.1.2 PS-6_N_01 60
Agreements
Cryptographic Key Custodians and Cryptographic Materials Custodians (CMC)

Security Workforce Key Custodians 3.6
acknowledge in writing or electronically that they understand and accept their
Governance Agreements Agreement 3.6.8
cryptographic-key-custodian responsibilities.
4.2
5.1
5.1(a)
5.1(e)
5.1(f)
5.1(g)
5.1(h)
[The organization] has an established security leadership team including key 5.2(d)
CC1.3.4
Security Information Security Information Security stakeholders in [the organization's] Information Security Program; goals and 5.2(f)
CC7.4.6 PL-2 314.4(a) OIS-01 164.308(a)(2) 0714 1
Governance Management System Program milestones for deployment of the information security program are established and 6.2(a)
CC7.4.9
communicated to the company. 6.2(d)
6.2(e)
6.2(f)
6.2(i)
6.2(j)
7.4
7.5.1(a)
9.3
4.2
1
4.3
4
4.4
5
5.2 CC1.3.3
Information Information 6
Security Information Security Management System (ISMS) boundaries are formally defined 6.2 CC5.3.1 CA-6_N_02
Security Management Security Management A.6.1.5 314.4(b)(3)(e) OIS-01 0039 7
Governance in an ISMS scoping document. 7.4 CC7.4.6 PL-2
System System Scope 47
7.5.1 CC7.4.9
48
8.1
49
9.1
60
9.3
1.1.5
12.4 ID.AM-6
5.1(f) CC1.3.3 1
12.5 ID.GV-2
5.1(g) CC1.3.4 4
Roles and responsibilities for the governance of Information Security within [the 12.5.1 PR.AT-2
Security Information Security Security Roles and 5.1(h) CC1.4.4 164.308(a)(2) 5
organization] are formally documented within the Information Security A.6.1.1 PL-4 12.5.2 OIS-03 PR.AT-3 1525
Governance Management System Responsibilities 5.3 CC5.3.2 164.308(a)(3) 60
Management Standard and communicated on the [the organization] intranet. 12.5.3 PR.AT-4
6.2(h) CC5.3.5 61
12.5.4 PR.AT-5
7.2 CC9.2.3 62
12.5.5 DE.DP-1
12.10.1
Security Roles and Roles and responsibilities and a program charter for the governance of PCI DSS
Security Information Security
Responsibilities: PCI compliance within [the organization] are formally documented and communicated 12.4.1
Governance Management System
Compliance by management.
Information
Information 5.1(c)
Security Security Information systems security implementation and management is included as part
Security 6.2(g) A.6.1.5 CC7.4.1 SA-2 0120
Governance Management of the budget required to support [the organization's] security program.
Resources 7.1 9.3.1
System
9.3.2(a)
9.3.2(b)
9.3.2(c.1)
9.3.2(c.2)
9.3.2(c.3)
9.3.2(d)
9.3.2(e)
CC4.1.8
9.3.2(f)
The Information Security Management System (ISMS) steering committee CC4.2.2
Security Information Security 9.3.2(g)
Management Review conducts a formal management review of ISMS scope, risk assessment activities, 9.3 CC5.2.2 COM-04 1526
Governance Management System 9.3.2(h)
control implementation, and audit results on an annual basis. CC5.2.3
9.3.2(i)
CC5.2.4
9.3.2(j)
9.3.2(k)
9.3.3.1(a)
9.3.3.1(b)
9.3.3.1(c)
9.3.3.1(d)
9.3.3.2(a)
9.3.3.2(b)
Security Software Usage [The Organization] maintains software license contracts and monitors its
Software Licensing A.18.1.2 CM-10
Governance Restrictions compliance with usage restrictions.
8
CC6.8.2 9
Major software releases are subject to the Service Life Cycle, which requires A.14.1.1 SA-1
Service Lifecycle CC8.1.10 10
Service Lifecycle Release Management acceptance via Concept Accept and Project Plan Commit phases prior to A.14.2.5 SA-3 6.3 DEV-01 PR.IP-2
Workflow CC8.1.5 11
implementation. A.6.1.5 SA-4
CC8.1.9 12
87
CC6.8.2
CC7.1.2
Source Code Source Code Source code is managed with [the organization]-approved version control
Service Lifecycle A.14.2.6 CC7.1.3 DEV-08 87
Management Management mechanisms.
CC8.1.14
CC8.1.5
Information system acquisitions require approval from authorized personnel based

