Trust Services Principles and Criteria
Issued by the AICPA Assurance Services Executive Committee (ASEC)
Copyright 2016 by
American Institute of Certified Public Accountants, Inc.
New York, NY 10036-8775
All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please e-mail copyright@aicpa.org with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.
1 At the time of publication, the AICPA's Auditing Standards Board (ASB) has completed clarifying Statements on Standards for Attestation Engagements (SSAEs or attestation standards) and will be issuing its clarified attestation standards as SSAE No. 18, Attestation Standards: Clarification and Recodification. The ASB expects SSAE No. 18 to be available in April 2016 and to be effective for practitioners' reports dated on or after May 1, 2017.

2 Review engagements generally consist of the performance of inquiries and analytical procedures designed to provide a moderate level of assurance (that is, negative assurance). However, the Assurance Services Executive Committee believes that a practitioner ordinarily could not perform meaningful analytical procedures on an entity's controls or compliance with requirements of specified laws, regulations, rules, contracts, or grants to achieve this level of assurance, and it is uncertain what other procedures could be identified that, when combined with inquiry procedures, could form the basis for a review engagement. Also due to this uncertainty, users of a review report are at greater risk of misunderstanding the nature and extent of the practitioner's procedures. Accordingly, the feasibility of a review engagement related to trust services is uncertain.
Effective Date

.16 The trust services principles and criteria are effective for periods ending on or after December 15, 2016. Early implementation is permitted.
.17 Appendix A: Definitions
access to personal information. The ability to view personal information held by an organization. This ability may be complemented by an ability to update or correct the information. Access defines the intersection of identity and data; that is, who can do what to which data. Access is one of the fair information practice principles. Individuals must be able to find out what personal information an entity has on file about them and how the information is being used. Individuals must be able to correct erroneous information in such records.

authorized access. Access to system components that (a) has been approved by a person designated to do so by management and (b) does not compromise segregation of duties, confidentiality commitments, or otherwise increase risk to the system beyond the levels approved by management (that is, access is appropriate).

boundary of the system. The specific aspects of an entity's infrastructure, software, people, procedures, and data necessary to perform a function or provide a service. When the systems for multiple functions or services share aspects, infrastructure, software, people, procedures, and data, the systems will overlap, but the boundaries of each service's system will differ. In an engagement that addresses the confidentiality and privacy principles, the system boundaries cover, at a minimum, all the system components as they relate to the life cycle of the confidential and personal information within well-defined processes and informal ad hoc procedures.

collection. The process of obtaining personal information from either the individual directly, such as a Web form or a registration form, or from another party, such as a business partner.

commitments. Declarations made by management to customers regarding the performance of a system. Commitments can be communicated in written individualized agreements, standardized contracts, service level agreements, or published statements (for example, a security practices statement). A commitment may relate to one or more principles. The practitioner need only consider commitments related to the principles addressed by the engagement. Commitments may be made on many different aspects of the service being provided, including the following:
• Specification of the algorithm used in a calculation
• The hours a system will be available
• Published password standards
• Encryption standards used to encrypt stored customer data

consent. This privacy requirement is one of the fair information practice principles. Individuals must be able to prevent the collection of their personal data, unless legally required. If an individual has a choice about the use or disclosure of his or her information, consent is the individual's way of giving permission for the use or disclosure. Consent may be affirmative (for example, opting in)
.18 Appendix B: Illustration of Risks and Controls for a Sample Entity
In evaluating whether controls are suitably designed to meet each of the trust services criteria, management needs to evaluate the risks that would prevent the criteria from being met for the system being assessed. In identifying these risks, management needs to consider the
• products and services provided by the system.
• components of the system used to provide the products and services.
• environment in which the system operates.
• commitments the entity has made to system users and parties affected by the system.
• system requirements that derive from
  laws and regulations affecting how the system functions and products and services are provided,
  commitments made to system users and parties affected by the system, and
  business objectives of the entity.

The illustration that follows is an example of the risks that a hypothetical midsized entity might identify during its risk evaluation and the controls that it could implement to address those risks. It is provided to assist practitioners with an understanding of the types of risks an entity might identify and controls to mitigate the risks to meet the criteria. It is not intended to be an all-inclusive listing of possible risks and controls. Each entity needs to consider other risks and controls to address those risks to meet the criteria. Also, the types of controls are presented at a high level and do not include the details that would be necessary for a suitably designed control, for example, the position of the person performing the control, the frequency with which the control is performed, and how the control is performed, documented, and monitored.
Criteria / Illustrative Risks / Illustrative Types of Controls

Criteria Common to All [Security, Availability, Processing Integrity, Confidentiality, and Privacy] Principles
CC1.0 Common Criteria Related to Organization and Management

CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

Illustrative risk: The entity's organizational structure does not provide the necessary structure, resources, and information flow to manage [security, availability, processing integrity, confidentiality, or privacy] activities.
Illustrative types of controls: The entity evaluates its organizational structure, reporting lines, authorities, and responsibilities as part of its business planning process and as part of its ongoing risk assessment and management process and revises these when necessary to help meet changing commitments and system requirements.

Illustrative risk: The roles and responsibilities of key managers are not sufficiently defined to permit proper oversight, management, and monitoring of [security, availability, processing integrity, confidentiality, or privacy] activities.
Illustrative types of controls: Roles and responsibilities are defined in written job descriptions and communicated to managers and their supervisors.

Job descriptions are reviewed by entity management on an annual basis for needed changes and, when job duty changes are necessary, changes to these job descriptions are also made.

Illustrative risk: Reporting relationships and organizational structure do not permit effective senior management oversight of [security, availability, processing integrity, confidentiality, or privacy] activities.
Illustrative types of controls: Reporting relationships and organizational structures are reviewed periodically by senior management as part of organizational planning and adjusted as needed based on changing entity commitments and requirements.

Illustrative risk: Personnel have not been assigned responsibility or have been delegated insufficient authority to meet [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
Illustrative types of controls: Roles and responsibilities are defined in written job descriptions.

Illustrative risk: Responsibility and accountability for privacy and data protection are not assigned to personnel with sufficient authority within the entity to manage risk and compliance.
Illustrative types of controls: Roles and responsibilities for privacy and data governance are defined and communicated to personnel as well as to third parties. The entity has assigned a chief privacy officer (CPO) who reports to the general counsel and audit committee. The CPO oversees the privacy staff responsible for implementation and monitoring of privacy controls. In addition, designated privacy advocates are assigned in each business unit and report indirectly to privacy staff.
CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

Illustrative risk: Personnel have not been assigned responsibility or have been delegated insufficient authority to meet [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
Illustrative types of controls: Roles and responsibilities are defined in written job descriptions.

Job descriptions are reviewed on a periodic basis for needed changes and updated if such changes are identified.

Illustrative risk: Responsibility and accountability for privacy and data protection controls are not assigned to personnel with sufficient authority within the entity to manage risk and compliance.
Illustrative types of controls: The CPO oversees a privacy staff responsible for the implementation and monitoring of privacy controls. In addition, designated privacy advocates, who indirectly report to the CPO and privacy staff, are assigned in each business unit. Privacy advocates are responsible for helping to ensure the implementation of privacy controls and monitoring activities.
CC1.3 The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] and provides resources necessary for personnel to fulfill their responsibilities.

Illustrative risk: Newly hired, newly assigned, or transferred personnel do not have sufficient knowledge and experience to perform their responsibilities.
Illustrative types of controls: Job requirements are documented in the job descriptions, and candidates' abilities to meet these requirements are evaluated as part of the hiring, performance review, and transfer evaluation processes.

The experience and training of candidates for employment or assignment are evaluated before they assume the responsibilities of their position.

Illustrative risk: Personnel do not have sufficient periodic training to perform their responsibilities.
Illustrative types of controls: Management establishes requisite skillsets for personnel and provides continued training about its commitments and requirements for personnel.

Management monitors compliance with training requirements.

Illustrative risk: Technical tools and knowledge resources are insufficient to perform assigned tasks.
Illustrative types of controls: During its ongoing and periodic business planning and budgeting process, management evaluates the need for additional tools and resources in order to achieve business objectives.
CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

Illustrative risk: Personnel did not comply with the entity's requirements for conduct.
Illustrative types of controls: Management monitors personnel compliance with the code of conduct through monitoring of customer and workforce member complaints and the use of an anonymous third-party administered ethics hotline. The entity's code of conduct includes a sanctions policy for personnel who violate the code of conduct. The sanctions policy is applied to personnel who violate the code of conduct.

Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon their hire and to formally reaffirm them annually thereafter.

Illustrative risk: A candidate with a background considered to be unacceptable by management of the entity is hired by the entity.
Illustrative types of controls: Senior management develops a list of characteristics that would preclude a candidate from being hired based on sensitivity or skill requirements for the given position. That list is provided to the individuals within the organization who make final hiring decisions, and those characteristics are considered when evaluating all candidates.

Before a third party is engaged by the entity, the third-party personnel undergo background screening. A background check includes, at a minimum, credit, criminal, drug, and employment checks.

Agreements are established with third parties or subcontractors that include clearly defined terms, conditions, and responsibilities for third parties and subcontractors.

Prior to employment, personnel are verified against regulatory screening databases.

The entity has established standards and guidelines for personnel ethical behavior.
CC2.0 Common Criteria Related to Communications

CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.

Illustrative risk: External users misuse the system due to their failure to understand its scope, purpose, and design.
Illustrative types of controls: System descriptions are made available to authorized external users that delineate the boundaries of the system and describe relevant system components as well as the purpose and design of the system. Documentation of the system description is made available to authorized external users via the entity's customer-facing website.

A description of the system is posted on the entity's intranet and is available to the entity's internal users. This description delineates the boundaries of the system and key aspects of processing.

Illustrative risk: Internal users are unaware of key organization and system support functions, processes, roles, and responsibilities.
Illustrative types of controls: A description of the entity organization structure, system support functions, processes, and organizational roles and responsibilities is posted on the entity's intranet and made available to entity internal users. The description delineates the parties responsible, accountable, consented, and informed of changes in design and operation of key system components.

Illustrative risk: External users fail to address risks for which they are responsible that arise outside the boundaries of the system.
Illustrative types of controls: System descriptions are made available to authorized external users that delineate the boundaries of the system and describe significant system components as well as the purpose and design of the system. The system description is made available to external users via ongoing communications with customers or via the customer website.
CC2.2 The entity's [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.

Illustrative risk: Internal and external users misunderstand the capabilities of the system in providing for [security, availability, processing integrity, confidentiality, or privacy] and take actions based on the misunderstanding.
Illustrative types of controls: The entity's [security, availability, processing integrity, confidentiality, or privacy] commitments regarding the system are included in the master services agreement and customer-specific service level agreements. In addition, a summary of these commitments is made available on the entity's customer-facing website. A privacy notice is posted on all of the entity's publicly available websites and software. The privacy notice describes the entity's privacy commitments.

Policy and procedures documents for significant processes that address system requirements are available on the intranet.

Illustrative risk: The entity fails to meet its commitments due to lack of understanding on the part of personnel responsible for providing the service.
Illustrative types of controls: Policy and procedures documents for significant processes are made available on the entity's intranet.

Personnel are required to attend annual security, confidentiality, and privacy training.

Personnel are required to read and accept the entity's code of conduct and the statement of security, confidentiality, and privacy practices upon hire and annually thereafter.

Processes are monitored monthly through service level management procedures that monitor compliance with service level commitments and agreements. Results are shared with applicable personnel and customers, and actions are taken and communicated to relevant parties, including customers, when such commitments and agreements are not met.
CC2.3 The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.

Illustrative risk: The system fails to function as designed due to internal users' failure to meet their responsibilities.
Illustrative types of controls: Policy and procedures documents for significant processes that address system requirements are available on the intranet.

Personnel are required to attend annual security, confidentiality, and privacy training.

Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon hire and annually thereafter.

Processes are monitored through service level management procedures that monitor compliance with commitments and requirements. Results are shared with applicable personnel and customers.

Illustrative risk: The system fails to function as designed due to external users' failure to meet their responsibilities.
Illustrative types of controls: Customer responsibilities are described on the customer-facing website and in system documentation.
CC2.4 Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] of the system, is provided to personnel to carry out their responsibilities.

Illustrative risk: Controls fail to function as designed or operate effectively due to misunderstanding on the part of personnel responsible for implementing and performing those controls, resulting in failure to achieve [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
Illustrative types of controls: Policy and procedures documents for significant processes are available on the intranet.

Processes are monitored following service level management procedures that monitor compliance with commitments and requirements. Results are shared according to policies.

Customer responsibilities are described on the customer-facing website and in system documentation.
CC2.5 Internal and external users have been provided with information on how to report [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] failures, incidents, concerns, and other complaints to appropriate personnel.

Illustrative risk: System anomalies are detected by internal or external users but the failures are not reported to appropriate personnel, resulting in the system failing to achieve its [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
Illustrative types of controls: Policy and procedures documents for significant processes, which include responsibility for reporting operational failures, incidents, system problems, concerns, and user complaints (and the process for doing so), are published and made available on the intranet.

Customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns, and complaints, and the process for doing so, are described on the customer-facing website and in system documentation.
CC2.6 System changes that affect internal and external users' responsibilities or the entity's commitments and system requirements relevant to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] are communicated to those users in a timely manner.

Illustrative risk: Internal and external users misunderstand changes in system capabilities or their responsibilities in providing for [security, availability, processing integrity, confidentiality, or privacy] due to system changes and take actions based on the misunderstanding.
Illustrative types of controls: Proposed system changes affecting customers are published on the customer-facing website XX days before their implementation. Internal and external users are given the chance to participate in user acceptance testing for major changes XX days prior to implementation. Changes made to systems are communicated and confirmed with customers through ongoing communications mechanisms such as customer care meetings and via the customer-facing website.

Management of the business unit must confirm understanding of changes by authorizing them.

Illustrative risk: Internal and external users are not aware of system changes.
Illustrative types of controls: The system change calendar that describes changes to be implemented is posted on the entity intranet.

Updated system documentation is published on the customer website and intranet 30 days prior to implementation.

System changes that result from incidents are communicated to internal and external users through email as part of the implementation process.

Illustrative risk: Changes in roles and responsibilities and changes to key personnel are not communicated to internal and external users in a timely manner.
Illustrative types of controls: Major changes to roles and responsibilities and changes to key personnel are communicated to affected internal and external users via email as part of the change management process.
CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls

CC3.1 The entity (1) identifies potential threats that could impair system [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system); (2) analyzes the significance of risks associated with the identified threats; (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies); (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control; and (5) reassesses, and revises as necessary, risk assessments and mitigation strategies based on the identified changes.

Illustrative risk: Not all system components are included in the risk management process, resulting in a failure to identify and mitigate or accept risks.
Illustrative types of controls: A master list of the entity's system components is maintained, accounting for additions and removals, for management's use.

Illustrative risk: Not all changes that significantly affect the system are identified, resulting in a failure to correctly reassess related risks.
Illustrative types of controls: During the risk assessment and management process, risk management personnel identify changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and update the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

Illustrative risk: Personnel involved in the risk management process do not have sufficient information to evaluate risks and the tolerance of the entity for those risks.
Illustrative types of controls: The entity has defined and implemented a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.

Illustrative risk: One or more significant internal or external risks that threaten the achievement of [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements, and that can be addressed by security controls, are not identified.
Illustrative types of controls: During the risk assessment and management process, risk management office personnel identify changes to business objectives, commitments and system requirements, internal operations, and external factors that threaten the achievement of business objectives and update the potential threats to system objectives. Identified risks are rated using a risk evaluation process and ratings are reviewed by management.

The entity performs a privacy impact assessment (PIA) to identify privacy-specific risks or compliance obligations and assesses the likelihood and potential magnitude of those risks. A PIA entails assessing the impact when new processes involving personal information are developed and when changes are made to such processes.

The risk and controls group evaluates the effectiveness of controls and mitigation strategies in meeting identified risks and recommends changes based on its evaluation. The risk and controls group's recommendations are reviewed and approved by senior management.

An owner is assigned for each remediation plan in risk assessments.

The entity uses a configuration management database and related process to capture key system components, as well as technical and installation-specific implementation details, and to support ongoing asset and service management commitments and requirements.

Illustrative risk: Changes that are not properly identified create risks due to the failure of those changes to undergo the risk management process.
Illustrative types of controls: During the risk assessment and management process, risk management personnel identify environmental, regulatory, and technological changes that have occurred. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.
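The first CC3.1 risk (system components missing from the risk management process) and its control (a maintained master list of components, kept current for additions and removals) are a reconciliation problem that can be automated. The following Python script is an added example, not part of the AICPA document and not any entity's actual control: it compares a master list extract against the output of a discovery scan and reports components that are live but unregistered, registered but no longer seen, and registered but overdue for a risk review. The component names, owners, review dates and discovery results are constructed, and the 365-day review tolerance is an assumed value.

```python
"""Reconcile a master list of system components against discovery results.

Added example (not from the AICPA document). It models the CC3.1 control
"a master list of the entity's system components is maintained, accounting
for additions and removals" and reports the gaps that would let a component
escape the risk management process. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Component:
    name: str                         # hostname or service identifier
    owner: str                        # accountable asset owner
    last_risk_review: Optional[date]  # None means never assessed


# Constructed master list extract (what the CMDB says exists).
MASTER_LIST: List[Component] = [
    Component("web-01", "platform-team", date(2016, 3, 1)),
    Component("db-01", "data-team", date(2015, 4, 15)),
    Component("batch-01", "ops-team", None),
    Component("legacy-ftp", "ops-team", date(2016, 1, 10)),
]

# Constructed discovery output (what a network scan actually found).
DISCOVERED: Set[str] = {"web-01", "db-01", "batch-01", "web-02"}


def reconcile(master: Iterable[Component], discovered: Set[str],
              as_of: date, max_review_age_days: int = 365) -> Dict[str, List[str]]:
    """Return three gap lists that the risk management process must act on.

    unregistered:        live on the network but absent from the master list,
                         so it has no owner and no risk assessment (the CC3.1 risk).
    not_discovered:      in the master list but not found; possibly removed
                         without the list being updated.
    risk_review_overdue: registered, but never assessed or assessed longer
                         ago than the assumed tolerance.
    """
    master = list(master)
    known = {c.name for c in master}
    cutoff = as_of - timedelta(days=max_review_age_days)
    overdue = [c.name for c in master
               if c.last_risk_review is None or c.last_risk_review < cutoff]
    return {
        "unregistered": sorted(discovered - known),
        "not_discovered": sorted(known - discovered),
        "risk_review_overdue": sorted(overdue),
    }


def has_gaps(report: Dict[str, List[str]]) -> bool:
    """True when any gap list is non-empty, i.e. the master list needs work."""
    return any(report.values())


def reconcile_sample(as_of_iso: str = "2016-06-01") -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed data for a given date."""
    return reconcile(MASTER_LIST, DISCOVERED, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    result = reconcile_sample()
    for gap, names in result.items():
        print(f"{gap}: {', '.join(names) or 'none'}")
    print("action required:", has_gaps(result))
```

Each gap maps to a different failure of the control: an unregistered component is the CC3.1 risk itself, a not-discovered component means the removals side of the list is stale, and an overdue review means the component is listed but the reassessment step (criterion item 5) has not run against it. Treating all three as findings to be owned, rather than only the first, is what keeps the master list a usable input to the risk process.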
CC3.2 The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy, reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities, and updates the controls, as necessary.

Illustrative risk: Controls and mitigation strategies selected, developed, and deployed do not adequately mitigate risk.
Illustrative types of controls: Control self-assessments are performed by operating units on a quarterly basis.

Internal audits are performed based on the annual risk-based internal audit plan.

Business and system recovery plans are tested annually.

Internal and external vulnerability scans are performed quarterly and annually and their frequency is adjusted as required to meet ongoing and changing commitments and requirements. Management takes action based on the results of the scans.

Policies and procedures related to risk management are developed, implemented, and communicated to personnel.

Illustrative risk: Deployed controls and mitigation strategies create new risks that fail to be assessed.
Illustrative types of controls: See CC3.1 illustrative controls.
CC4.0 Common Criteria Related to Monitoring of Controls

CC4.1 The design and operating effectiveness of controls are periodically evaluated against the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof], and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

Illustrative risk: Controls are not suitably designed, configured in accordance with established policies, or operating in an effective manner, resulting in a system that does not meet commitments and system requirements.
Illustrative types of controls: Internal audit performs control assessments on a quarterly basis and communicates results to the audit committee for monitoring of corrective actions.

Management and internal audit periodically receive reports summarizing incidents, root cause of incidents, and corrective action plans. Internal audit monitors for completion of corrective action plans.

Control self-assessments (including assessment of controls addressing privacy risks) are performed by operating units on a quarterly basis, and the results of these are reported to management for additional control monitoring purposes.
CC5.0 Common Criteria Related to Logical and Physical Access
Controls
CC5.1 Criteria: Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Not all system infrastructure or system components are protected by logical access security measures, resulting in unauthorized modification or use.
Illustrative control: Established entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.

Illustrative control: Network scans are performed for infrastructure elements to identify variance from entity standards. Static and dynamic code analysis testing is performed on new application systems and on changes made to existing system source code prior to and after such systems are placed into production. Management takes appropriate action based on the results of the scans.

Illustrative control: Information system assets are assigned owners who are responsible for evaluating access based on job roles. The owners define access rights when assets are acquired or changed and periodically evaluate access for assets under their custody or stewardship.

Illustrative control: Online applications match each user ID to a single customer account number. Requests for access to system records require the matching of the customer account number against a list of privileges each user possesses when granted access to the system initially.

Illustrative risk: Logical access security measures do not identify or authenticate internal and external users prior to permitting access to IT components.
Illustrative control: Infrastructure components and software are configured to use the shared sign-on functionality when available. Systems not using the shared sign-on functionality are required to be implemented with separate user ID and password submission.

Illustrative control: External access by personnel is permitted only through a two-factor (for example, a swipe card and a password) encrypted virtual private network (VPN) connection.

Illustrative risk: Logical access security measures do not provide for the segregation of duties required by the system design.
Illustrative control: A role-based security process has been defined with an access control system that is required to use roles when possible.

Illustrative control: Assets are assigned owners who are responsible for evaluating the appropriateness of access based on job roles. Roles are periodically reviewed and updated by asset owners and the risk and controls group on an annual basis. Access change requests resulting from the review are submitted to the security group via a change request record.

Illustrative control: For software or infrastructure that does not support the use of role-based security, a separate database of roles and related access privileges is maintained. The security group uses this database when specifying and entering access rules in these systems.

Illustrative risk: Logical access security measures do not restrict access to system configurations, privileged functionality, master passwords, powerful utilities, security devices, and other high risk resources.
Illustrative control: Privileged access to sensitive resources is restricted to defined user roles, and logical access to these roles must be approved by the chief information security officer. This access is reviewed by the chief information security officer on a periodic basis.
CC5.2 Criteria: New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof]. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Illustrative risk: Valid user identities are granted to unauthorized persons.
Illustrative control: On a daily basis, workforce member user IDs are automatically created in or removed from the active directory and VPN systems as of the date of employment using an automated feed of new internal and external users collected from workforce member changes in the human resource management system.

Illustrative control: Workforce access to protected resources is created or modified by the security group based on an authorized change request from the system's asset owner.

Illustrative control: Contractor and vendor IDs are created by the security group based on an authorized change request from the contractor office. These IDs are valid for the lesser of the expected period of relationship or XX days.

Illustrative control: Privileged customer accounts are created based on a written authorization request from the designated customer point of contact. These accounts are used by customers to create customer user access accounts and their related privileges.

Illustrative control: System security is configured to require internal and external users to change their passwords upon their initial system sign-on and thereafter every XX days after their initial sign-on.
Illustrative risk: A user that is no longer authorized continues to access system resources.
Illustrative control: On a daily basis, the human resources system sends an automated feed to the active directory and the VPN for removal of access for personnel for whom it is the last day of employment. The list is used by security personnel to remove access. The removal of the access is verified by the security manager.

Illustrative control: On a weekly basis, the human resources system sends to the security group a list of terminated personnel whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.

Illustrative control: On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.
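The joiner/leaver controls above (daily HR feed, contractor IDs limited to the lesser of the relationship or XX days, and verified removal from both the directory and the VPN) can be checked mechanically. The following reconciliation is an added example, not code from the AICPA document or any product; the record layouts, the value chosen for XX days, and the sample feed are constructed assumptions.

```python
"""Daily joiner/leaver reconciliation against an HR feed (added example).

Models the illustrative CC5.2 controls: user IDs are created as of the start
date, removed as of the last day of employment, contractor IDs expire after the
lesser of the expected relationship or XX days, and removal is verified rather
than assumed. Record layouts, XX_DAYS and the sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

XX_DAYS = 90  # assumed value for the document's "XX days" contractor cap


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    kind: str                              # "employee" or "contractor"
    start: date
    last_day: date | None = None           # set by HR on termination
    relationship_end: date | None = None   # contractor's expected end date


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    enabled: bool       # directory account state
    vpn_enabled: bool   # VPN entitlement state


@dataclass
class Reconciliation:
    create: list[str] = field(default_factory=list)      # starts today, no account yet
    disable: list[str] = field(default_factory=list)     # removal is due today
    unverified: list[str] = field(default_factory=list)  # removal was due earlier, still active
    orphaned: list[str] = field(default_factory=list)    # active account unknown to HR


def removal_date(rec: HrRecord) -> date | None:
    """Date on which access must be gone: the last day of employment or, for a
    contractor, the lesser of the expected relationship end and start + XX days."""
    dates = []
    if rec.last_day is not None:
        dates.append(rec.last_day)
    if rec.kind == "contractor":
        cap = rec.start + timedelta(days=XX_DAYS)
        dates.append(min(cap, rec.relationship_end) if rec.relationship_end else cap)
    return min(dates) if dates else None


def should_be_active(rec: HrRecord, today: date) -> bool:
    if today < rec.start:
        return False
    end = removal_date(rec)
    return end is None or today < end


def reconcile(feed: list[HrRecord], directory: list[DirectoryAccount],
              today: date) -> Reconciliation:
    result = Reconciliation()
    accounts = {a.user_id: a for a in directory}
    in_feed = set()
    for rec in feed:
        in_feed.add(rec.user_id)
        acct = accounts.get(rec.user_id)
        still_active = acct is not None and (acct.enabled or acct.vpn_enabled)
        if should_be_active(rec, today):
            if acct is None:
                result.create.append(rec.user_id)
        elif still_active:
            end = removal_date(rec)
            # Both the directory account and the VPN entitlement must be gone;
            # anything still active after the removal date failed verification.
            if end is not None and today > end:
                result.unverified.append(rec.user_id)
            else:
                result.disable.append(rec.user_id)
    for acct in directory:
        if acct.user_id not in in_feed and (acct.enabled or acct.vpn_enabled):
            result.orphaned.append(acct.user_id)
    return result


def sample_run() -> Reconciliation:
    """Constructed HR feed and directory state, reconciled for 2024-03-15."""
    today = date(2024, 3, 15)
    feed = [
        HrRecord("alice", "employee", date(2024, 3, 15)),
        HrRecord("bob", "employee", date(2023, 1, 9), last_day=date(2024, 3, 15)),
        HrRecord("carol", "employee", date(2022, 6, 1), last_day=date(2024, 3, 10)),
        HrRecord("dave", "contractor", date(2024, 1, 2), relationship_end=date(2024, 12, 31)),
        HrRecord("erin", "contractor", date(2023, 11, 1), relationship_end=date(2024, 3, 1)),
    ]
    directory = [
        DirectoryAccount("bob", enabled=True, vpn_enabled=True),
        DirectoryAccount("carol", enabled=False, vpn_enabled=True),    # VPN removal missed
        DirectoryAccount("dave", enabled=True, vpn_enabled=True),
        DirectoryAccount("erin", enabled=True, vpn_enabled=False),     # past start + XX days
        DirectoryAccount("svc_old", enabled=True, vpn_enabled=False),  # not in the HR feed
    ]
    return reconcile(feed, directory, today)
```

Entries in `unverified` and `orphaned` are the ones the security manager's verification step exists to catch; `disable` is today's work list.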
Illustrative control: Entity policies prohibit the reactivation or use of a terminated workforce member's ID without written approval of the chief information security officer. Requests for reactivation are made using the change management record system and must include the purpose and justification of the access (for business need), the systems that are to be reactivated, and the time period for which the account will be active (no more than XX days). The account is reset with a new password and is activated for the time period requested. All use of the account is logged and reviewed by security personnel.

Illustrative control: Account sharing is prohibited unless a variance from policy is granted by the chief information security officer, as might be provided by the entity using an account and password vaulting software product that provides account sharing under tightly controlled circumstances, the active logging of each use, and the resetting of the account password after each use. Otherwise, shared accounts are permitted for low risk applications (for example, an informational system where access with shared IDs cannot compromise segregation of duties) or when system technical limitations require their use (for example, UNIX root access). The chief information security officer must approve the use of all shared accounts. Mitigating controls are implemented when possible (for example, required use of su when accessing the UNIX root account).
CC5.3 Criteria: Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Internal and external users are not identified when accessing information system components.
Illustrative control: Entity standards are established for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.

Illustrative control: Account sharing is prohibited unless a variance from policy is granted by the chief information security officer, as might be provided by the entity using an account and password vaulting software product that provides account sharing under tightly controlled circumstances, active logging of each use, and the resetting of the account password after each use. Otherwise, shared accounts are permitted for low risk applications (for example, an informational system where access with shared IDs cannot compromise segregation of duties) or when system technical limitations require their use (for example, UNIX root access). The chief information security officer must approve the use of all shared accounts. Mitigating controls are implemented when possible (for example, required use of su when accessing the UNIX root account).

Illustrative risk: Valid user identities are assumed by an unauthorized person to access the system.
Illustrative control: The online application authenticates the legitimacy of each customer user's privileges by matching each user's ID upon entry to a single customer account number. Requests for access (for example, user attempts to access) to system records require the matching of the customer account number.

Illustrative control: Applications provide reporting functionality on user entitlements.

Illustrative control: Two-factor authentication and use of encrypted VPN channels help to ensure that only valid external users gain remote and local access to IT system components.

Illustrative control: Infrastructure components and software are configured to use the active directory shared sign-on functionality when available. Systems not using the shared sign-on functionality are configured to require a separate user ID and password.

Illustrative risk: External user access credentials are compromised, allowing an unauthorized person to perform activities reserved for authorized persons.
Illustrative control: External users can only access the system remotely through the use of the VPN, secure sockets layer (SSL), or other encrypted communication system.

Illustrative control: Password complexity standards are established to enforce control over access control software passwords.

Illustrative control: Administrative accounts are set up, and the user administration function is segregated for managing privileged accounts.
CC5.4 Criteria: Access to data, software, functions, and other IT resources is authorized and modified or removed based on roles, responsibilities, or the system design and changes to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Valid internal or external users obtain unauthorized access to the system, resulting in a breakdown in segregation of duties or an increase in the risk of intentional malicious acts or error.
Illustrative control: When possible, formal role-based access controls to limit access to the system and infrastructure components are created and enforced by the access control system. When it is not possible, authorized user IDs with two-factor authentication are used.

Illustrative control: User access requests for a specific role are approved by the user's manager and submitted to the security group via the change management record system. Separation of duties exists between individuals who request access, authorize access, grant access, and review access.

Illustrative risk: Access granted through the provisioning process compromises segregation of duties or increases the risk of intentional malicious acts or error.
Illustrative control: When possible, formal role-based access controls to limit access to the system and infrastructure components are created and enforced by the access control system. When it is not possible, authorized user IDs with two-factor authentication are used.

Illustrative control: Roles are reviewed and updated by both asset owners and the risk and controls group on an annual basis. Access change requests resulting from the review are submitted to the security group via a change request record.
CC5.5 Criteria: Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Unauthorized persons gain physical access to system components, resulting in damage to components (including threats to personnel), fraudulent or erroneous processing, unauthorized logical access, or compromise of information.
Illustrative control: An ID card-based physical access control system has been implemented within the perimeter of facilities and at the entry and exit points of sensitive areas within these facilities.

Illustrative control: ID cards that include a workforce member picture must be worn at all times when accessing or leaving the facility.

Illustrative control: ID cards are created by the human resources department during the workforce member orientation period and distributed after all required background investigations are completed. ID cards initially provide access only to non-sensitive areas. Access to sensitive areas is added to ID cards by the physical security director based on a request for access approved by the owner of the sensitive area and after required background investigations have been performed and any issues resolved. Requests for access and changes to access are made, approved, and communicated through the change management record system.

Illustrative control: The contractor office may request ID cards for vendors and contractors. Cards are created by the physical security director upon approval of an authorized manager. Requests are made, approved, and communicated through the change management record system.

Illustrative control: Visitors must be signed in by an authorized workforce member before a single-day visitor badge that identifies them as an authorized visitor can be issued. Visitor badges are for identification purposes only and do not permit access to any secured areas of the facility. All visitors must be escorted by a workforce member when visiting facilities where sensitive systems and system components are maintained and operated.

Illustrative risk: Formerly appropriate physical access becomes inappropriate due to changes in user job responsibilities or system changes, resulting in a breakdown in segregation of duties or an increase in the risk of intentional malicious acts or error.
Illustrative control: Owners of sensitive areas of the facilities review the list of names and roles of those granted physical access to their areas on a semiannual basis to check for continued business need. Requests for changes are made through the change management record system.

Illustrative risk: A formerly authorized person continues to access system resources after that person is no longer authorized.
Illustrative control: Owners of sensitive areas of the facilities review access to their areas on a semiannual basis. Requests for changes are made through the change management record system.

Illustrative control: Vendors are asked to review a list of personnel with ID cards on a semiannual basis, recertify access entitlements, and request any modifications. The contractor office requests changes based on the vendor review.

Illustrative control: On a daily basis, as of the last day of employment, the human resources system sends to physical security a list of terminated personnel for whom it is the last day of employment and whose access is to be removed and their pass cards to be disabled.

Illustrative risk: A user obtains the identification credentials and authentication credentials of a formerly authorized person and uses them to gain unauthorized access to the system.
Illustrative control: On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors for whom access is to be removed.

Illustrative control: On a weekly basis, or immediately upon termination of employment, the human resources system sends to the physical security group a list of terminated personnel for whom access is to be removed.

Illustrative control: Personnel are required to return their ID cards during exit interviews, and all ID badges are disabled prior to exit interviews. Therefore, personnel must be physically escorted from the entity's facilities at the completion of the exit interview.

Illustrative control: The sharing of access badges and tailgating are prohibited by policy.

Illustrative control: Mantraps or other physical devices are used for controlling access to highly sensitive facilities. Doors that bypass mantraps can only be opened by the ID cards of designated members of management.

Illustrative control: A monitoring process exists to monitor entry or exit points. Measures such as, but not limited to, alarm systems, surveillance cameras, and trained security guards are adopted. The resulting information (for example, logs and tapes) is maintained for an agreed-to period of time for future reference.
CC5.6 Criteria: Logical access security measures have been implemented to protect against [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] threats from sources outside the boundaries of the system to meet the entity's commitments and system requirements.
Illustrative risk: Threats to the system are obtained through external points of connectivity.
Illustrative control: Defined entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists that define which privileges are attributable to each user or system account.

Illustrative control: External points of connectivity are protected by a firewall complex, network segmentation, data loss prevention (DLP), and several layers of defense to prevent unauthorized external users from gaining access to the organization's internal systems and devices.

Illustrative control: Firewall hardening standards are based on relevant applicable technical specifications that are compared against product and industry recommended practices and updated periodically.

Illustrative control: Security information and event management (SIEM) software continually collects firewall logs, parses the entries using business rules and known threat signatures, and creates alerts to the security and network operations teams when anomalous traffic or packets are identified so that firewall rules can be immediately updated to reduce security threat risks in the network, systems, and data stores.

Illustrative control: External access to nonpublic sites is restricted through the use of user authentication and message encryption systems such as VPN and SSL.

Illustrative risk: Authorized connections to the system are compromised and used to gain unauthorized access to the system.
Illustrative control: Firewall rules and the online system limit the times when remote access can be granted and the types of activities and service requests (for example, disable copy/paste or remote print and drive mappings) that can be performed from external connections.
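The SIEM control above (business rules plus known threat signatures applied to firewall logs) and the rule limiting the times when remote access may be granted are shown together below as detection logic over sample log lines. This is an added example, not code from the AICPA document or any SIEM vendor; the log format, the internal address ranges, the threat-source list, the sweep thresholds, the permitted remote-access hours and the sample lines are all constructed assumptions.

```python
"""Firewall log rules of the kind a SIEM applies (added example).

Not from the AICPA document or any vendor. The log format, internal ranges,
threat-source list, sweep thresholds and remote-access window are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timezone

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_THREAT_SOURCES = {"198.51.100.23"}   # constructed "known threat signature" list
SWEEP_PORTS = 5                             # distinct denied ports from one source ...
SWEEP_WINDOW_S = 60                         # ... within this many seconds
ADMIN_PORTS = {22, 3389}
REMOTE_WINDOW = (time(7, 0), time(19, 0))   # assumed UTC hours when remote admin access is permitted


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def parse_line(line: str) -> Event:
    """Constructed format: '<iso-utc> <host> action=.. src=.. dst=.. dport=.. proto=..'."""
    ts_str, _host, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, f["action"], f["src"], f["dst"], int(f["dport"]))


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def evaluate(lines: list[str]) -> list[Alert]:
    """Apply the business rules and threat signatures to a batch of log lines."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    alerts: list[Alert] = []
    denied: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    already_swept: set[str] = set()
    for e in events:
        if e.src in KNOWN_THREAT_SOURCES:
            alerts.append(Alert("known-threat-source", e.src, f"{e.action} to {e.dst}:{e.dport}"))
        if not is_external(e.src):
            continue  # the rules below concern external points of connectivity only
        if e.action == "DENY":
            hist = denied[e.src]
            hist.append((e.ts, e.dport))
            recent = {p for t, p in hist if (e.ts - t).total_seconds() <= SWEEP_WINDOW_S}
            if len(recent) >= SWEEP_PORTS and e.src not in already_swept:
                already_swept.add(e.src)
                alerts.append(Alert("port-sweep", e.src,
                                    f"{len(recent)} distinct ports denied within {SWEEP_WINDOW_S}s"))
        elif e.action == "ALLOW" and e.dport in ADMIN_PORTS:
            t = e.ts.time()
            if not (REMOTE_WINDOW[0] <= t < REMOTE_WINDOW[1]):
                alerts.append(Alert("out-of-hours-remote-admin", e.src,
                                    f"allowed to {e.dst}:{e.dport} at {t}"))
    return alerts


# Constructed sample: a sweep, an out-of-hours RDP session, a listed source, internal noise.
SAMPLE_LOG = """\
2024-03-15T02:13:44Z fw01 action=DENY src=203.0.113.7 dst=10.0.5.20 dport=21 proto=tcp
2024-03-15T02:13:45Z fw01 action=DENY src=203.0.113.7 dst=10.0.5.20 dport=22 proto=tcp
2024-03-15T02:13:45Z fw01 action=DENY src=203.0.113.7 dst=10.0.5.20 dport=23 proto=tcp
2024-03-15T02:13:46Z fw01 action=DENY src=203.0.113.7 dst=10.0.5.20 dport=25 proto=tcp
2024-03-15T02:13:47Z fw01 action=DENY src=203.0.113.7 dst=10.0.5.20 dport=80 proto=tcp
2024-03-15T02:20:01Z fw01 action=ALLOW src=203.0.113.9 dst=10.0.5.30 dport=3389 proto=tcp
2024-03-15T09:05:12Z fw01 action=ALLOW src=203.0.113.9 dst=10.0.5.30 dport=3389 proto=tcp
2024-03-15T09:06:00Z fw01 action=DENY src=198.51.100.23 dst=10.0.5.40 dport=445 proto=tcp
2024-03-15T09:07:00Z fw01 action=ALLOW src=10.0.8.4 dst=10.0.5.30 dport=22 proto=tcp
"""
```

Each alert names the rule that fired and the source, which is what the network operations team needs to decide whether a firewall rule should be updated.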
Illustrative risk: Data stored temporarily outside its normal location (for example, stored during disaster recovery testing) is accessed by unauthorized persons.
Illustrative control: Data written to the data storage systems within the disaster recovery facility is subject to sanitization procedures at the conclusion of disaster recovery testing prior to the return of control of storage to the facility vendor.
CC5.7 Criteria: The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Nonpublic information is disclosed during transmission over public communication paths.
Illustrative control: VPN, SSL, secure file transfer program (SFTP), and other encryption technologies are used for defined points of connectivity and to protect communications between the processing center and users connecting to the processing center from within or external to customer networks.

Illustrative control: Entity policies prohibit the transmission of sensitive information over the Internet or other public communications paths (for example, email) unless it is encrypted.

Illustrative control: DLP software is used to scan for sensitive information in outgoing transmissions over public communication paths. Information that is restricted (Social Security numbers [SSNs], dates of birth, and so forth) is blocked, stripped, or both from outgoing transmissions.
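The block-or-strip decision the DLP control describes is shown below for SSNs and dates of birth in outgoing message text. This is an added example, not code from the AICPA document or any DLP product; the matching patterns, the rule that decides between stripping and blocking, and the sample messages are constructed assumptions.

```python
"""Outbound DLP check for restricted data (added example).

Not from the AICPA document or any DLP product. The SSN and date-of-birth
patterns, the strip-versus-block policy and the sample messages are
constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})\b",
                    re.IGNORECASE)
BLOCK_THRESHOLD = 3  # assumed policy: this many restricted items blocks the message outright


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


@dataclass
class Verdict:
    action: str          # "allow", "strip" or "block"
    body: str            # message as it may leave the boundary ("" when blocked)
    findings: list[str]


def scan_outbound(body: str) -> Verdict:
    """Strip restricted items from an outgoing message, or block it entirely."""
    findings: list[str] = []

    def mask_ssn(m: re.Match) -> str:
        if not is_plausible_ssn(*m.groups()):
            return m.group(0)  # e.g. a ticket number that merely looks like an SSN
        findings.append(f"SSN ending {m.group(3)}")
        return f"***-**-{m.group(3)}"

    def mask_dob(m: re.Match) -> str:
        findings.append("date of birth")
        return m.group(0).replace(m.group(1), "[redacted]")

    stripped = DOB_RE.sub(mask_dob, SSN_RE.sub(mask_ssn, body))
    if not findings:
        return Verdict("allow", body, findings)
    if len(findings) >= BLOCK_THRESHOLD:
        return Verdict("block", "", findings)
    return Verdict("strip", stripped, findings)


SAMPLE_MESSAGES = [  # constructed
    "Hi, please confirm order 123-45-6789 ships Friday.",
    "Reference 000-12-3456 is the ticket number.",
    "Applicant: SSN 219-09-9999, DOB: 03/14/1985, spouse SSN 451-23-0101.",
]
```

The structural check keeps the scanner from stripping numbers that merely look like SSNs, which is the usual source of false positives in this kind of rule.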
Illustrative risk: Removable media (for example, USB drives, DVDs, or tapes) are lost, intercepted, or copied during physical movement between locations.
Illustrative control: Backup media are encrypted during creation.

Illustrative control: Storage for workstations and laptops is encrypted. Removable media for workstations and laptops are encrypted automatically by the software. Removable media are readable only by other entity-owned devices.

Illustrative control: Other removable media are produced by data center operations and are transported via courier.

Illustrative control: Use of removable media is prohibited by policy except when authorized by management.

Illustrative risk: Removable media used to make unauthorized copies of software or data are taken beyond the boundaries of the system.
Illustrative control: Storage for workstations and laptops is encrypted. Removable media for these devices are encrypted automatically by the software. Removable media are readable only by other entity-owned devices.

Illustrative control: Backup media are encrypted during creation.
CC5.8 Criteria: Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Malicious or otherwise unauthorized code is used to intentionally or unintentionally compromise logical access controls or system functionality through data transmission, removable media, and portable or mobile devices.
Illustrative control: The ability to install software on workstations and laptops is restricted to IT support personnel.

Illustrative control: Antivirus software is installed on workstations, laptops, and servers supporting such software. The antivirus program covers any piece of hardware that may be accessing the network, both internally and externally, as well as bring your own device (BYOD).

Illustrative control: Antivirus software is configured to receive an updated virus signature at least daily. Network operations receives a report of devices that have not been updated in 30 days and follows up on the devices.

Illustrative risk: Business owners obtain and install applications without proper authorization.
Illustrative control: The ability to install applications on systems is restricted to change implementation and system administration personnel.
CC6.0 Common Criteria Related to System Operations
CC6.1 Criteria: Vulnerabilities of system components to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified system vulnerabilities to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Vulnerabilities that could lead to a breach or incident are not detected in a timely manner.
Illustrative control: Logging and monitoring software is used to collect data from system infrastructure components and endpoint systems; to monitor system performance, potential security threats and vulnerabilities, and resource utilization; and to detect unusual system activity or service requests. This software sends a message to the operations center and security organization and automatically opens a priority incident or problem ticket and change management record item.

Illustrative control: Call center personnel receive telephone and email requests for support, which may include requests to reset user passwords or notify entity personnel of potential breaches and incidents. Call center personnel follow defined protocols for recording, resolving, and escalating received requests.

Illustrative risk: Corrective measures to address breaches and incidents are not implemented in a timely manner.
Illustrative control: Operations and security personnel follow defined protocols for resolving and escalating reported events. This includes root cause analysis that is escalated to management as required.

Illustrative control: Resolution of security events (incidents or problems) is reviewed at the daily and weekly operations and security group meetings.

Illustrative control: Internal and external users are informed of incidents in a timely manner and advised of corrective measures to be taken on their part.

Illustrative risk: Corrective measures are not effective or sufficient.
Illustrative control: Resolution of events is reviewed at the weekly operations and security group meetings.

Illustrative control: Change management requests are opened for events that require permanent fixes.

Illustrative risk: Lack of compliance with policies and procedures is not addressed through sanctions or remedial actions, resulting in increased noncompliance in the future.
Illustrative control: The resolution of events is reviewed at the weekly operations and security group meetings. Relevant events with effects on internal and external users or customers are referred to user and customer care management to be addressed.

Illustrative control: Entity policies include probation, suspension, and termination as potential sanctions for workforce member misconduct.

Illustrative risk: Breaches and incidents recur because preventive measures are not implemented after a previous event.
Illustrative control: Change management requests are opened for events that require permanent fixes.

Illustrative control: For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared, and the entity's risk management process and relevant risk management data are updated to reflect the planned incident and problem resolution.
CC7.3 Criteria: Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].
Illustrative risk: Identified breaches, incidents, and other system impairments are not considered during the change management lifecycle.
Illustrative control: For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared, and the entity's risk management process and relevant risk management data are updated to reflect the planned incident and problem resolution.

Illustrative control: A process exists to manage emergency changes.
CC7.4 Changes to system System changes are System change
components are not authorized by requests must be
authorized, those responsible for reviewed and
designed, developed, the design and approved by the
configured, operation of the owner of the
documented, tested, system, resulting in infrastructure or
approved, and changes to the software and the
implemented to system that impairs change advisory
meet the entity's its ability to meet board prior to work
[insert the commitments and commencing on the
principle(s) system requested change.
addressed by the requirements. Separate personnel
engagement: are responsible to
security, authorize changes
availability, and to implement the
processing integrity, changes.
confidentiality, or
privacy, or any
combination thereof]
commitments and
system
requirements.
System changes do Functional and
not function as detailed designs are
intended, resulting prepared for other
in a system that than minor changes
does not meet (more than XX
commitments and hours). Functional
system designs are reviewed
requirements. and approved by the
application or
infrastructure and
software owner, and
detailed designs are
approved by the
director of
development for the
application and the
change advisory
board prior to work
commencing on the
requested change or
development project.
(continued)
Illustrative Types
Criteria Illustrative Risks of Controls
Test plans and test data
are created and used in
required system and
regression testing. Test
plans and test data are
reviewed and approved by
the testing manager prior
to and at the completion of
testing, and they are
reviewed by the change
advisory board prior to
newly developed or
changed software being
authorized for migration to
production. Security
vulnerability testing is
included in the types of
tests performed on
relevant application,
database, network, and
operating system changes.
System and regression
testing is prepared by the
testing department using
approved test plans and
test data. Deviations from
planned results are
analyzed and submitted to
the developer.
Security vulnerability
scans on developed source
and object code libraries
using Static Code Analysis
tools are performed.
Management remediates
significant security
vulnerabilities and coding
defects prior to compiling
computer programs and
integrating them into the
production environment.
Code review or
walkthrough is required
for high impact changes
that meet established
criteria (that mandate
code reviews and
walkthroughs). These are
performed by a peer
programmer who does not
have responsibility for the
change.
- Changes are reviewed and approved by the change advisory board prior to implementation.
- Established entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
- Changes to hardening standards are reviewed and approved by the director in infrastructure management.
Illustrative risk: Unauthorized changes are made to the system, resulting in a system that does not meet commitments and system requirements.
Illustrative types of controls:
- Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.
- Logical access controls and change management tools restrict the ability to migrate from development, test, and production to change deployment personnel.
- Changes are reviewed and approved by the change advisory board prior to implementation.
Illustrative risk: Unforeseen system implementation problems impair system operation, resulting in a system that does not function as designed.
Illustrative types of controls:
- A turnover process that includes verification of operation and back out steps is used for every migration.
- Postimplementation procedures that are designed to verify the operation of system changes are performed for a defined period, as determined during project planning, after the implementation for other than minor changes, and results are shared with internal and external users and customers as required to meet commitments and system requirements.
Illustrative risk: Incompatible duties exist within the change management process, particularly between approvers, designers, implementers, testers, and owners, resulting in the implemented system not functioning as intended.
Illustrative types of controls:
- The change management process has defined the following roles and assignments:
  - Authorization of change requests: owner or business unit manager
  - Development: application design and support department
  - Testing: quality assurance department
  - Implementation: software change management group
Additional Criteria for Availability
A1.1 Criterion: Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity's availability commitments and system requirements.
Illustrative risk: Current processing capacity is not sufficient to meet availability commitments and system requirements in the event of the loss of individual elements within the system components.
Illustrative types of controls:
- Processing capacity is monitored on an ongoing basis in accordance with SLAs, key performance indicators (KPIs), and other performance related parameters.
- Critical infrastructure components have been reviewed for criticality classification and assignment of a minimum level of redundancy.
Illustrative risk: Processing capacity is not monitored, planned, and expanded or modified, as necessary, to provide for the continued availability of the system to meet the entity's commitments and system requirements.
Illustrative types of controls:
- Processing capacity is monitored on a daily basis.
- Future processing demand is forecasted and compared to scheduled capacity on an ongoing basis. Forecasts are reviewed and approved by senior operations management. Change requests are initiated as needed based on approved forecasts.
A1.2 Criterion: Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity's availability commitments and system requirements.
Illustrative risk: Environmental vulnerabilities and changing environmental conditions are not identified or addressed through the use of environmental protections, resulting in a loss of system availability.
Illustrative types of controls:
- Environmental protections have been installed, including the following:
  - Cooling systems
  - Battery and natural gas generator backup in the event of power failure
  - Redundant communications lines
  - Smoke detectors
  - Dry pipe sprinklers
  - Vermin and pest control
Illustrative risk: Environmental vulnerabilities are not monitored or acted upon, increasing the severity of an environmental event.
Illustrative types of controls:
- Operations personnel monitor the status of environmental protections during each shift. Alert mechanisms have been installed to communicate any discrepancies in environmental thresholds.
- Environmental protections receive maintenance on at least an annual basis.
Illustrative risk: Software or data are lost or not available due to processing error, intentional act, or environmental event.
Illustrative types of controls:
- Weekly full-system and daily incremental backups are performed using an automated system.
- Backups are monitored for failure using an automated system, and the incident management process is automatically invoked.
- Backups are transported and stored offsite by a third-party storage provider in an environmentally controlled setting, transported by authorized courier (if stored offsite), and, when encryption is not present, accompanied by a chaperon.
Illustrative risk: Availability commitments and system requirements are not met due to a lack of recovery infrastructure.
Illustrative types of controls:
- Business continuity and disaster recovery plans have been developed, updated, and tested annually.
- The entity has contracted with a third-party recovery facility to permit the resumption of IT operations in the event of a disaster at the IT data center.
- The entity uses a multilocation strategy for its facilities to permit the resumption of operations at other entity facilities in the event of loss of a facility.
A1.3 Criterion: Recovery plan procedures supporting system recovery are tested to help meet the entity's availability commitments and system requirements.
Illustrative risk: Recovery plans are not suitably designed and tested backups are not sufficient to permit recovery of system operation to meet the entity's commitments and system requirements.
Illustrative types of controls:
- Business continuity and disaster recovery plans, including restoration of backups, and emergency notification systems are tested annually.
- Test results are reviewed and the contingency plan is adjusted.
Additional Criteria for Processing Integrity
PI1.1 Criterion: Procedures exist to prevent, or detect and correct, processing errors to meet the entity's processing integrity commitments and system requirements.
Illustrative risk: Software or data are lost or not available due to processing error, intentional act, or environmental event.
Illustrative types of controls:
- Weekly full-system and daily incremental backups are performed using an automated system.
- Backups are monitored for failure using an automated system, and the incident management process is automatically invoked.
- Backups are transported and stored offsite by a third-party storage provider.
Illustrative risk: Environmental vulnerabilities are not addressed through the use of environmental protections, resulting in a loss of system availability.
Illustrative types of controls:
- Environmental protections have been installed, including the following:
  - Cooling systems
  - Battery and natural gas generator backup in the event of power failure
  - Redundant communications lines
  - Smoke detectors
  - Dry pipe sprinklers
Illustrative risk: Environmental vulnerabilities are not monitored or acted upon, increasing the severity of an environmental event.
Illustrative types of controls:
- Operations personnel monitor the status of environmental protections during each shift.
- Environmental protections receive maintenance on at least an annual basis.
Illustrative risk: Current processing capacity is not sufficient to meet processing requirements, resulting in processing errors.
Illustrative types of controls:
- Processing capacity is monitored on a daily basis.
- Critical infrastructure components have a defined level of redundancy based on risk assessment.
PI1.2 Criterion: System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements.
Illustrative risk: Inputs are captured incorrectly.
Illustrative types of controls:
- Application edits limit input to acceptable value ranges.
- The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the scanned sheets are compared to the count per the batch ticket by the scanning operator.
- Scanned images are processed through the optical character recognition (OCR) system. Key fields, including customer identifier, customer name, and record type, are validated by the system against records in the master data file.
- Text from free-form sections from scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.
Illustrative risk: Inputs are not captured or captured completely.
Illustrative types of controls:
- System edits require mandatory fields to be complete before record entry is accepted.
- The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the sheets scanned are compared to the count per the batch ticket by the scanning operator.
- Scanned images are processed through the OCR system. Key fields, including customer identifier, customer name, and record type, are validated by the system against records in the master data file.
- Text from free-form sections from scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.
- Electronic files received contain batch control totals. During the load processing, data captured is reconciled to batch totals automatically by the application.
Illustrative risk: Inputs are not captured in a timely manner.
Illustrative types of controls:
- Electronic files are processed when received. The application monitors files that fail to process completely and generates an incident management error record.
- Manual forms for data entry are batched upon receipt. Batches are traced to batches entered for processing daily by the data entry supervisor, and differences are investigated.
Illustrative risk: The final disposition of input cannot be traced to its source to validate that it was processed correctly, and the results of processing cannot be traced to initial input to validate completeness and accuracy.
Illustrative types of controls:
- Inputs are coded with identification numbers, registration numbers, registration information, or time stamps to enable them to be traced from initial input to output and final disposition and from output to source inputs.
PI1.3 Criterion: Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements.
Illustrative risk: Data is lost during processing.
Illustrative types of controls:
- Input record counts are traced from entry to final processing. Any differences are investigated.
Illustrative risk: Data is inaccurately modified during processing.
Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
- Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.
Illustrative risk: Newly created data is inaccurate.
Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- The system compares generated data to allowable values. Values outside the allowable values are written to the value exception report. Items on the value exception report are reviewed by the output clerk on a daily basis.
Illustrative risk: Processing is not completed within required timeframes.
Illustrative types of controls:
- Scheduling software is used to control the submission and monitoring of job execution. An incident management record is generated automatically in the service management system when processing errors are identified.
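The following is an added example, not part of the AICPA document, showing in code what two of the PI1.2 and PI1.3 illustrative controls automate: reconciling captured records to the batch control totals carried in an electronic file, and comparing output values against the prior cycle with variances above a threshold flagged as incidents. The pipe-delimited file layout, the incident record shape, and all sample values are constructed for the example.

```python
"""Processing integrity checks modelled on the PI1.2 (batch control totals) and
PI1.3 (prior-cycle variance) illustrative controls. Added example; the file
layout, threshold, and data are constructed, not taken from the document."""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Incident:
    kind: str     # "BATCH_TOTAL_MISMATCH" or "VARIANCE"
    key: str      # batch id or output line item
    detail: str   # what an output clerk would see on the incident record


def parse_batch_file(text: str) -> tuple[dict, list[dict]]:
    """Parse a constructed pipe-delimited file: one H(eader) line carrying the
    control totals, then D(etail) records. Anything else is rejected so that a
    malformed file cannot be partially loaded without anyone noticing."""
    header, records = None, []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        fields = line.split("|")
        if fields[0] == "H" and header is None and len(fields) == 4:
            header = {"batch_id": fields[1], "record_count": int(fields[2]),
                      "amount_total": Decimal(fields[3])}
        elif fields[0] == "D" and len(fields) == 3:
            records.append({"id": fields[1], "amount": Decimal(fields[2])})
        else:
            raise ValueError(f"line {lineno}: unexpected record {line!r}")
    if header is None:
        raise ValueError("file has no control-total header")
    return header, records


def reconcile_batch(header: dict, records: list[dict]) -> list[Incident]:
    """PI1.2 control: data captured is reconciled to the batch control totals.
    Both the record count and the amount (hash) total must agree; each
    mismatch becomes an incident for the data entry supervisor to investigate."""
    incidents = []
    count = len(records)
    total = sum((r["amount"] for r in records), Decimal(0))
    if count != header["record_count"]:
        incidents.append(Incident("BATCH_TOTAL_MISMATCH", header["batch_id"],
                                  f"captured {count} records, control count {header['record_count']}"))
    if total != header["amount_total"]:
        incidents.append(Incident("BATCH_TOTAL_MISMATCH", header["batch_id"],
                                  f"captured total {total}, control total {header['amount_total']}"))
    return incidents


def variance_report(prior: dict[str, Decimal], current: dict[str, Decimal],
                    threshold_pct: Decimal) -> list[Incident]:
    """PI1.3 control: output values are compared against prior cycle values and
    variances greater than threshold_pct are flagged. A line item present in
    only one cycle is flagged as well: a dropped output is a completeness
    failure that a percentage test on matching keys alone would never see."""
    incidents = []
    for key in sorted(set(prior) | set(current)):
        if key not in prior or key not in current:
            incidents.append(Incident("VARIANCE", key, "present in only one cycle"))
            continue
        p, c = prior[key], current[key]
        if p == 0:
            # Percentage change is undefined from zero; treat any change as 100%.
            pct = Decimal(0) if c == 0 else Decimal(100)
        else:
            pct = abs(c - p) / abs(p) * 100
        if pct > threshold_pct:
            incidents.append(Incident("VARIANCE", key,
                                      f"prior {p}, current {c}, variance {pct:.1f}%"))
    return incidents


# Constructed sample: the header claims 4 records totalling 1250.00, but only
# 3 records totalling 1000.00 arrived, as if one detail line were lost in transfer.
SAMPLE_FILE = """
H|B20160401-07|4|1250.00
D|1001|250.00
D|1002|500.00
D|1003|250.00
"""

# Constructed prior and current cycle output totals; "refunds" vanished this cycle.
PRIOR_CYCLE = {"invoices_issued": Decimal("1000"), "credits": Decimal("40"),
               "refunds": Decimal("10")}
CURRENT_CYCLE = {"invoices_issued": Decimal("1030"), "credits": Decimal("65")}


def run_checks() -> list[Incident]:
    """Run both controls over the constructed sample and return the incidents."""
    header, records = parse_batch_file(SAMPLE_FILE)
    incidents = reconcile_batch(header, records)
    incidents += variance_report(PRIOR_CYCLE, CURRENT_CYCLE, Decimal(10))
    return incidents


if __name__ == "__main__":
    for inc in run_checks():
        print(f"{inc.kind:22} {inc.key:15} {inc.detail}")
```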
PI1.4 Criterion: Data is stored and maintained completely, accurately, and in a timely manner for its specified life span to meet the entity's processing integrity commitments and system requirements.
Illustrative risk: Data is not available for use as committed or agreed.
Illustrative types of controls:
- A mirror image of application data files is created nightly and stored on a second system for use in recovery and restoration in the event of a system disruption or outage.
Illustrative risk: Stored data is inaccurate.
Illustrative types of controls:
- Logical access to stored data is restricted to the application and database administrators.
Illustrative risk: Stored data is incomplete.
Illustrative types of controls:
- Data is reconciled on a monthly basis by rolling forward prior period balances with monthly activity and comparing results to the stored data balances.
PI1.5 Criterion: System output is complete, accurate, and distributed to meet the entity's processing integrity commitments and system requirements.
Illustrative risk: System output is not complete.
Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
- On a monthly basis, total records processed are compared with total records received via electronic submission, manual entry, and sheets scanned by the OCR system.
Illustrative risk: System output is not accurate.
Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
- Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.
Illustrative risk: System output is provided to unauthorized recipients.
Illustrative types of controls:
- Application security restricts output to approved user IDs.
Illustrative risk: System output is not available to authorized recipients.
Illustrative types of controls:
- Output is generated by the system based on a master schedule. Changes to the master schedule are managed through the change management process and are approved by the customer service executive. On a daily basis, an automated routine scans output files to validate that all required output has been generated. The routine generates an incident record for any missing output. Incident tickets are managed through the incident management process.
PI1.6 Criterion: Modification of data, other than routine transaction processing, is authorized and processed to meet the entity's processing integrity commitments and system requirements.
Illustrative risk: Data is modified by an unauthorized process or procedure, resulting in inaccurate or incomplete data.
Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
- Application level security restricts the ability to access, modify, and delete data to authenticated internal and external users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.
Illustrative risk: Data is modified without authorization.
Illustrative types of controls:
- Logical access to stored data is restricted to the application and database administrators.
Illustrative risk: Data is lost or destroyed.
Illustrative types of controls:
- Logical access to stored data is restricted to the application and database administrators.
- A mirror image of application data files is created nightly and stored on a second secure system for use in recovery and restoration in the event of a system disruption or outage.
Additional Criteria for Confidentiality
C1.1 Criterion: Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity's confidentiality commitments and system requirements.
Illustrative risk: Data used in nonproduction environments is not protected from unauthorized access as committed.
Illustrative types of controls:
- The entity creates test data using data masking software that replaces confidential information with test information prior to the creation of test databases.
- Data owners approve any storage or use of production information in nonproduction environments.
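The following is an added example, not part of the AICPA document, of a masking pass of the kind the C1.1 illustrative control describes: confidential fields in production rows are replaced with keyed pseudonyms before a test database is built, so test data still joins correctly (the same customer always maps to the same pseudonym) while the originals cannot be read back from the test copy. The field classification, the masking key, and the sample rows are constructed for the example.

```python
"""Deterministic test-data masking modelled on the C1.1 illustrative control.
Added example; field names, key, and rows are constructed, not from the document."""
from __future__ import annotations

import hashlib
import hmac

# Which fields are confidential is a data classification decision; this is a
# constructed policy for the example. Every column must be classified one way
# or the other so that a new, unclassified column is never copied by default.
CONFIDENTIAL_FIELDS = {"customer_name", "email", "national_id"}
PASSTHROUGH_FIELDS = {"customer_id", "record_type", "balance"}

# Constructed key; in practice it would come from a secrets store and never be
# shipped with the test database.
MASKING_KEY = b"constructed-example-key-do-not-use"


def _pseudonym(key: bytes, field: str, value: str, length: int = 10) -> str:
    """Keyed, field-scoped HMAC so that the same value appearing in two fields
    does not yield a cross-linkable token, and so that the mapping cannot be
    reproduced without the key (a plain hash of a name or ID could be)."""
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def mask_row(row: dict[str, str], key: bytes) -> dict[str, str]:
    """Replace confidential fields with format-preserving test values."""
    masked = {}
    for field, value in row.items():
        if field in PASSTHROUGH_FIELDS:
            masked[field] = value
        elif field in CONFIDENTIAL_FIELDS:
            token = _pseudonym(key, field, value)
            if field == "email":
                masked[field] = f"test-{token}@example.invalid"  # reserved test domain
            elif field == "customer_name":
                masked[field] = f"Test User {token[:6]}"
            else:
                masked[field] = token
        else:
            # Safe failure mode: stop rather than leak a column nobody classified.
            raise KeyError(f"unclassified field {field!r}")
    return masked


def mask_rows(rows: list[dict[str, str]], key: bytes) -> list[dict[str, str]]:
    return [mask_row(r, key) for r in rows]


def verify_no_leak(originals: list[dict[str, str]],
                   masked: list[dict[str, str]]) -> list[tuple[int, str]]:
    """Post-masking check: no original confidential value may survive anywhere
    in the masked output. Returns (row index, field) for each leak found."""
    leaks = []
    masked_text = "\n".join(v for r in masked for v in r.values())
    for i, row in enumerate(originals):
        for field in CONFIDENTIAL_FIELDS & row.keys():
            if row[field] and row[field] in masked_text:
                leaks.append((i, field))
    return leaks


# Constructed production rows; rows 0 and 2 belong to the same customer so the
# masked output must give them the same pseudonyms.
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "customer_name": "Alice Example", "email": "alice@example.com",
     "national_id": "ZX-44-9921", "record_type": "INV", "balance": "120.50"},
    {"customer_id": "C-1002", "customer_name": "Bob Sample", "email": "bob@example.com",
     "national_id": "ZY-17-3305", "record_type": "INV", "balance": "0.00"},
    {"customer_id": "C-1001", "customer_name": "Alice Example", "email": "alice@example.com",
     "national_id": "ZX-44-9921", "record_type": "CRD", "balance": "-20.00"},
]


if __name__ == "__main__":
    test_rows = mask_rows(SAMPLE_ROWS, MASKING_KEY)
    for r in test_rows:
        print(r)
    print("leaks:", verify_no_leak(SAMPLE_ROWS, test_rows))
```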
C1.2 Criterion: Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity's confidentiality commitments and system requirements.
Illustrative risk: Unauthorized access to confidential information is obtained during processing.
Illustrative types of controls:
- Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
- Logical access other than through the authorized application is restricted to administrators through database management system native security. Creation and modification of access control records for the database management systems occurs through the access provisioning process.
- Application level security restricts the ability to access, modify, and delete data to authenticated internal and external users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.
Illustrative risk: Unauthorized access to confidential information in output is obtained after processing.
Illustrative types of controls:
- Application security restricts output to approved roles or user IDs.
- Output containing sensitive information is printed at the secure print facility and is marked with the legend "Confidential."
- Paper forms are physically secured after data entry. Physical access is restricted to storage clerks.
- Personal information (both public and sensitive information) involved in business processes, systems, and third-party involvement is clearly identified and classified based on severity and risk within data management policies and procedures. The quantities of personal and sensitive information are identified.
- Awareness training is provided to personnel around the policy and usage of personal information.
C1.3 Criterion: Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity's confidentiality commitments and system requirements.
Illustrative risk: Confidential information transmitted beyond the boundaries of the system is provided to unauthorized user entity personnel.
Illustrative types of controls:
- Application security restricts output to approved user IDs.
- Transmission of digital output beyond the boundary of the system occurs through the use of authorized software supporting the advanced encryption standard (AES).
- Logical access to stored data is restricted to application and database administrators.
- Data is stored in encrypted format using software supporting the AES.
- Use of removable media is prohibited by policy except when authorized by management.
Illustrative risk: Confidential information is transmitted to related parties, vendors, or other approved parties, contravening confidentiality commitments.
Illustrative types of controls:
- Application security restricts output to approved user IDs.
- Transmission of digital output beyond the boundary of the system occurs through the use of authorized software supporting the AES.
- Confidential paper records are stored in locked containers in accordance with the retention schedule.
- The entity has the capability to identify, capture, preserve, and transfer client data, in the event of a legal preservation request, without impacting other client data.
- A nondisclosure or confidentiality agreement is signed by all personnel with access to confidential information.
C1.4 Criterion: The entity obtains confidentiality commitments that are consistent with the entity's confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.
Illustrative risk: Related party and vendor personnel are unaware of the entity's confidentiality commitments.
Illustrative types of controls:
- Formal information sharing agreements are in place with related parties and vendors. These agreements include confidentiality commitments applicable to that entity. Agreement terms include requirements for marking and identifying data as confidential, handling standards for confidential data in the custody of related parties and vendors, and returning and disposing of confidential information when no longer required.
Illustrative risk: Requirements for handling of confidential information are not communicated to and agreed to by related parties and vendors.
Illustrative types of controls:
- Formal information sharing agreements are in place with related parties and vendors. These agreements include confidentiality commitments applicable to that entity.
C1.5 Criterion: Compliance with the entity's confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.
Illustrative risk: Related party and vendor systems are not suitably designed or operating effectively to comply with confidentiality commitments.
Illustrative types of controls:
- Related party and vendor systems are subject to review as part of the vendor risk management process. Attestation reports (SOC 2 reports) are obtained and evaluated when available. Site visits and other procedures are performed based on the entity's vendor management guidelines.
C1.6 Criterion: Changes to the entity's confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.
Illustrative risk: Confidentiality practices and commitments are changed without the knowledge or consent of internal and external users.
Illustrative types of controls:
- The chief information security officer is responsible for changes to confidentiality practices and commitments. A formal process is used to communicate these changes to internal and external users, related parties, and vendors.
Illustrative risk: Confidentiality practices and commitments are changed without the knowledge of related parties or vendors, resulting in their systems not complying with the required practices and not meeting the commitments.
Illustrative types of controls:
- The chief information security officer is responsible for changes to confidentiality practices and commitments. A formal process is used to communicate these changes to internal and external users, related parties, and vendors.
C1.8 Criterion: The entity disposes of confidential information to meet the entity's confidentiality commitments and system requirements.
Illustrative risk: Confidential information is not destroyed in accordance with confidentiality commitments and system requirements.
Illustrative types of controls:
- The entity
  - locates and removes or redacts specified confidential information as required.
  - regularly and systematically destroys, erases, or makes anonymous confidential information that is no longer required for the purposes identified in its confidentiality commitments or system requirements.
  - erases or destroys records in accordance with the retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
  - disposes of original, archived, backup, and ad hoc or personal copies of records in accordance with its destruction policies.
  - documents the disposal of confidential information.
Additional Criteria for Privacy
P1.0 Privacy Criteria Related to Notice and Communication of Commitments and System Requirements
P1.1 Criterion: The entity provides notice to data subjects about its privacy practices to meet the entity's privacy commitments and system requirements. The notice is updated and communicated to data subjects in a timely manner for changes to the entity's privacy practices, including changes in the use of personal information, to meet the entity's privacy commitments and system requirements.
Illustrative risk: Data subjects are not notified of the purpose for the collection, use, and retention of their personal information, thereby creating the potential for regulatory compliance violation (for example, with respect to Fair Information Practice Principles [FIPPs], the Health Insurance Portability and Accountability Act [HIPAA], or the Federal Trade Commission) or diminishment of the entity's reputation.
Illustrative types of controls:
- The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices). The notice is
  - readily accessible and made available when personal information is first collected from the data subject.
  - provided in a timely manner (that is, at or before the time personal information is collected, or as soon as practical thereafter) to enable data subjects to decide whether or not to submit personal information to the entity.
  - clearly dated to allow data subjects to determine whether the notice has changed since the last time they read it or since the last time they submitted personal information to the entity.
- In addition, the entity
  - tracks previous iterations of the entity's privacy notices.
  - informs data subjects of a change to a previously communicated privacy notice (for example, by posting the notification on the entity's website, by sending written notice via postal mail, or by sending an email).
  - documents the changes to privacy practices that were communicated to data subjects.
- On a quarterly basis, the CPO and privacy staff meet to discuss the new types of personal information that are collected and the effect on privacy practices, including detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information items. For any new personal information that is collected, systems and processes are updated to provide notice to the data subjects.
Illustrative risk: Data subjects are not notified of one or more of the following:
  - The collection of their personal information or the choice and consent mechanisms in place to opt-out of the collection
  - The retention, sharing, disclosure, and disposal of their personal information
  - Processes in place to obtain access to, make changes to, or make contact or inquiries regarding personal information
  - Additional sources of the personal information collected other than provided by the data subject
Illustrative types of controls:
- The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices). The CPO reviews the notice and documents his or her approval that the notice includes the following disclosures:
  - Notification of a mechanism to opt-out of the collection and use of their personal information upon collection and upon changes to the purpose and use of personal information
  - Policies regarding retention, sharing, disclosure, and disposal of their personal information
  - The mechanism(s) to access, make changes to, or make inquiries regarding their personal information
  - Additional sources of personal information used to enhance, enrich, or infer (through cross-reference) personal information already provided by the data subject upon collection
P1.2 Criterion: The entity's privacy commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.
Illustrative risk: Internal and external users are not notified or aware of personal information collected through both active and passive means.
Illustrative types of controls:
- The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices, through email and surface mail).
Illustrative risk: The privacy commitments and system requirements are not communicated to internal and external users before personal information is collected, or as soon as practical thereafter.
Illustrative types of controls:
- Before personal information is collected, the entity communicates to the internal and external users the purpose and use of the collection of personal information, including detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information.
Illustrative risk: Internal and external users are not notified of changes to the privacy commitments or system requirements for use of information in a timely manner to opt-out of the collection or use of personal information.
Illustrative types of controls:
- Before changes are made, the entity communicates to internal and external users changes to the purpose and use of personal information, including changes to the detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information.
Illustrative risk: Internal and external users are not given sufficient information regarding the nature and extent of the entity's use of personal information.
Illustrative types of controls:
- Before personal information is collected, the entity communicates to internal and external users the purpose and use of the collection of personal information, including detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information.
P2.0 Privacy Criteria Related to Choice and Consent
P2.1 Criterion: The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from the data subject or other authorized person, if required, and such consent is obtained only for the purpose for which the information is intended, consistent with the entity's privacy commitments and system requirements. The entity's basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
Illustrative risk: Consent policies and procedures do not address the choice and consent options. A data subject does not "signify" their agreement, indicating that there is active communication.
Illustrative types of controls:
- Policies and procedures containing information about choice and consent options include the following:
  - Consent is obtained before the personal information is processed or handled.
  - To ensure that consent is freely given, requests for consent are designed not to be deceptive, intimidating, or imply that failure to provide consent will result in significant negative consequences.
  - When authorization is required (explicit consent), the authorization is obtained in writing.
  - Implicit consent has clear actions on how a data subject opts out.
  - Action by a data subject to constitute valid consent.
  - Requests for consent are designed to be appropriate to the age and capacity of the data subject and to the particular circumstances.
Illustrative Risks: Processes are not in place to determine whether implicit or explicit consent is appropriate for the collection of personal information.

Illustrative Types of Controls: On an annual basis, the privacy staff reviews collection processes to determine whether the consents obtained are appropriate (specifically, whether implicit or explicit consent is appropriately collected depending on the collection process).
Illustrative Risks: Data subjects are not notified of choices available related to collection, use, or disclosure of personal information.

Illustrative Types of Controls: Annually, the privacy staff checks that notice is provided to internal and external users; that the notice is clear, comprehensive, and visible to users; and that it includes the purpose and intended use of the collected personal information, encompassing detailed use, consent, ability to opt-out, authorization, sharing, disclosure, access, security, retention, and disposal of personal information.
Illustrative Risks: Lack of understanding of when consent is required due to specific law or regulations.

Illustrative Types of Controls: The privacy staff reviews quarterly relevant privacy laws and regulations to determine whether they require the entity to obtain consent and reviews and updates the entity's policies for conformity to the requirements.
Illustrative Risks: Denial or withdrawal of consent is not recognized or administered.

Illustrative Types of Controls: On an annual basis, the entity sends written notification informing data subjects of their current choice and offers them the option of either confirming or withdrawing their previously given consents. Denial or withdrawal of consents is tracked by privacy staff for further processing.
Illustrative Risks: Implicit consent is relied upon when explicit or opt-out consent is required.

Illustrative Types of Controls: The privacy staff obtains and evaluates requirements to determine whether implicit or explicit consent applies and compares such requirement to consents used.
Illustrative Risks: Opt-out consent is used without communicating the impact of that choice to the user.

Illustrative Types of Controls: Explanatory information is provided when data subjects are given the choice to opt out.
Illustrative Risks: Sensitive personal information is collected without legal grounds and explicit consent.

Illustrative Types of Controls: The privacy staff reviews procedures to assess the nature of the information collected to determine whether personal information received requires an explicit consent. The privacy staff reviews quarterly relevant privacy laws and regulations to determine whether they require the entity to obtain consent, or whether the entity possesses other legal ground to process the data. It also reviews and updates the entity's policies for conformity to the requirement.
Illustrative Risks: There is a lack of clear definition at the entity related to what personal information is considered "sensitive" personal information.

Illustrative Types of Controls: On an annual basis, the CPO reviews its policies to ensure the definition of "sensitive" personal information is properly delineated and communicated to personnel. The entity provides updated training and awareness to personnel that includes defining what constitutes personal information and what personal information is considered sensitive.
Illustrative Risks: Consent is not obtained for new purposes or uses when required.

Illustrative Types of Controls: The privacy office establishes procedures to assess the need for obtaining and recording consents with respect to new products, software, relationships, and transactions. Privacy related complaints are investigated upon receipt to identify whether there were incidents of unfair or unlawful practices.
Illustrative Risks: Personal information is collected in excess of the minimum necessary information needed to provide services in accordance with privacy commitments and system requirements.

Illustrative Types of Controls: Members of the privacy staff determine whether personal information is collected only for the purposes identified in the privacy notice and only the minimum necessary personal information is collected to fulfill the business purpose by
- reviewing and approving system change requests, when changes involve use of personal information or collection of new personal information.
- reviewing the privacy policies and personal information collection methods of third parties prior to contract execution.
- reviewing contracts to determine whether they include provisions requiring that personal information be collected fairly without intimidation or deception and lawfully adhering to all relevant laws and regulations.

Privacy related complaints are investigated on a bi-weekly basis to identify whether there were incidents of unfair or unlawful practices.
Illustrative Risks: The entity does not inform data subjects that it has acquired or is collecting additional personal information; therefore, data subjects are unaware that the entity has personal information beyond what is stated in the entity's privacy notice.

Illustrative Types of Controls: The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices). The notice is
- readily accessible and made available when personal information is first collected from the data subject.
- provided in a timely manner (that is, at or before the time personal information is collected, or as soon as practical thereafter) to enable data subjects to decide whether or not to submit personal information to the entity.
- clearly dated to allow data subjects to determine whether the notice has changed since the last time they read it or since the last time they submitted personal information to the entity.
Illustrative Types of Controls: On an annual basis the entity reviews privacy policies and procedures to ensure that personal information is used in
- conformity with the purposes identified in the entity's privacy notice.
- conformity with the consent received from the data subject.
- compliance with applicable laws and regulations.
P4.2 Criteria: The entity retains personal information consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Personal information is retained in excess of that associated with the stated purpose, longer than necessary to fulfill the stated purpose or longer than allowed by law or regulations, thereby creating potential for compliance violations and increased data breach exposure.

Illustrative Types of Controls: The entity establishes written policies related to retention periods for each type of information it maintains. The entity
- has automated system processes in place to delete information in accordance with specific retention requirements.
- deletes backup information in accordance with a defined schedule.
- requires approval by the CPO for information to be retained beyond its retention period and specifically marks such information for retention.
- reviews annually information marked for retention.
Illustrative Risks: Storage locations of personal information are not identified and tracked, thereby increasing risks of data breaches.

Illustrative Types of Controls: An annual review of the organization's data inventory is performed to verify that the documentation is kept current and includes the location of the data, a description of the data, and identified data owners.
Illustrative Risks: Personal information is retained in a manner that violates applicable laws and regulations.

Illustrative Types of Controls: The entity has documented its personal information retention policies and procedures, which are reviewed on at least an annual basis by legal counsel for consistency with applicable laws and regulations. Personal information retention laws and regulations are reviewed on at least an annual basis by members of the privacy staff and legal counsel for any new or revised applicable laws or regulations. Entity retention policies and procedures are reviewed for consistency with applicable laws and regulations. Any personal information retention policies and procedures that are not aligned with the current applicable laws and regulations are escalated to management for corrective action (for example, updating of the entity's policies and procedures as necessary).
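The P4.2 controls above call for automated deletion on a per-type retention schedule, CPO-approved marking of information kept beyond its period, and an annual review of what was marked. The following Python sketch is an added illustration of how those three controls fit together in code; it is not from the AICPA text or any entity's system, and the information types, retention periods, record IDs and approver address in it are constructed assumptions. Records whose type has no retention policy are flagged rather than deleted, and backup deletion is left to a separate scheduled job.

```python
"""Retention enforcement for personal information.

Added example; not from the AICPA criteria text or any entity's system.
The information types, retention periods, and approver names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed retention schedule (days) per type of information held.
RETENTION_DAYS: Dict[str, int] = {
    "support_ticket": 365,
    "billing_record": 7 * 365,
    "marketing_lead": 180,
}


@dataclass
class Record:
    record_id: str
    info_type: str
    collected_on: date
    # Retention hold beyond the normal period: only valid with a named
    # CPO approver and a reason, mirroring the "approval by the CPO" control.
    hold_approved_by: Optional[str] = None
    hold_reason: str = ""


@dataclass
class RetentionReport:
    deleted: List[str] = field(default_factory=list)
    on_hold: List[str] = field(default_factory=list)
    retained: List[str] = field(default_factory=list)
    unclassified: List[str] = field(default_factory=list)


def expiry_date(rec: Record) -> date:
    return rec.collected_on + timedelta(days=RETENTION_DAYS[rec.info_type])


def approve_hold(rec: Record, approver: str, reason: str) -> None:
    """Mark a record for retention past its period; requires approver and reason."""
    if not approver or not reason:
        raise ValueError("a retention hold needs a CPO approver and a reason")
    rec.hold_approved_by = approver
    rec.hold_reason = reason


def enforce_retention(records: List[Record], today: date) -> RetentionReport:
    """Delete expired records unless held; prune the list in place and report."""
    report = RetentionReport()
    survivors: List[Record] = []
    for rec in records:
        if rec.info_type not in RETENTION_DAYS:
            # No policy for this type: never delete silently, flag for review.
            report.unclassified.append(rec.record_id)
            survivors.append(rec)
        elif today <= expiry_date(rec):
            report.retained.append(rec.record_id)
            survivors.append(rec)
        elif rec.hold_approved_by:
            report.on_hold.append(rec.record_id)
            survivors.append(rec)
        else:
            report.deleted.append(rec.record_id)
    records[:] = survivors
    return report


def annual_hold_review(records: List[Record]) -> List[dict]:
    """Rows for the annual review of information marked for retention."""
    return [
        {"record_id": r.record_id, "info_type": r.info_type,
         "approved_by": r.hold_approved_by, "reason": r.hold_reason}
        for r in records if r.hold_approved_by
    ]


def demo_records() -> List[Record]:
    """Constructed sample store used by the demonstration below."""
    return [
        Record("r1", "marketing_lead", date(2024, 1, 1)),
        Record("r2", "support_ticket", date(2023, 1, 1)),
        Record("r3", "billing_record", date(2020, 1, 1)),
        Record("r4", "legacy_export", date(2019, 1, 1)),
    ]


if __name__ == "__main__":
    store = demo_records()
    approve_hold(store[1], "cpo@example.invalid", "litigation hold (constructed)")
    print(enforce_retention(store, date(2024, 7, 1)))
    print(annual_hold_review(store))
```

Run on the constructed store as of 2024-07-01, the expired marketing lead is deleted, the expired support ticket survives only because it carries an approved hold and therefore appears in the annual review output, the billing record is still within its period, and the record of unknown type is reported for classification instead of being silently kept or dropped.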
P4.3 Criteria: The entity securely disposes of personal information consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Personal information is not destroyed to meet the entity's privacy commitments and system requirements and applicable laws and regulations, thereby creating the potential for compliance violations and increased data breach exposure.

Illustrative Types of Controls: On a weekly basis data center personnel complete a checklist that documents the entity
- erased or destroyed records in accordance with its retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
- disposed of original, archived, backup, and ad hoc or personal copies of records in accordance with its destruction policies.
- documented the disposal of personal information.
- located and removed or redacted specified personal information about a data subject as required within the limits of technology (for example, removing credit card numbers after the transaction is complete).
- destroyed, erased, or made anonymous personal information that is no longer required for the purposes identified in its privacy commitments or as required by law or regulation.

Data center personnel complete the preceding items in accordance with destruction procedures and attach documentation of the performance of those procedures to the checklist. CPO staff perform quarterly compliance assessment for a sample of business units to verify compliance with privacy and security policies by reviewing the checklists and associated documentation.
P5.0 Privacy Criteria Related to Access
P5.1 Criteria: The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to the data subject consistent with the entity's privacy commitments and system requirements. If access is denied, the data subject is informed of the denial and reason for such denial, as required, consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Data subjects are not aware of the process for requesting access to or a copy of their personal information creating the potential for compliance violations or data integrity issues.

Illustrative Types of Controls: Privacy staff annually review processes that involve direct communication with data subjects, online notices, privacy statements, mailings, and training and awareness programs for staff to determine whether they address the process for providing data subjects with access to their personal information and updating their information. The CPO establishes written procedures to update communications to data subjects when changes occur to access policies, procedures, and practices.

The entity's privacy notice is made available to data subjects at the time an agreement for services is entered into as well as on the entity's website, which explains the process for providing data subjects with access to their personal information and updating their information.

The CPO establishes written privacy policies and procedures that define how entity personnel are to respond to requests by data subjects to access their information.
Illustrative Risks: Access is provided to unauthorized individuals who are not authenticated prior to providing them with access.

Illustrative Types of Controls: The CPO establishes written procedures to track and monitor the authentication of data subjects before they are granted access to personal information.
Illustrative Risks: Information provided to the data subject is incomplete, inaccurate, or not received in a timely manner.

Illustrative Types of Controls: Annually, the CPO reviews reports that summarize the response times in providing personal information, the associated costs incurred by the entity, and any charges to the data subjects. Annual assessments of the understandability of the format for information provided to data subjects are conducted by privacy staff.
Illustrative Risks: When data subjects are denied access, the data subjects are not informed of the reason for the denial in accordance with the entity's privacy commitments and system requirements.

Illustrative Types of Controls: Annually, the CPO reviews reports that summarize the response time to data subjects whose access request has been denied and reasons for such denials, as well as any communications regarding challenges.
P5.2 Criteria: The entity corrects, amends, or appends personal information based on information provided by the data subjects and communicates such information to third parties, as committed or required, consistent with the entity's privacy commitments and system requirements. If a request for correction is denied, the data subject is informed of the denial and reason for such denial consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Requests received for corrections, amendments, or additions are not processed correctly, timely, or by an authorized data subject in accordance with the entity's privacy commitments and system requirements.

Illustrative Types of Controls: The CPO establishes written policies and procedures to consistently and uniformly inform data subjects of how to update or correct personal information held by the entity.

The CPO establishes written procedures to track data update and correction requests and to validate the accuracy and completeness of such data. Annually, the CPO reviews reports of updates and correction requests and response time to update records.

Authorized data subjects are designated with the responsibility of making updates or amendments to personal information when self-service functionality is available to the data subject.
Illustrative Risks: Corrected, amended, or appended personal information is not communicated to vendors or other third parties that previously received that personal information in accordance with the entity's privacy commitments and system requirements.

Illustrative Types of Controls: The CPO establishes written procedures to consistently and uniformly provide updated information to vendors or other third parties that previously received the data subject's personal information. Documentation or justification is kept for not providing information updates to relevant vendors and other third parties.
Illustrative Risks: Data subjects are not informed that their request to correct, amend, or add to personal information has been denied or the reason for the denial in accordance with the entity's privacy commitments and system requirements.

Illustrative Types of Controls: The CPO establishes written policies and procedures that cover relevant aspects related to informing data subjects in writing about the reason a request for correction of personal information was denied and how they may appeal.

The CPO annually reviews denials to verify that the justifications for denying requests for correction of personal information were appropriately documented and supported.

The CPO annually reviews cases that involve disagreements over the accuracy and completeness of personal information to validate that the appropriate justifications and supporting documentation are retained.
P6.0 Privacy Criteria Related to Disclosure and Notification
P6.1 Criteria: The entity discloses personal information to third parties with the explicit consent of the data subject to meet the entity's privacy commitments and system requirements, and such consent is obtained prior to disclosure.

Illustrative Risks: Authorized use and disclosure scenarios are not defined and documented.

Illustrative Types of Controls: Business unit leaders identify and document authorized uses and disclosures of personal information relevant to their area. On an annual basis, the uses and disclosures are reviewed and approved by the privacy staff.

A PIA is completed for new types of disclosures of personal information and disclosures to new third-party recipients. As part of the assessment, the privacy staff determines whether the disclosure is consistent with notice, consent, and privacy commitments and system requirements.

As part of the change management process, the CPO reviews and approves new automated disclosures and transmissions to third parties and changes to existing automated disclosures and transmissions.
Illustrative Risks: Personal information is disclosed to vendors and other third parties without obtaining explicit consent of the data subject and does not meet the entity's privacy commitments and system requirements.

Illustrative Types of Controls: When explicit consent is required, business unit personnel implement a process for obtaining explicit consent. Updates to the consent process are reviewed and approved by the CPO.

Requests for disclosure are recorded by business unit personnel and compared to preapproved types of disclosures before processing. When required, consent of the data subject is obtained prior to processing.

Approved data subject and ad hoc requests requiring explicit consent are rejected if consent is not received. Rejections are recorded in a repository.
P6.2 Criteria: The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Unauthorized disclosures are made, thereby creating potential for data breach.

Illustrative Types of Controls: When the disclosure of personal information requires explicit consent, the information to be disclosed through automated processes is compared to the consent records to confirm consent prior to disclosure.

Illustrative Risks: The entity does not maintain records for tracking purposes of disclosures made.

Illustrative Types of Controls: Automated disclosures are recorded in a database of disclosures that is retained in accordance with the entity's privacy commitments and requirements.

Authorized disclosures are recorded and retained in accordance with the entity's privacy commitments and system requirements.

Requests for disclosure are recorded by business unit personnel and compared to preapproved types of disclosures before processing. Requests not in accordance with preapproved disclosure types are evaluated for appropriateness in consultation with the privacy officer. When required, explicit consent of the data subject is obtained prior to processing.
Illustrative Risks: Disclosure requests made by data subjects are not recorded.

Illustrative Types of Controls: Requests for disclosure are recorded by business unit personnel, including the date received and specific details regarding the request (for example, information requested, requestor name, or period of time requested). The privacy staff reviews a report of data subjects and ad hoc disclosure requests on a weekly basis for unprocessed requests and unusual activity. Unprocessed requests are investigated, and unusual requests are recorded in the incident management system for formal investigation and resolution.
P6.3 Criteria: The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures of personal information, including breaches, consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Disclosures identified as part of incident management or reported by data subjects and other external parties are not identified as privacy incidents.

Illustrative Types of Controls: An automated message is sent to the privacy office informing them of unauthorized disclosures and potential disclosures detected as part of the incident management process. Resolution of all incidents flagged as privacy issues must be approved by privacy staff before the record is closed.

Incident management procedures include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. The entity has a standard incident report template that must be completed for each incident. The incident management procedures and templates are communicated to personnel who handle personal information.
P6.4 Criteria: The entity obtains privacy commitments from vendors and other third parties whose products and services are part of the system and who have access to personal information processed by the system that are consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Contractual agreements are not in place between the entity and vendors or other third parties involved in the processing of personal information.

Illustrative Types of Controls: Contracts with vendors or other third parties are required in order to set up a vendor or other third party in the accounts payable system. On an annual basis, the privacy staff obtains a list of paid vendors or other third parties and identifies those that process personal information. The privacy staff also reviews the contracts with those vendors or other third parties to determine whether the contracts contain privacy and security commitments and system requirements that are consistent with the entity's commitments for privacy and security.
Illustrative Risks: The vendor or other third party does not implement its practices in accordance with the entity's privacy commitments and system requirements.

Illustrative Types of Controls: Vendors or other third parties are required to undergo a privacy and security assessment supplied by the entity before the entity enters into a contract with those parties, and [annually or biannually] thereafter, to confirm that administrative, technical, and physical safeguards are consistent with the entity's commitments and system requirements and are in place. Alternatively, vendors or other third parties can provide a privacy SOC 2 report. If a SOC 2 report is provided, the privacy staff reviews the report to verify that the appropriate regulatory requirements are included and met.

The privacy staff reviews the results of the submitted assessment or SOC 2 report to determine whether there are privacy or security risks that require remediation. The privacy office monitors whether any needed remediation is completed timely.

The entity periodically reviews contracts to confirm ongoing alignment with the entity's revised privacy and security policies and procedures.
Illustrative Risks: Contracts between the entity and vendor or other third party do not provide instructions, requirements, or commitments for handling personal information.

Illustrative Types of Controls: Standard contractual templates are used for contracts involving personal information. The contracts contain instructions for approved handling of personal information. Deviations from standard templates require approval from the CPO. Contract templates are reviewed on a periodic basis to determine whether changes are required as a result of changes to system requirements (for example, regulatory requirements or commitments for handling personal information).
P6.5 Criteria: Compliance with the entity's privacy commitments and system requirements by vendors and other third parties whose products and services are part of the system and who have access to personal information processed by the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.

Illustrative Risks: The vendor or other third party does not have the appropriate privacy and security capabilities to comply with contractual commitments.

Illustrative Types of Controls: Standard contractual templates are used for contracts involving personal information containing the requirement for an independent third party assessment or the right to audit the vendor or third party. Deviations from standard templates require approval from the CPO.

Vendors and other third parties are required to undergo a privacy and security assessment prior to entering into a contract with the entity, and annually thereafter, to confirm that administrative, technical, and physical safeguards that are consistent with those of the entity are in place. Alternatively, vendors and other third parties can provide a privacy SOC 2 Report. The privacy staff reviews the results of the assessment or SOC 2 report to determine whether there are privacy or security risks that require remediation.
Illustrative Risks: Changes in the vendor's or other third party's privacy procedures or controls have a detrimental impact on the processing by the vendor or other third party of personal information.

Illustrative Types of Controls: Standard contractual templates are used for contracts involving personal information that contain the requirement for vendors or other third parties to inform the entity of changes to vendor's or other third party's privacy procedures or controls that impact the processing of personal information. Deviations from standard templates require approval from the CPO.

The entity meets with the third party on a quarterly basis to discuss any changes in the vendor's or other third party's privacy procedures or controls that impact the processing of personal information.
Illustrative Risks: Upon termination of a contract, assurances are not obtained from the vendor or other third party to confirm the return or destruction of personal information.

Illustrative Types of Controls: Standard contractual templates are used for contracts involving personal information that contain requirements for vendors or other third parties to provide documentation that confirms that personal information has been appropriately returned or destroyed in accordance with the contractual requirements. Deviations from standard templates require approval from the CPO.

Vendor or other third party relationship managers are required by policy to obtain such assurances and provide the supporting documentation to the privacy staff. Upon determination that a contract is to be terminated, the entity provides the vendor or third party with a checklist of procedures to be performed regarding the return or destruction of the information and a template for written certification of the completion of procedures.
P6.6 Criteria: The entity obtains commitments from vendors and other third parties that may have access to personal information processed by the system to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on to meet the entity's established incident response procedures, privacy commitments, and system requirements.

Illustrative Risks: Vendors and other third parties are not obligated by commitment or requirement to notify the entity of a breach or unauthorized disclosure of personal information in a timely manner.

Illustrative Types of Controls: Standard contractual templates are used for contracts involving personal information containing requirements to notify the entity of a breach or unauthorized disclosure of personal information. Deviations from standard templates require approval from the CPO.

Illustrative Risks: The vendor's or other third party's incident response procedures do not exist.

Illustrative Types of Controls: Prior to contracting with vendors and other third parties, vendors and other third parties are required to provide a copy of their incident response procedures. Vendors and other third parties are provided with specific instructions on who should be contacted in the event of a privacy or security incident as well as the timeframe in which the notification must occur.
P6.7 Criteria: The entity provides notification of breaches and incidents to affected data subjects, regulators, and others consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Unauthorized uses and disclosures are not assessed to determine whether they constitute breaches.

Illustrative Types of Controls: Privacy related disclosures and potential disclosures identified during the incident management process are assessed by privacy staff using predetermined assessment guidelines. Assessments are documented in the incident management system. Unauthorized uses and disclosures that constitute a breach based on the type, sensitivity, value, and amount of personal information that is used or disclosed inappropriately are recorded in a separate repository.

Illustrative Risks: Unauthorized uses and disclosures are not properly identified as breaches.

Illustrative Types of Controls: A comprehensive incident identification and breach response procedure is documented that provides examples of unauthorized uses and disclosures, as well as guidelines to determine whether an incident constitutes a breach. The procedure is communicated to personnel who handle personal information.
Illustrative Risks: Identified breaches and incidents are not recorded in accordance with the entity's privacy commitments and system requirements.

Illustrative Types of Controls: Unauthorized uses and disclosures that constitute a breach based on the type, sensitivity, value, and amount of personal information that is used or disclosed inappropriately are recorded in a separate repository. Breaches and incidents are reviewed by the CPO.
Illustrative Risks: Notification of breaches and incidents is not completed in accordance with commitments and system requirements.

Illustrative Types of Controls: Breach notification procedures are reviewed on a regular basis to determine whether the procedures are aligned with commitments and system requirements. Breach notification activities are reviewed against breach notification procedures and notifications are approved by the CPO.
P6.8 Criteria: The entity provides, to the data subjects, an accounting of the personal information held and disclosure of a data subject's personal information, upon the data subject's request, consistent with the entity's privacy commitments and system requirements.

Illustrative Risks: Requests for an accounting of disclosures are not processed.

Illustrative Types of Controls: Requests for an accounting of disclosures are recorded in a repository. The date of completion of the processing of the requests and the person generating the accounting is documented in the repository.
Illustrative Risks: The accounting of disclosures is provided to an unauthorized person.

Illustrative Types of Controls: Requestor identification procedures are defined in the procedures for processing requests. The type of identification obtained is documented in the repository.
Illustrative Risks: The accounting of disclosures is incomplete or inaccurate.

Illustrative Types of Controls: Predefined queries have been developed for each record of disclosures. The request repository contains a checklist of each system application to be queried. Queries are automatically returned to the processor's workstation in a predefined report format. The processor stores the results of each query to the repository. Upon completion, the processor requests generation of the disclosure report from the repository.
Illustrative Risks: The accounting of disclosures contains personal information for other data subjects.

Illustrative Types of Controls: All queries are based on the specific requesting data subject's unique identification number. Only one identification number can be processed at a time.
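The P6.2 controls (automated disclosures compared to consent records before release, recorded in a disclosure database, with requests checked against preapproved disclosure types) and the P6.8 control just above (an accounting generated from one data subject's identification number at a time) describe two halves of the same mechanism: a consent-gated disclosure register. The Python sketch below is an added illustration of that mechanism, not code from the AICPA text or from any entity's system; the data subject IDs, recipient names, purposes, and field names are constructed, and the register is held in memory rather than in a database.

```python
"""Consent-gated disclosure register with per-subject accounting.

Added example; not from the AICPA criteria text or any entity's system.
Data subject IDs, recipients, purposes, and field names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: Set[str]      # purposes the data subject explicitly consented to
    recipients: Set[str]    # third parties named in that consent
    withdrawn: bool = False


@dataclass(frozen=True)
class DisclosureEntry:
    when: datetime
    subject_id: str
    recipient: str
    purpose: str
    fields: Tuple[str, ...]


@dataclass(frozen=True)
class Rejection:
    when: datetime
    subject_id: str
    recipient: str
    purpose: str
    reason: str


class DisclosureRegister:
    """Gate automated disclosures on consent and keep the required records."""

    def __init__(self, consents: Dict[str, ConsentRecord],
                 preapproved: Set[Tuple[str, str]]) -> None:
        self.consents = consents
        self.preapproved = preapproved   # (recipient, purpose) pairs approved by privacy staff
        self.disclosures: List[DisclosureEntry] = []
        self.rejections: List[Rejection] = []

    def check_consent(self, subject_id: str, recipient: str, purpose: str) -> Optional[str]:
        """Return a rejection reason, or None when the disclosure is authorised."""
        if (recipient, purpose) not in self.preapproved:
            return "disclosure type not preapproved"
        consent = self.consents.get(subject_id)
        if consent is None:
            return "no consent record"
        if consent.withdrawn:
            return "consent withdrawn"
        if purpose not in consent.purposes or recipient not in consent.recipients:
            return "consent does not cover this recipient and purpose"
        return None

    def disclose(self, subject_id: str, recipient: str, purpose: str,
                 fields: List[str], now: datetime) -> bool:
        """Disclose only if the consent check passes; record the outcome either way."""
        reason = self.check_consent(subject_id, recipient, purpose)
        if reason is not None:
            self.rejections.append(Rejection(now, subject_id, recipient, purpose, reason))
            return False
        self.disclosures.append(
            DisclosureEntry(now, subject_id, recipient, purpose, tuple(fields)))
        return True

    def accounting_for(self, subject_id: str) -> List[dict]:
        """Accounting of disclosures for exactly one data subject's ID."""
        if not isinstance(subject_id, str) or not subject_id:
            raise ValueError("accounting runs for one identification number at a time")
        return [
            {"when": d.when.isoformat(), "recipient": d.recipient,
             "purpose": d.purpose, "fields": list(d.fields)}
            for d in self.disclosures if d.subject_id == subject_id
        ]


def build_demo_register() -> DisclosureRegister:
    """Constructed consents and preapproved disclosure types."""
    consents = {
        "DS-001": ConsentRecord("DS-001", {"payment_processing"}, {"acme-payments"}),
        "DS-002": ConsentRecord("DS-002", {"payment_processing"}, {"acme-payments"},
                                withdrawn=True),
    }
    return DisclosureRegister(consents, {("acme-payments", "payment_processing")})


if __name__ == "__main__":
    reg = build_demo_register()
    t = datetime(2024, 3, 1, 12, 0)
    reg.disclose("DS-001", "acme-payments", "payment_processing", ["name", "card_last4"], t)
    reg.disclose("DS-002", "acme-payments", "payment_processing", ["name"], t)
    reg.disclose("DS-001", "adnet", "marketing", ["email"], t)
    print(reg.accounting_for("DS-001"))
    print([r.reason for r in reg.rejections])
```

The preapproval check runs before the consent lookup so that a disclosure type privacy staff never approved is rejected even where a consent record would cover it, and every rejection is kept alongside the disclosures so the weekly review of unprocessed and unusual requests has something to read. The accounting query accepts a single string identifier and refuses a list, which is the cheapest way to make the "one identification number at a time" control hard to bypass by accident.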
P7.0 Privacy Criteria Related to Quality
P7.1 The entity collects Personal As personal
and maintains information that is information is
accurate, up-to-date, collected is collected, automated
complete, and inaccurate or edit checks and
relevant personal incomplete. balances help ensure
information that data entry fields
consistent with the are completed
entity's privacy properly (for
commitments and example, only 9 digits
system are allowed when
requirements. SSNs are entered).
As personal
information is
collected, users are
asked to confirm that
their information is
correct prior to
submitting the
information to the
entity.
The personal Automated controls
information that is exist to identify and
collected is modified provide notification
inaccurately. within the entity
when personal
information within
the IT systems is
altered. Such
alterations must be
reviewed and
approved by
operations personnel
prior to finalization
of the records.
When personal
information within
the IT systems is
altered, notification
is sent to the data
subject. The entity
requests the data
subject communicate
any inaccuracies
within 30 days.
Illustrative Types
Criteria Illustrative Risks of Controls
The personal Automated controls
information is exist to provide
altered within the notification within the
entity, whether entity when personal
intentionally or information within the
unintentionally, IT application systems
such that it is no is altered. Such
longer accurate and alterations must be
complete. reviewed and
approved by
operations personnel
prior to finalization of
the records.
Information that is Personal information
not relevant to the collected and the
purpose is collected. intended purpose of
Information is collection is compared
collected and used to the privacy notice
for a purpose that is for completeness and
not disclosed to the accuracy.
data subject.
The entity maintains
an up-to-date
inventory of data for
which business units
are required to supply
regular updates. The
CPO reviews the
inventory on a regular
basis.
Changes to the way
that personal
information is
collected and the
purposes for which the
information is used
are communicated to
the appropriate
individuals
responsible for
governance within the
entity. These
individuals assess the
changes, determine
their appropriateness,
and alter the privacy
notice as needed.
P8.0 Privacy Criteria Related to Monitoring and Enforcement

P8.1 Criterion: The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance with the entity's privacy commitments and system requirements; corrections and other necessary actions related to identified deficiencies are taken in a timely manner.

Illustrative risk: Data subjects are not informed about how to contact the entity with inquiries, complaints, and disputes.
Illustrative types of controls: The entity monitors the status of privacy controls and the entity's adherence to the entity's commitments to customers and data subjects related to the protection of the privacy of customer personal information and provides customers and data subjects with information on how to contact the entity with inquiries, complaints, and disputes.

Illustrative risk: Inability for a complaint to be submitted, which creates necessity for data subjects to report complaints to regulatory agencies.
Illustrative types of controls: The entity provides an automated, confidential, customer privacy complaint system for capturing and tracking customer privacy concerns and issues. Customer privacy concerns captured by the complaint tracking system are shared with the entity's board of directors and relevant oversight bodies or regulatory authorities as may be required by law or regulation.

Illustrative risk: Failure to assess complaints to determine whether a breach or inappropriate access requires action, such as a formal reporting or corrective action plan.
Illustrative types of controls: The entity implements a Data Privacy Task Force comprising senior service entity team leads who are responsible for monitoring adherence to the entity's privacy policies and procedures. The Data Privacy Task Force is responsible for evaluating customer privacy concerns and complaints, determining whether urgent reporting or remediation actions are required, and directly responding to customers on actions taken to address such concerns and complaints.

Illustrative risk: Corrective action plans are not developed or monitored to ensure that an issue does not reoccur.
Illustrative types of controls: The privacy staff monitors the development and execution of corrective action plans that were developed to address identified or suspected privacy incidents and related data processing issues that could affect privacy controls.

Illustrative risk: Policies and procedures are out of date and do not support current regulations, agreements, or contracts.
Illustrative types of controls: The privacy staff monitors the continued relevance and applicability of the entity's policies and procedures related to privacy regulations, agreements, and contracts.

Illustrative risk: Lack of documented activity related to monitoring or auditing may deem the program ineffective.
Illustrative types of controls: The CPO establishes written policies and procedures to monitor its privacy controls and compliance with the entity's privacy policies and procedures, laws, regulations, and other requirements. Selection of controls to be monitored and frequency with which they are monitored are based on a risk assessment. Annually, compliance monitoring results and remediation activities are analyzed by the privacy office and provided to management.

Illustrative risk: Lack of written action plans may deem the program ineffective.
Illustrative types of controls: Written action plans are used by management to help ensure that the entity's privacy program is operating effectively in identifying, monitoring, and addressing privacy related concerns.
.09 For each of the principles there are detailed criteria that serve as benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter. The attributes of suitable criteria are as follows:
• Objectivity. Criteria should be free from bias.
• Measurability. Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
• Completeness. Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about subject matter are not omitted.
• Relevance. Criteria should be relevant to the subject matter.
.10 ASEC has concluded that the trust services criteria for each individual
principle that include the common criteria have all of the attributes of suitable
criteria. In addition to being suitable, AT section 101 indicates that the criteria
must be available to users of the practitioner's report. The publication of the
principles and criteria makes the criteria available to users.
.11 The trust services principles and criteria are designed to be flexible and enable the achievement of the objectives of users and management. Accordingly, a practitioner may be engaged to perform an engagement related to a single principle, multiple principles, or all of the principles.
.12 The environment in which the system operates; the commitments,
agreements, and responsibilities of the entity operating the system; as well as
the nature of the components of the system result in risks that the criteria
will not be met. These risks are addressed through the implementation of
suitably designed controls that, if operating effectively, provide reasonable
assurance that the criteria are met. Because each system and the environment
in which it operates are unique, the combination of risks to meeting the criteria
and the controls necessary to address the risks will be unique. As part of
the design and operation of the system, management of an entity needs to
identify the specific risks that the criteria will not be met and the controls
necessary to address those risks. Appendix B provides examples of risks that
may prevent the criteria from being met as well as examples of controls that
would address those risks. These illustrations are not intended to be applicable
to any particular entity or all-inclusive of the risks to meeting the criteria or
the controls necessary to address those risks.
2
SysTrust℠, SysTrust for Service Organizations℠, and WebTrust℠ are specific branded assurance services offerings developed by the AICPA and Canadian Institute of Chartered Accountants (CICA) that are based on the trust services principles and criteria. Practitioners must be licensed by CICA to use these registered service marks. Service marks can only be issued for engagements that result in an unqualified examination opinion. For more information on licensure, see www.webtrust.org.
3
Personal information is information that is about or can be related to an identifiable individual. It may include information about customers, employees, and other individuals.
Effective Date
.17 The trust services principles and criteria are effective for periods
ending on or after December 15, 2014. Early implementation is permitted.
.18
Appendix A Definitions
accuracy. The key information associated with the submitted transaction remains accurate throughout the processing of the transaction and that the transaction or service is processed or performed as intended.
authorization. The processing is performed in accordance with and subject to the required approvals and privileges defined by policies governing system processing.
authorized access. Access is authorized only if (a) the access has been approved by a person designated to do so by management, and (b) the access does not compromise segregation of duties, confidentiality commitments, or otherwise increase risk to the system beyond the levels approved by management (that is, access is appropriate).
boundary of the system. The physical and logical perimeter of that portion of an entity's operations that is used to achieve management's specific business objectives of a system. The boundary includes all components of the system for which the entity is responsible, including those provided by vendors and other third parties. For a privacy or confidentiality engagement, the boundary of the system includes the components starting with the capture of the information through its disclosure and final disposition (often referred to as the information life cycle). The boundary of the system includes (a) the collection, use, retention, disclosure and de-identification, or anonymization of the information until its destruction and (b) all business segments and locations for the entire entity or only certain identified segments of the business (for example, retail operations but not manufacturing operations or only operations originating on the entity's website or specified Web domains) or geographic locations (for example, only Canadian operations).
commitments. Declarations made by management to customers regarding the performance of a system. Commitments can be communicated through individual agreements, standardized contracts, service level agreements, or published statements (for example, security practices statement). An individual commitment may relate to one or more principles. The practitioner need only consider commitments related to the principles on which he or she is engaged to report. Commitments may take many forms including the following:
• Specification of the algorithm used in a calculation
• Contractual agreement that states the hours a system will be available
• Published password standards
• Encryption standards used to encrypt stored customer data
completeness. Transactions are processed or all services are performed without omission.
Criteria | Illustrative Risks | Controls

Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles

CC1.0 Common Criteria Related to Organization and Management

CC1.1 Criterion: The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

Illustrative risk: The entity's organizational structure does not provide the necessary information flow to manage [security, availability, processing integrity, or confidentiality] activities.
Controls: The entity evaluates its organizational structure, reporting lines, authorities, and responsibilities as part of its business planning process and as part of its ongoing risk assessment and management process and revises these when necessary to help meet changing commitments and requirements.

Illustrative risk: The roles and responsibilities of key managers are not sufficiently defined to permit proper oversight, management, and monitoring of [security, availability, processing integrity, or confidentiality] activities.
Controls: Roles and responsibilities are defined in written job descriptions and communicated to managers and their supervisors. Job descriptions are reviewed by entity management on an annual basis for needed changes and where job duty changes are required necessary changes to these job descriptions are also made.

Illustrative risk: Reporting relationships and organizational structure do not permit effective senior management oversight of [security, availability, processing integrity, or confidentiality] activities.
Controls: Reporting relationships and organizational structures are reviewed periodically by senior management as part of organizational planning and adjusted as needed based on changing entity commitments and requirements.

Illustrative risk: Personnel have not been assigned responsibility or delegated insufficient authority to meet [security, availability, processing integrity, or confidentiality] commitments and requirements.
Controls: Roles and responsibilities are defined in written job descriptions.
CC1.2 Criterion: Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with authority to ensure policies, and other system requirements are effectively promulgated and placed in operation.

Illustrative risk: Personnel have not been assigned responsibility or delegated insufficient authority to meet [security, availability, processing integrity, or confidentiality] commitments and requirements.
Controls: Roles and responsibilities are defined in written job descriptions. Job descriptions are reviewed on a periodic basis for needed changes and updated if such changes are identified.
CC1.3 Criterion: Personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring of the system affecting [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] have the qualifications and resources to fulfill their responsibilities.

Illustrative risk: Newly hired or transferred personnel do not have sufficient knowledge and experience to perform their responsibilities.
Controls: Job requirements are documented in the job descriptions and candidates' abilities to meet these requirements are evaluated as part of the hiring or transfer evaluation process. The experience and training of candidates for employment or transfer are evaluated before they assume the responsibilities of their position.

Illustrative risk: Personnel do not have sufficient continuous training to perform their responsibilities.
Controls: Management establishes skills and continued training with its commitments and requirements for employees. Management monitors compliance with training requirements.

Illustrative risk: Tools and knowledge resources are insufficient to perform assigned tasks.
Controls: Management evaluates the need for additional tools and resources in order to achieve business objectives, during its ongoing and periodic business planning and budgeting process and as part of its ongoing risk assessment and management process.
CC1.4 Criterion: The entity has established workplace conduct standards, implemented workplace candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

Illustrative risk: Personnel do not adhere to the code of conduct.
Controls: Management monitors employees' compliance with the code of conduct through monitoring of customer and employee complaints and the use of an anonymous third-party administered ethics hotline. Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon their hire and to formally re-affirm them annually thereafter.

Illustrative risk: Candidate has a background considered to be unacceptable by management of the entity.
Controls: Senior management develops a list of characteristics that would preclude an employee candidate from being hired based on sensitivity or skill requirements for the given position. Personnel must pass a criminal and financial trust background check before they may be hired by the entity or third party vendors hired by the entity.
CC2.0 Common Criteria Related to Communications

CC2.1 Criterion: Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation.

Illustrative risk: Users misuse the system due to their failure to understand its scope, purpose, and design.
Controls: System descriptions are available to authorized external users that delineate the boundaries of the system and describe relevant system components as well as the purpose and design of the system. Documentation of the system description is available to authorized users via the entity's customer-facing website. A description of the system is posted on the entity's intranet and is available to the entity's internal users. This description delineates the boundaries of the system and key aspects of processing.

Illustrative risk: Users are unaware of key organization and system support functions, processes, and roles and responsibilities.
Controls: A description of the entity organization structure, system support functions, processes, and organizational roles and responsibilities is posted on the entity's intranet and available to entity internal users. The description delineates the parties responsible, accountable, consented, and informed of changes in design and operation of key system components.

Illustrative risk: External users fail to address risks for which they are responsible that arise outside the boundaries of the system.
Controls: System descriptions are available to authorized external users that delineate the boundaries of the system and describe significant system components as well as the purpose and design of the system. The system description is available to users via ongoing communications with customers or via the customer website.
CC2.2 Criterion: The entity's [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities.

Illustrative risk: Users misunderstand the capabilities of the system in providing for [security, availability, processing integrity, or confidentiality] and take actions based on the misunderstanding.
Controls: The entity's [security, availability, processing integrity, or confidentiality] commitments regarding the system are included in the master services agreement and customer-specific service level agreements. In addition, a summary of these commitments is available on the entity's customer facing website.

Illustrative risk: The entity fails to meet its commitments due to lack of understanding on the part of personnel responsible for providing the service.
Controls: Policy and procedures documents for significant processes are available on the entity's intranet. Personnel are required to attend annual security, confidentiality, and privacy training. Personnel are required to read and accept the entity's code of conduct and the statement of security, confidentiality, and privacy practices upon hire and annually thereafter. Processes are monitored through service level management procedures that monitor compliance with service level commitments and agreements. Results are shared with applicable personnel and customers, and actions are taken and communicated to relevant parties, including customers, when such commitments and agreements are not met.
CC2.3 Criterion: The entity communicates the responsibilities of internal and external users and others whose roles affect system operation.

Illustrative risk: The system fails to function as designed due to internal user failure to comply with their responsibilities.
Controls: Policy and procedures documents for significant processes that address system requirements are available on the intranet. Personnel are required to attend annual security, confidentiality, and privacy training. Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon hire and annually thereafter. Processes are monitored through service level management procedures that monitor compliance with commitments and requirements. Results are shared with applicable personnel and customers.

Illustrative risk: The system fails to function as designed due to external users' failure to meet their responsibilities.
Controls: Customer responsibilities are described on the customer website and in system documentation. Customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns and complaints, and the process for doing so, are described on the customer website and in system documentation.
CC2.6 Criterion: System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] are communicated to those users in a timely manner.

Illustrative risk: Users misunderstand changes in system capabilities or their responsibilities in providing for [security, availability, processing integrity, or confidentiality] due to system changes and take actions based on the misunderstanding.
Controls: Proposed system changes affecting customers are published on the customer website XX days before their implementation. Users are given the chance to participate in user acceptance testing for major changes XX days prior to implementation. Changes made to systems are communicated and confirmed with customers through ongoing communications mechanisms such as customer care meetings and via the customer website. Management of the business unit must confirm understanding of changes by authorizing them. The system change calendar that describes changes to be implemented is posted on the entity intranet.
Illustrative risk: Personnel involved in the risk management process do not have sufficient information to evaluate risks and the tolerance of the entity for those risks.
Controls: The entity has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.

Illustrative risk: One or more internal or external risks, that are significant, threaten the achievement of [security, availability, processing integrity, or confidentiality] commitments and requirements that can be addressed by security controls, are not identified.
Controls: During the risk assessment and management process, risk management office personnel identify changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and update the potential threats to system objectives. Identified risks are rated using a risk evaluation process and ratings are reviewed by management. The risk and controls group evaluates the effectiveness of controls and mitigation strategies in meeting identified risks and recommends changes based on its evaluation. The risk and controls group's recommendations are reviewed and approved by senior management. The entity uses a configuration management database and related process to capture key system components, technical and installation specific implementation details, and to support ongoing asset and service management commitments and requirements.
CC3.2 Criterion: The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.

Illustrative risk: Controls and mitigation strategies selected, developed, and deployed do not adequately mitigate risk.
Controls: Control self-assessments are performed by operating units on a quarterly basis. Internal audits are performed based on the annual risk-based internal audit plan. Business recovery plans are tested annually. Internal and external vulnerability scans are performed quarterly and annually and their frequency is adjusted as required to meet ongoing and changing commitments and requirements.

Illustrative risk: Deployed controls and mitigation strategies create new risks that fail to be assessed.
Controls: See CC3.1 illustrative controls.
CC3.3 Criterion: The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technological) that could significantly affect the system of internal control for [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] and reassesses risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.

Illustrative risk: Not all changes that significantly affect the system are identified resulting in a failure to reassess related risks.
Controls: During the risk assessment and management process, risk management personnel identify changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and update the potential threats to system objectives.

Illustrative risk: Changes that are not properly identified create risks due to the failure of those changes to undergo the risk management process.
Controls: During the risk assessment and management process, risk management office personnel identify environmental, regulatory, and technological changes that have occurred. Network scans are performed for infrastructure elements to identify variance from entity standards.
Controls: Assets are assigned owners who are responsible for evaluating access based on job roles. The owners define access rights when assets are acquired or changed and periodically evaluate access for assets under their custody or stewardship. Online applications match each user ID to a single customer account number. Requests for access to system records require the matching of the customer account number against a list of privileges each user possesses when granted access to the system initially.
Illustrative risk: Logical access security measures do not identify or authenticate users prior to permitting access to IT components.
Controls: Infrastructure components and software are configured to use the shared sign-on functionality when available. Systems not using the shared sign-on functionality are required to be implemented with separate user ID and password submission. External access by employees is permitted only through a two factor (for example, a swipe card and a password) encrypted virtual private network (VPN) connection.

Illustrative risk: Logical access security measures do not provide for the segregation of duties required by the system design.
Controls: A role based security process has been defined with an access control system that is required to use roles when possible. Assets are assigned owners who are responsible for evaluating the appropriateness of access based on job roles. Roles are periodically reviewed and updated by asset owners and the risk and controls group on an annual basis. Access change requests resulting from the review are submitted to the security group via a change request record. For software or infrastructure that does not support the use of role-based security, a separate database of roles and related access is maintained. The security group uses this database when entering access rules in these systems.

Illustrative risk: Logical access security measures do not restrict access to system configurations, privileged functionality, master passwords, powerful utilities, security devices, and other high risk resources.
Controls: Privileged access to sensitive resources is restricted to defined user roles and access to these roles must be approved by the chief information security officer. This access is reviewed by the chief information security officer on a periodic basis as established by the chief information security officer.
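The logical access controls above combine three checks: each user ID maps to a single customer account number, a request for records is matched against the privileges granted at initial access, and privileged roles are usable only with chief information security officer approval. The following is an added example (not AICPA text or any entity's implementation) of an access decision that enforces all three; the user IDs, account numbers, role names and approval references are constructed.

```python
"""Access decision for customer system records (added example; not AICPA text).

Models the illustrative CC5.1 controls above: each user ID is tied to a single
customer account number, a request for system records must match the account
number against the privileges granted at initial access, and privileged roles
are effective only with a recorded chief information security officer (CISO)
approval. All user IDs, account numbers, roles and approval references are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed role database: the separate "database of roles and related
# access" maintained for systems without native role-based security.
ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "account_viewer": frozenset({"read_records"}),
    "account_manager": frozenset({"read_records", "update_records"}),
    "sysconfig_admin": frozenset({"read_records", "change_config", "run_utility"}),
}
# Roles reaching configurations, utilities and other high risk resources.
PRIVILEGED_ROLES = {"sysconfig_admin"}


@dataclass(frozen=True)
class UserRecord:
    account_number: str                  # exactly one account per user ID
    roles: FrozenSet[str]                # privileges captured at initial grant
    ciso_approval: Optional[str] = None  # approval record for privileged roles


class AccessDirectory:
    """In-memory stand-in for the access control system the controls describe."""

    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}

    def register(self, user_id: str, account_number: str, roles: FrozenSet[str],
                 ciso_approval: Optional[str] = None) -> None:
        """Register a user ID, enforcing one account per ID and approved privileged roles."""
        if user_id in self._users:
            raise ValueError(f"{user_id} is already mapped to an account")
        unknown = roles - set(ROLE_PRIVILEGES)
        if unknown:
            raise ValueError(f"undefined roles: {sorted(unknown)}")
        if roles & PRIVILEGED_ROLES and not ciso_approval:
            raise PermissionError("privileged role requires a CISO approval reference")
        self._users[user_id] = UserRecord(account_number, roles, ciso_approval)

    def authorize(self, user_id: str, account_number: str, action: str) -> Tuple[bool, str]:
        """Decide a request against records of account_number; returns (allowed, reason)."""
        user = self._users.get(user_id)
        if user is None:
            return False, "unknown user ID"
        if user.account_number != account_number:
            return False, "account number does not match the user's single account"
        granted = frozenset().union(*(ROLE_PRIVILEGES[r] for r in user.roles))
        if action not in granted:
            return False, f"privilege '{action}' was not granted at initial access"
        return True, "allowed"
```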
CC5.2  New internal and external system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.

  Risk: Valid user identities are granted to unauthorized persons.
  Illustrative controls:
  - On a daily basis, employee user IDs are automatically created in or removed from the active directory and VPN systems as of the date of employment, using an automated feed of new users collected from employee changes in the human resource management system.
  - Employee access to protected resources is created or modified by the security group based on an authorized change request from the system's asset owner.
  - Contractor and vendor IDs are created by the security group based on an authorized change request from the contractor office. These IDs are valid for the lesser of the expected period of relationship or XX days.
  - Privileged customer accounts are created based on a written authorization request from the designated customer point of contact. These accounts are used by customers to create customer user access.
  - System security is configured to require users to change their password upon initial sign-on and every XX days thereafter.
  Risk: A user that is no longer authorized continues to access system resources.
  Illustrative controls:
  - On a daily basis, the human resources system sends an automated feed to the active directory and the VPN for removal of access for employees for whom it is the last day of employment. The list is used by security personnel to remove access. The removal of the access is verified by the security manager.
  - On a weekly basis, the human resources system sends to the security group a list of terminated employees whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.
  - On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.
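The daily feed and the weekly termination lists above are two halves of one control: the feed drives account creation and removal, and the list lets security personnel verify that removals actually happened. The following Python script is an added illustration, not text or code from the AICPA document or from any real entity. It reconciles a constructed HR extract against a constructed directory snapshot and reports what the feed should do today and what a weekly reviewer should chase: terminations missed for a whole list cycle, contractor IDs past their validity, and enabled accounts that no HR record vouches for. Field names, the 90-day contractor limit standing in for the document's "XX days", and every sample record are assumptions.

```python
"""Joiner/leaver reconciliation: HR feed vs. directory snapshot (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    kind: str                 # "employee" or "contractor"
    start: date               # first day of employment / engagement
    end: Optional[date]       # last day of employment, or None if open-ended


@dataclass(frozen=True)
class Account:
    user_id: str
    person_id: Optional[str]  # None for accounts that no HR record vouches for
    enabled: bool
    created: date


CONTRACTOR_MAX_DAYS = 90      # assumption standing in for the document's "XX days"
WEEKLY_LIST_DAYS = 7          # cadence of the terminated-user list in the control text


def reconcile(hr: list[HrRecord], accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Actions the daily feed should drive today, plus exceptions for the weekly review."""
    hr_by_id = {r.person_id: r for r in hr}
    acct_by_person = {a.person_id: a for a in accounts if a.person_id is not None}
    out: dict[str, list[str]] = {
        "create": [],              # hired as of today, no account yet
        "disable": [],             # last day reached, account still enabled
        "stale_termination": [],   # disable missed for a whole list cycle: control failure
        "expired_contractor": [],  # lesser of relationship period or CONTRACTOR_MAX_DAYS reached
        "orphan": [],              # enabled account with no HR owner: nobody can review it
    }

    for r in hr:
        acct = acct_by_person.get(r.person_id)
        # An HR record is active from the start date up to, but not including, the last day:
        # the control removes access on the last day of employment.
        active = r.start <= today and (r.end is None or today < r.end)
        if active and acct is None:
            out["create"].append(r.person_id)
        elif not active and acct is not None and acct.enabled:
            out["disable"].append(acct.user_id)
            if r.end is not None and (today - r.end).days >= WEEKLY_LIST_DAYS:
                out["stale_termination"].append(acct.user_id)
        if r.kind == "contractor" and acct is not None and acct.enabled:
            cap = acct.created + timedelta(days=CONTRACTOR_MAX_DAYS)
            limit = min(r.end, cap) if r.end is not None else cap
            if today >= limit:
                out["expired_contractor"].append(acct.user_id)

    for a in accounts:
        if a.enabled and (a.person_id is None or a.person_id not in hr_by_id):
            out["orphan"].append(a.user_id)

    return {k: sorted(v) for k, v in out.items()}


def sample_run() -> dict[str, list[str]]:
    """Constructed sample data (not real records) exercising each branch."""
    today = date(2016, 6, 15)
    hr = [
        HrRecord("E100", "employee", date(2015, 1, 5), None),
        HrRecord("E101", "employee", date(2016, 6, 15), None),              # starts today
        HrRecord("E102", "employee", date(2014, 3, 1), date(2016, 6, 15)),  # last day today
        HrRecord("E103", "employee", date(2014, 3, 1), date(2016, 5, 31)),  # left two weeks ago
        HrRecord("C200", "contractor", date(2016, 1, 10), date(2016, 12, 31)),
        HrRecord("C201", "contractor", date(2016, 5, 1), date(2016, 7, 31)),
    ]
    accounts = [
        Account("e100", "E100", True, date(2015, 1, 5)),
        Account("e102", "E102", True, date(2014, 3, 1)),
        Account("e103", "E103", True, date(2014, 3, 1)),
        Account("c200", "C200", True, date(2016, 1, 10)),
        Account("c201", "C201", True, date(2016, 5, 1)),
        Account("svc_legacy", None, True, date(2012, 9, 1)),
        Account("e999", "E999", True, date(2013, 2, 1)),
    ]
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for action, ids in sample_run().items():
        print(f"{action:20s} {', '.join(ids) or '-'}")
```

The "stale_termination" and "orphan" buckets are the ones a reviewer should care about most: the first means the daily feed failed and nobody noticed within a list cycle, the second means an enabled account exists that no HR-driven removal will ever reach.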
  - Entity policies prohibit the reactivation or use of a terminated employee's ID without written approval of the chief information security officer. Requests for reactivation are made using the change management record system and must include the purpose and justification of the access (the business need), the systems that are to be reactivated, and the time period for which the account will be active (no more than XX days). The account is reset with a new password and is activated for the time period requested. All use of the account is logged and reviewed by security personnel.
  - Account sharing is prohibited unless a variance from policy is granted by the chief information security officer, as might be provided by the entity using an account and password vaulting software product that provides account sharing under controlled circumstances and active logging of each use. Otherwise, shared accounts are permitted for low risk applications (for example, ...). The chief information security officer must approve the use of all shared accounts. Mitigating controls are implemented when possible (for example, required use of su when accessing the UNIX root account).
  Risk: Valid user identities are assumed by an unauthorized person to access the system.
  Illustrative controls:
  - The online application matches each user ID to a single customer account number. Requests for access to system records require the matching of the customer account number.
  - Two factor authentication and use of encrypted VPN channels help to ensure that only valid users gain access to IT components.
  - Infrastructure components and software are configured to use the active directory shared sign-on functionality when available. Systems not using the shared sign-on functionality are configured to require a separate user ID and password.
  Risk: User access credentials are compromised, allowing an unauthorized person to perform activities reserved for authorized persons.
  Illustrative controls:
  - Users can only access the system remotely through the use of the VPN, secure sockets layer (SSL, or its successor, transport layer security), or other encrypted communication system.
  - Password complexity standards are established to enforce control over access control software passwords.
CC5.4  Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them.

  Risk: Valid users obtain unauthorized access to the system, resulting in a breakdown in segregation of duties or an increase in the risk of intentional malicious acts or error.
  Illustrative controls:
  - When possible, formal role-based access controls that limit access to system and infrastructure components are created, and these are enforced by the access control system. When it is not possible, authorized user IDs with two factor authentication are used.
  - User access requests for a specific role are approved by the user's manager and are submitted to the security group via the change management record system.

  Risk: Access granted through the provisioning process compromises segregation of duties or increases the risk of intentional malicious acts or error.
  Illustrative controls:
  - When possible, formal role-based access controls limit access to system and infrastructure components, and these are enforced by the access control system. When it is not possible, authorized user IDs with two factor authentication are used.
  - Roles are reviewed and updated by asset owners and the risk and controls group on an annual basis. Access change requests resulting from the review are submitted to the security group via a change request record.
CC5.5  Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within those locations) is restricted to authorized personnel.

  Risk: Unauthorized persons gain physical access to system components, resulting in damage to components (including threats to personnel), fraudulent or erroneous processing, unauthorized logical access, or compromise of information.
  Illustrative controls:
  - An ID card-based physical access control system has been implemented within the perimeter of facilities and at the entry and exit points of sensitive areas within these facilities.
  - ID cards that include an employee picture must be worn at all times when accessing or leaving the facility.
  - ID cards are created by the human resources department during the employee orientation period and distributed after all required background investigations are completed. ID cards initially provide access only to nonsensitive areas.
  - Access to sensitive areas is added to ID cards by the physical security director based on a request for access approved by the owner of the sensitive area and after required background investigations have been performed and any issues resolved.
  - Requests for access and changes to access are made, approved, and communicated through the change management record system.
  - The contractor office may request ID cards for vendors and contractors. Cards are created by the physical security director. Requests are made, approved, and communicated through the change management record system.
  - Visitors must be signed in by an employee before a single-day visitor badge that identifies them as an authorized visitor can be issued. Visitor badges are for identification purposes only and do not permit access to any secured areas of the facility.
  - All visitors must be escorted by an entity employee when visiting facilities where sensitive systems and system components are maintained and operated.
  Risk: Formerly appropriate physical access becomes inappropriate due to changes in user job responsibilities or system changes, resulting in a breakdown in segregation of duties or an increase in the risk of intentional malicious acts or error.
  Illustrative controls:
  - Owners of sensitive areas of the facilities review the list of names and roles of those granted physical access to their areas on a semi-annual basis to check for continued business need. Requests for changes are made through the change management record system.

  Risk: A formerly authorized person continues to access system resources after that person is no longer authorized.
  Illustrative controls:
  - Owners of sensitive areas of the facilities review access to their areas on a semi-annual basis. Requests for changes are made through the change management record system.
  - Vendors are asked to review a list of employees with ID cards on a semi-annual basis and request any modifications. The contractor office requests changes based on the vendor review.
  - On a daily basis, as of the last day of employment, the human resources system sends to physical security a list of terminated employees for whom it is the last day of employment and whose access is to be removed and their pass cards disabled.

  Risk: A user obtains the identification credentials and authentication credentials of a formerly authorized person and uses them to gain unauthorized access to the system.
  Illustrative controls:
  - On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors for whom access is to be removed.
  - On a weekly basis, the human resources system sends to the physical security group a list of terminated employees for whom access is to be removed.
  - ... relevant applicable technical specifications, and these are compared against product and industry recommended practices and updated periodically.
  - External access to nonpublic sites is restricted through the use of user authentication and message encryption systems such as VPN and SSL.

  Risk: Authorized connections to the system are compromised and used to gain unauthorized access to the system.
  Illustrative controls:
  - Firewall rules and the online system limit the times when remote access can be granted and the types of activities and service requests that can be performed from external connections.
CC5.7  The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

  Risk: Nonpublic information is disclosed during transmission over public communication paths.
  Illustrative controls:
  - VPN, SSL, secure file transfer program (SFTP), and other encryption technologies are used for defined points of connectivity and to protect communications between the processing center and users connecting to the processing center from within or external to customer networks.
  - Entity policies prohibit the transmission of sensitive information over the Internet or other public communications paths (for example, e-mail) unless it is encrypted.
  - Antivirus software is installed on workstations, laptops, and servers that support such software.
  - Antivirus software is configured to receive an updated virus signature at least daily. Network operations receives a report of devices that have not been updated in 30 days and follows up on the devices.
  - The ability to install applications on systems is restricted to change implementation and system administration personnel.
CC6.0 Common Criteria Related to System Operations

CC6.1  Vulnerabilities of system components to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated, and countermeasures are implemented to compensate for known and new vulnerabilities.

  Risk: Vulnerabilities that could lead to a breach or incident are not detected in a timely manner.
  Illustrative controls:
  - Logging and monitoring software is used to collect data from system infrastructure components and endpoint systems and is used to monitor system performance, potential security threats and vulnerabilities, and resource utilization, and to detect unusual system activity or service requests. This software sends a message to the operations center and security organization and automatically opens a priority incident or problem ticket and a change management system record item.
  - Call center personnel receive telephone and e-mail requests for support, which may include requests to reset user passwords or to notify entity personnel of potential breaches and incidents. Call center personnel follow defined protocols for recording, resolving, and escalating received requests.

  Risk: Security or other system configuration information is corrupted or otherwise destroyed, preventing the system from functioning as designed.
  Illustrative controls:
  - Weekly full-system and daily incremental backups are performed using an automated system.
CC6.2  [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] incidents, including logical and physical security breaches, failures, concerns, and other complaints are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.

  Risk: Breaches and incidents are not identified, prioritized, or evaluated for effects.
  Illustrative controls:
  - Operations personnel follow defined protocols for evaluating reported events. Security related events are assigned to the security group for evaluation.

  Risk: Corrective measures to address breaches and incidents are not implemented in a timely manner.
  Illustrative controls:
  - Operations and security personnel follow defined protocols for resolving and escalating reported events.
  - Resolution of security events (incidents or problems) is reviewed at the daily and weekly operations and security group meetings.
  - Internal and external users are informed of incidents in a timely manner and advised of corrective measures to be taken on their part.

  Risk: Corrective measures are not effective or sufficient.
  Illustrative controls:
  - Resolution of events is reviewed at the weekly operations and security group meetings.
  - Change management requests are opened for events that require permanent fixes.

  Risk: Lack of compliance with policies and procedures is not addressed through sanctions or remedial actions, resulting in increased noncompliance in the future.
  Illustrative controls:
  - The resolution of events is reviewed at the weekly operations and security group meetings. Relevant events with effects on users or customers are referred to user and customer care management to be addressed.
  - Entity policies include probation, suspension, and termination as potential sanctions for employee misconduct.

  Risk: Breaches and incidents recur because preventive measures are not implemented after a previous event.
  Illustrative controls:
  - Change management requests are opened for events that require permanent fixes.
CC7.0 Common Criteria Related to Change Management

CC7.1  [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements are addressed during the system development lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.

  Risk: Commitments and requirements are not addressed at one or more points during the system development lifecycle, resulting in a system that does not meet system commitments and requirements.
  Illustrative controls:
  - System change requests are evaluated to determine the potential effect of the change on security, availability, processing integrity, and confidentiality commitments and requirements throughout the change management process.
  - System changes other than those classified as minor require the approval of the chief information security officer and operations manager prior to implementation.
CC7.2  Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

  Risk: System components are not updated for changes in the requirements, resulting in a system that does not meet system commitments and requirements.
  Illustrative controls:
  - During the ongoing risk assessment process and periodic planning and budgeting processes, infrastructure, data, software, and procedures are evaluated for needed changes. Change requests are created based on the identified needs.