on verification of the following documented evidence:
• security function, strength, and assurance requirements
• requirements for protecting security-related documentation
System Acquisition
Service Lifecycle Program Management • system development and test requirements SA-4(10)
Approval
• acceptance criteria for releases
• enumeration of Security controls
• security control implementation and monitoring requirements
• components are FIPS-201 approved
CC6.8.2
AU-2_N_00
CC7.1.2 33
AU-12_N_00 OPS-10
CC7.1.3 314.3(b)(2) 164.312(b) 34
Systems Monitoring Logging Audit Logging [The organization] logs critical information system activity. A.12.4.1 A1.2.6 MA-4_N_00 FERPA_99.31(a) OPS-11 DE.AE-3 0580
CC7.1.4 314.4(b)(3) 164.312(c)(2) 35
MA-4_N_03 OPS-12
CC7.2.1 46
SC-7
CC7.2.2
10.5
[The organization] logs critical information system activity to a secure repository. 10.5.1
Systems Monitoring Logging Secure Audit Logging [the organization] disables administrators ability to delete or modify enterprise audit CC7.2 10.5.2 1405
logs; the number of administrators with access to audit logs is limited. 10.5.3
10.5.4
[The organization] logs the following activity for cardholder data environments:
• individual user access to cardholder data
• administrative actions
10.1
• access to logging servers
10.2
• failed logins
10.2.1
• modifications to authentication mechanisms and user privileges
Audit Logging: 10.2.2
• initialization, stopping, or pausing of the audit logs
Cardholder Data 10.2.3
Systems Monitoring Logging • creation and deletion of system-level objects 0582
Environment 10.2.4
• security events
Activity 10.2.5
• logs of all system components that store, process, transmit, or could impact the
10.2.6
security of cardholder data (CHD) and/or sensitive authentication data (SAD)
10.2.7
• logs of all critical system components
10.6.1
• logs of all servers and system components that perform security functions (e.g.,
firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS),
authentication servers, ecommerce redirection servers, etc.)
[The organization] records the following information for confirmed events in the
10.3
cardholder data environment:
10.3.1
Audit Logging: • user identification
10.3.2
Cardholder Data • type of event DE.AE-4
Systems Monitoring Logging 10.3.3 0585
Environment Event • date and time DE.DP-4
10.3.4
Information • event success or failure indication
10.3.5
• origination of the event
10.3.6
• identification of affected data, system component, or resource
[The organization] establishes unique logging and audit trails for each entity's
Audit Logging: cardholder
A.1
Service Provider data environment and complies with the following:
Systems Monitoring Logging A.1.3
Logging • logs are enabled for third-party applications
A.1.4
Requirements • logs are active by default
• logs are available for review by and communicated to the owning entity
[The organization] reconciles the established device inventory against the enterprise OPS-10
Log Reconciliation: CC7.1.4 314.3(b)(2)
Systems Monitoring Logging log repository [in accordance with the organization-defined frequency]; devices FERPA_99.31(a) OPS-11
CMDB CC7.2.2 314.4(b)(3)
which do not forward log data are remediated. OPS-12
[The organization] allocates audit record storage capacity in accordance with
AU-4
Audit Log logging
AU-11
Systems Monitoring Logging Capacity and storage and retention requirements; Audit logs are retained [in accordance with the 10.7 PR.PT-1 0859 46
CA-7_N_04
Retention organization-defined duration] with [the organization-defined duration] of data
CA-7_N_05
immediately available for analysis.
If applicable, [the organization's] managed enterprise antivirus deployments

Enterprise generate audit logs which are retained [in accordance with the organization-defined 10.7
Systems Monitoring Logging 0859 46
Antivirus Logging duration] with [the organization-defined duration] of data immediately available for 5.2
analysis.
AC-2_N_06
AU-12_N_00
10.8 15
AU-12_N_01 OPS-10 164.308(a)(1)(ii)(D)
Security 10.9 33
Security [The organization] defines security monitoring alert criteria, how alert criteria will AU-2_N_01 314.3(b)(2) OPS-11 164.308(a)(6)(ii)
Systems Monitoring Monitoring Alert A.12.4.3 12.10.5 FERPA_99.31(a) DE.CM-2 34
Monitoring be flagged, and identifies authorized personnel for flagged system alerts. AU-2_N_02 314.4(b)(3) OPS-12 164.312(B)
Criteria 12.5 35
AU-2_N_03 OPS-16 164.312(c)(2)
12.5.2 46
AU-3_N_00
AU-8_N_00
OPS-10
Log-tampering [The organization] monitors and flags tampering to the audit logging and OPS-11
Systems Monitoring Security Monitoring A.12.4.2 AU-6_N_00 0586 37
Detection monitoring tools in the production environment. OPS-12
OPS-14
Security Monitoring
10.2
Alert [The organization] defines security monitoring alert criteria for failed login attempts 9.1(a)
Systems Monitoring Security Monitoring 10.2.4 164.308(a)(5)(ii)(C) 1537
Criteria: Failed on [the organization's] network. 9.1(b)
10.6
Logins
Security
Monitoring Alert
[The organization] defines security monitoring alert criteria for privileged functions
Systems Monitoring Security Monitoring Criteria: 10.6 1537
executed by both authorized and unauthorized users.
Privileged
Functions
Security
Monitoring Alert [The organization] defines security monitoring alert criteria for changes to the
Systems Monitoring Security Monitoring 10.5.5 0120
Criteria: Audit integrity of audit logs.
Log Integrity
Security
Monitoring Alert
[The organization] defines security monitoring alert criteria for system components
Criteria:
Systems Monitoring Security Monitoring that store, process, transmit, or could impact the security of cardholder data and/or 10.6.1
Cardholder
sensitive authentication data.
System
Components
10.2
10.2.4
164.308(a)(1)(ii)(D)
AU-2 10.5.5
164.308(a)(5)(ii)(B) 33
Critical systems are monitored in accordance to predefined security criteria and AU-5_N_01 10.6 OPS-10
System Security CC7.2.2 314.3(b)(2) 164.308(a)(5)(ii)(C) DE.CM-7 34
Systems Monitoring Security Monitoring alerts are sent to authorized personnel. Confirmed incidents are tracked to A.12.4.3 9.1(b) A1.2.6 AU-9 10.6.1 FERPA_99.31(a) OPS-11
Monitoring CC7.3.2 314.4(b)(3) 164.308(a)(6)(ii) RS.AN-1 35
resolution. SC-7 10.6.2 OPS-12
164.312(B) 46
SI-4 10.6.3
164.312(c)(2)
10.8.1
12.10.5
[The organization] has an Intrusion Detection System (IDS) or Intrusion Prevention

System (IPS) deployment(s) and ensures the following:
• signature definitions are updated including the removal of false positive signatures
Intrusion Detection • non-signature based attacks are defined SI-4 11.4
Systems Monitoring Security Monitoring 46
Systems • IDS/IPS are configured to capture malicious (both signature and non-signature SI-5 12.10.5
based) traffic
• alerts are reviewed and resolved by authorized personnel when malicious traffic is
detected
12
PS-02 46
A1.1.1
PS-06 58
Availability A1.2.2
Availability [The organization] defines availability monitoring alert criteria, how alert criteria A.12.1.3 OPS-01 63
Systems Monitoring Monitoring Alert 9.1(a) A1.2.4 SI-5 PR.DS-4
Monitoring will be flagged, and identifies authorized personnel for flagged system alerts. A.17.2.1 OPS-02 79
Criteria A1.2.5
OPS-09 104
A1.2.6
OPS-17 105
106
12
46
A1.1.1
PS-06 58
System 9.1(c) A1.2.2
Availability Critical systems are monitored in accordance to predefined availability criteria and A.12.1.3 OPS-01 63
Systems Monitoring Availability 9.1(d) A1.2.4 SI-5 0120
Monitoring alerts are sent to authorized personnel. A.17.2.1 OPS-02 79
Monitoring 9.1 A1.2.5
OPS-09 104
A1.2.6
105
106
A.11.1.1
A.11.1.2 PE-3_N_00
PS-03 50
A.11.1.3 A1.2.1 PE-3_N_01 9.1 164.308(a)(4)(ii)(C)
Physical access to restricted areas of the facility is protected by walls with non- PS-04 PR.AC-2 51
Site Operations Physical Security Secured Facility A.11.1.4 A1.2.3 PE-3_N_02 9.1.3 FERPA_99.31(a) 164.310(a)(1) 1053
partitioned ceilings, secured entry points, and/or manned reception desks. PS-05 PR.IP-5 55
A.11.1.5 A1.2.5 PE-3_N_03 9.5 164.310(a)(2)(ii)
PS-06 56
A.11.1.6 PE-16_N_00
A.11.2.1
Physical Protection
[The organization] power and telecommunication lines are protected from A1.2.4
Site Operations Physical Security and Positioning of A.11.2.3 PE-15 PS-06 1296 52
interference, interception, and damage. A1.2.5
Cabling
Physical access provisioning to a [the organization] datacenter requires

management approval and documented specification of: MA-5_N_01
9.2
• account type (e.g., standard, visitor, or vendor) MA-5_N_02
9.3 164.308(a)(4)(ii)(B)
• access privileges granted MP-2_N_00
Physical Access Provisioning Physical 9.4 PS-03 164.310(a)(1)
Site Operations • intended business purpose A.11.1.2 CC6.4.1 A1.2.3 PE-2_N_00 FERPA_99.31(a) 1074 50
Account Lifecycle Access 9.4.1 PS-04 164.310(a)(2)(ii)
• visitor identification method, if applicable PE-2_N_01
9.4.2 164.310(a)(2)(iii)
• temporary badge issued, if applicable PE-3_N_04
9.5
• access start date PE-12
• access duration
9.2
Physical access that is no longer required in the event of a termination or role CC6.4.1 PE-14
Physical Access De-provisioning 9.3 PS-03
Site Operations change is revoked. If applicable, temporary badges are returned prior to exiting A.11.1.2 CC6.4.2 A1.2.3 PS-4_N_00 FERPA_99.31(a) 164.310(a)(2)(ii) 1074 50
Account Lifecycle Physical Access 9.4.3 PS-04
facility. CC6.4.3 PS-4_N_01
9.5
CC6.4.1
Physical Access Periodic Review of [The organization] performs physical access account reviews [in accordance with PE-14 PS-03 164.310(a)(2)(ii)
Site Operations A.11.1.2 CC6.4.2 A1.2.3 9.5 FERPA_99.31(a) 1074 50
Account Lifecycle Physical Access the organization-defined frequency]; corrective action is taken where applicable. PS-5_N_00 PS-04 164.310(a)(2)(iii)
CC6.4.3
Physical Access Role

Physical Access Initial permission definitions, and changes to permissions, associated with physical A.11.1.5
Site Operations Permission A1.2.3 FERPA_99.31(a) 1074 50
Account Lifecycle access roles are approved by authorized personnel. A.11.1.6
Authorization
PE-2
A1.2.3
Physical Access Monitoring Physical Intrusion detection and video surveillance are installed at [the organization] PE-3_N_00 9.1 PS-03
Site Operations A.11.2.1 A1.2.4 164.310(a)(2)(ii) 50
Account Lifecycle Access datacenter locations; confirmed incidents are documented and tracked to resolution. PE-3_N_01 9.1.1 PS-04
A1.2.5
PE-3_N_02
Physical Access Surveillance Feed

Site Operations Surveillance feed data is retained for [the organization- defined duration]. 9.1.1
Account Lifecycle Retention
Physical access for visitors is managed through monitoring, maintaining records, PE-3_N_02
Physical Access escorting, and reviewing access [in accordance with the organization-defined PE-3_N_04 9.4.1
Site Operations Visitor Access 1074
Account Lifecycle frequency]. Visitor access records to the facilities are kept for [the organization- PE-8_N_00 9.4.4
defined duration]. PE-8_N_01
Physical access devices (i.e., keys, combinations, access cards, etc.) are maintained PE-3_N_05
Physical Access Physical Access
Site Operations through an inventory and restricted to authorized individuals. Appropriate devices PE-3_N_06 1074
Account Lifecycle Devices
are rotated when compromised or upon employee termination or transfer. PE-3_N_07
50
A1.2.1
52
A.11.1.4 A1.2.2 PE-6 PS-03
Environmental Temperature and Temperature and humidity levels of datacenter environments are monitored and 53
Site Operations A.11.2.1 A1.2.3 PE-14_N_00 PS-04
Security Humidity Control maintained at appropriate levels. 54
A.11.2.2 A1.2.4 PE-14_N_01 PS-05
55
A1.2.5
56
A1.2.1
Emergency responders are automatically contacted when fire detection systems are A1.2.2 50
Environmental Fire Suppression A.11.1.4 PE-6
Site Operations activated; the design and function of fire detection and suppression systems are A1.2.3 PS-05 55
Security Systems A.11.2.1 PE-13_N_00
maintained [in accordance with the organization-defined frequency]. A1.2.4 56
A1.2.5
[The organization] employs uninterruptible power supplies (UPS) and generators to A1.2.2
52
Environmental Power Failure support critical systems in the event of a power disruption or failure. The design and A1.2.3
Site Operations A.11.2.2 PE-15 PS-06 ID.BE-4 1123 53
Security Protection function of relevant equipment is certified [in accordance with the organization- A1.2.4
54
defined frequency]. A1.2.5
[The organization] employs emergency lighting in the event of a power disruption

Environmental
Site Operations Emergency Lighting or failure. The design and function of relevant equipment is certified [in accordance A1.2.5 PE-3 1135
Security
with the organization-defined frequency].
AT-2_N_00 2
[Workforce personnel as defined by the organization] complete security awareness 5.1(d) A.7.2.1 AT-2_N_01 HR-03 3
CC.2.2.8 12.6
Training and General Awareness General Security training, which includes updates about relevant policies and how to report security 7.2 A.7.2.2 AT-2_N_02 DEV-04 164.308(a)(5) 32
5.1(d) CC2.2.4 12.6.1 314.4(b)(1) PR.AT-1 0252
Awareness Training Awareness Training events to the authorized response team. Records of training completion are 7.3(b) A.16.1.2 AT-4_N_00 SIM-04 164.308(a)(5)(ii)(A) 60
CC5.3.2 12.6.2
documented and retained for tracking purposes. 7.3(c) A.16.1.3 AT-4_N_01 SIM-05 61
IR-6_N_00 62
2
3
A.7.1.2
AM-02 60
Training and General Awareness Code of Conduct [Workforce personnel as defined by the organization] complete a code of business A.7.2.1 CC1.1.2 12.3
AM-03 64
Awareness Training Training conduct training. A.8.1.3 CC2.2.4 12.3.5
HR-02 65
A.11.2.8
66
67
Training and Developer Security [The organization's] software engineers are required to complete training based on
Role-Based Training AT-3 6.5
Awareness Training secure coding techniques [in accordance with the organization-defined frequency].
[The organization] personnel that interact with cardholder data systems receive
awareness training to be aware of attempted tampering or replacement of devices.
Training should include the following:
• verify the identity of third- party persons claiming to be repair or maintenance
Payment Card
Training and personnel, prior to granting them access to modify or troubleshoot devices.
Role-Based Training Processing Security 9.9.3
Awareness • do not install, replace, or return devices without verification
Awareness Training
• be aware of suspicious behavior around devices (e.g., attempts by unknown
persons to unplug or open devices)
• report suspicious behavior and indications of device tampering or substitution to
authorized personnel (e.g., to a manager or security officer)
[The organization] personnel with key security responsibilities complete relevant

role-based training [in accordance with the organization-defined frequency]:
• personnel must complete training prior to obtaining access to privileged security
Training and Role-based Security
Role-Based Training systems IR-2 1565
Awareness Training
• personnel with contingency responsibilities must complete role-based training [in
accordance with the organization-defined frequency]
• records of training completion are documented and retained for tracking purposes
Training and Role-based Security [The organization] personnel with access to personal health information (PHI) are 164.308(a)(5)
Role-Based Training
Awareness Training: HIPAA required to attend and complete HIPAA privacy training. 164.308(a)(5)(ii)(A)
CC1.3.5
CC1.4.2
CC3.2.7
CC3.4.5
[In accordance with the organization-defined frequency], management reviews
CC9.2.1 PS-7_N_04 12.8.3 41
controls within third party assurance reports to ensure that they meet ensure that
Third Party Third Party Assurance 8.1(c) CC9.2.10 SA-1 12.8.4 314.4(d)(1) ID.SC-1 47
Vendor Assessments they meet organizational requirements; if control gaps are identified in the A.15.2.1 SSO-04 164.308(B)(2) 1395
Management Review 8.6(c) CC9.2.11 SA-4 9.5 314.4(d)(2) ID.SC-4 48
assurance reports, management takes action to address impact the disclosed gaps
CC9.2.12 SA-9 9.5.1 49
have on the organization.
CC9.2.2
CC9.2.4
CC9.2.6
CC9.2.7
CC1.3.5
CC1.4.2
CC1.4.3
1
CC3.2.7
2
A.13.2.2 CC6.1.5 PS-7_N_00 12.8
3
A.15.1.1 CC9.2.1 PS-7_N_01 12.8.2
Third Party Vendor Risk [The organization] performs a risk assessment to determine the data types that can 314.4(d)(1) SSO-01 8
Vendor Assessments A.15.1.2 CC9.2.10 SA-1 12.8.3 ID.SC-2 0072
Management Management be shared with a managed service provider. 314.4(d)(2) SSO-02 9
A.15.1.3 CC9.2.11 SA-4 12.8.5
10
A.15.2.2 CC9.2.12 SA-9 2.6
40
CC9.2.2
41
CC9.2.4
CC9.2.6
CC9.2.7
Third Party Forensic [The organization] enables procedures to conduct a forensic investigation in the
Vendor Assessments A.1.4 RS.AN-3 1571
Management Investigations event that a hosted merchant or service provider is compromised.
Network Access
Third Party Third party entities which gain access to [the organization's] network sign a A.13.2.4 PS-7_N_00 SSO-01 40
Vendor Agreements Agreement: CC2.3.6 0072
Management network access agreement. A.18.1.2 PS-7_N_01 SSO-02 60
Vendors
1
2
3
A.13.2.2 8
A.14.2.7 9
Vendor Non- PS-7_N_00
Third Party [Workforce personnel as defined by the organization] consent to a non-disclosure A.15.1.1 CC9.2.1 DEV-02 10
Vendor Agreements disclosure C1.1.1 PS-7_N_01 12.8.2 314.4(d)(2) DE.CM-6 0072
Management clause. A.15.1.2 CC9.2.9 SSO-01 40
Agreements PS-7_N_03
A.15.1.3 41
A.15.2.2 87
88
89
90
[The organization] managed service providers that manage, store, or transmit

Third Party Cardholder Data cardholder data on behalf of the customer must provide written acknowledgement
Vendor Agreements 12.9 0072
Management Security Agreement to customers of their responsibility to protect cardholder data and the cardholder
data environment.
4
24
25
71
Network Service CC6.6.2 COS-01 72
Third Party Vendors providing networking services to [the organization] are contractually
Vendor Agreements Level Agreements A.13.1.2 CC9.2.1 PS-7_N_04 COS-02 1073 73
Management bound to provide secure and available services as documented in SLAs.
(SLA) CC9.2.5 COS-03 74
75
76
77
94
Third Party Approved Service [The organization] maintains a list of approved managed service providers and the
Vendor Procurement CC9.2.3 12.8.1 1452
Management Provider Listing services they provide to [the organization].
[The organization] requires a Business Associate Subcontractor Agreement with

HIPAA Business 164.308(B)(2)
Business Associates from which it receives or transmits protected health
Third Party Associate 164.308(B)(3)
Vendor Agreements information (PHI); Business Associates under contract are required to provide 0072
Management Subcontractor 164.308(B)(4)
assurance that they adhere to [the organization] security standards, which includes
Agreement 164.314(a)(2)(i)
the security of PHI and reporting security events that potentially expose PHI.
[The organization] has documented a Vendor Information Security Standard that

defines the responsibilities and governance requirements regarding vendor
Third Party Vendor Information
Vendor Agreements information security engagements. Contractual agreements are entered into with 7.3 ID.BE-1 1568
Management Security Standard
vendors who process or store [The organization's] data that define information
Security terms and service level agreements.
4
11.2
27
11.2.1 OPS-18
CC6.8.4 CA-7_N_00 ID.RA-1 28
Vulnerability [The organization] conducts vulnerability scans against the production 11.2.2 OPS-19 164.308(a)(1)(ii)(A)
Production Scanning Vulnerability Scans A.12.6.1 CC7.1.5 RA-5 314.4(b)(2) FERPA_99.31(a) PR.IP-12 1163 29
Management environment; scan tools are updated prior to running scans. 11.2.3 OPS-20 164.308(a)(1)(ii)(B)
CC7.2.1 SI-2 DE.CM-8 88
11.3.3 PSS-02
89
5.1.2
90
Vulnerability
Vulnerability scans are conducted against cardholder environments [in accordance
Vulnerability Production Assessment: 11.2
with the organization-defined frequency] or after significant change; critical 1163
Management Scanning Cardholder Data 11.2.1
vulnerability resolution is confirmed via a rescan.
Environment
Vulnerability Approved Scanning [In accordance with the organization-defined frequency], [the organization] engages
Production Scanning 11.2.2
Management Vendor an Approved Scanning Vendor to conduct external vulnerability scans.
4
27
CC4.1.8 CA-2(1)_N_00 11.3 OPS-18
28
Vulnerability Application [The organization] conducts penetration tests according to the service risk rating CC6.8.5 CA-7_N_00 11.3.1 OPS-19 164.308(a)(1)(ii)(A)
Penetration Testing A.12.6.1 314.4(b)(2) FERPA_99.31(a) 1163 29
Management Penetration Testing assignment. CC7.1.5 IA-6_N_00 11.3.2 OPS-20 164.308(a)(1)(ii)(B)
88
CC7.2.1 SI-3 11.3.4 PSS-02
89
90
[The organization] conducts penetration tests against cardholder data environments

(CDE) and includes the following requirements:
• testing covers the entire CDE perimeter and critical data systems
• testing verifies that CDE perimeter segmentation is operational
• testing is performed from both inside and outside the CDE network
• testing validates segmentation and scope reduction controls (e.g., tokenization
processes)
• network layer penetration tests include components that support network functions
as well as operating systems
Penetration 11.3
Vulnerability • at the application level, testing provides coverage, at a minimum, against the
Penetration Testing Testing: Cardholder 11.3.4 1163
Management security testing requirements defined in "Code Security Check: Cardholder Data
Data Environment 11.3.4.1
Environment"
• testing is performed with consideration of threats verified [in accordance with the
organization-defined frequency] from external alerts, directives, and advisories
defined in "External Alerts and Advisories"
• testing is performed with consideration of vulnerabilities reported through [the
organization's] PSIRT process [in accordance with the organization-defined
frequency]
• risk ratings are assigned to discovered vulnerabilities, which are tracked through
remediation
[The organization] installs security-relevant patches, including software or firmware

Vulnerability Patch Infrastructure CA-7_N_00 314.3(b)(2)
updates; identified end-of-life software must have a documented decommission CC7.5.1 6.2 FERPA_99.31(a) 1143
Management Management Patch Management SI-2 314.4(b)(3)
plan in place before the software is removed from the environment.
If applicable, [the organization] has managed enterprise antivirus deployments and

5.1
ensures the following:
5.1.1
Vulnerability • signature definitions are updated CC6.8.4
Malware Protection Enterprise Antivirus A.12.2.1 CA-7_N_00 5.1.2 FERPA_99.31(a) OPS-05 164.308(a)(5)(ii)(B) 1417 31
Management • full scans are performed [in accordance with the organization-defined frequency] CC7.2.1
5.2
and real-time scans are enabled
6.2
• alerts are reviewed and resolved by authorized personnel
Vulnerability Enterprise Antivirus Antivirus mechanisms cannot be disabled or altered by users unless specifically
Malware Protection 5.3
Management Tampering authorized by management.
8
[In accordance with the organization-defined frequency], [the organization] CA-7_N_00
Vulnerability A.14.2.1 CC6.8.2 6.3.1 9
Code Security Code Security Check conducts source code checks for vulnerabilities according to the service risk rating IA-6_N_00 1238
Management A.14.2.5 CC7.2.1 6.4.4 10
assignment. SI-3
87
Where applicable, security testing performed prior to releasing code into production
6.5
includes the following:
6.5.1
6.5.2
• code injection
6.5.3
• buffer overflows
6.5.4
Code Security Check: • insecure cryptographic storage
Vulnerability 6.5.5
Code Security Cardholder Data • insecure communications DE.CM-5 0402
Management 6.5.6
Environment • improper error handling
6.5.7
• high-risk vulnerabilities
6.5.8
• cross-site scripting
6.5.9
• improper access control
6.5.10
• cross-site request forgery
6.6
• broken authentication session management
Vulnerability External Advisories External Information [The organization] reviews information-security-related inquiries, complaints, and
Management and Inquiries Security Inquiries disputes.
3
Vulnerability External Advisories External Alerts and [The organization] reviews alerts and advisories from management approved A.16.1.1 ID.RA-2 32
6.1 OIS-05 1472
Management and Inquiries Advisories security forums and communicates verified threats to authorized personnel. A.6.1.4 RC.CO-1 36
60
4
27
[The organization] assigns a OPS-22 28
Vulnerability Vulnerability A.12.6.1 CA-7_N_00
Program Management risk rating to identified vulnerabilities and prioritizes remediation of legitimate CC7.1.5 6.1 314.4(c) FERPA_99.31(a) OPS-23 RS.MI-3 1143 29
Management Remediation A.14.2.8 CA-7_N_03
vulnerabilities according to the assigned risk. PSS-02 88
89
90

Open Source CCF

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Open Source CCF

Uploaded by

Copyright:

Available Formats

The following table contains the baseline security subset (derived from The Common Controls Framework by Adobe)

Configuration Baseline Time Clock 10.4

Vendor-supplied default passwords are changed according to [the organization]

Where applicable, collaborative computing devices used at [The Organization] are

Configuration Installation of software or programs in the production environment is approved by

Consent is obtained for [the organization's] Terms of Service (ToS) prior to

[The organization] uses mechanisms to detect direct changes to the integrity of

Sharing [the organization] [restricted (as defined by the organization's data

The Audit Committee is governed by a Charter, is independent from [the

[In accordance with the organization-defined frequency]operating plans are aligned

Logical Access De-

Upon notification of an employee reassignment or transfer, management reviews

Authentication Authentication AC-14 18

Identity and Role-Based Logical 15

[The organization] has a defined process and mechanisms in place to expeditiously

[The organization] applications secure user data and maintain confidentiality by

Identity and Key Storage and Clear Text 3.6

[The organization] defines external communication requirements for CC.2.2.6

Where applicable, authorized [the organization] personnel must enroll mobile

[The organization] maintains an inventory of ingress and egress points on the

All trusted connections are documented and approved by authorized personnel;

[In accordance with the organization-defined frequency], [the organization]

Upon employee termination, management conducts exit interviews for the

Management prepares a statement of applicability that includes control objectives,

Customer- facing CC2.3.10

[The organization] reviews exceptions to policies, standards, and procedures; SP-01 1

Documentation that impacts personal health information, including policies,

Cryptographic Key Custodians and Cryptographic Materials Custodians (CMC)

Information system acquisitions require approval from authorized personnel based

If applicable, [the organization's] managed enterprise antivirus deployments

[The organization] has an Intrusion Detection System (IDS) or Intrusion Prevention

Physical access provisioning to a [the organization] datacenter requires

Physical Access Role

Physical Access Surveillance Feed

[The organization] employs emergency lighting in the event of a power disruption

[The organization] personnel with key security responsibilities complete relevant

[The organization] managed service providers that manage, store, or transmit

[The organization] requires a Business Associate Subcontractor Agreement with

[The organization] has documented a Vendor Information Security Standard that

[The organization] conducts penetration tests against cardholder data environments

[The organization] installs security-relevant patches, including software or firmware

If applicable, [the organization] has managed enterprise antivirus deployments and

You might also like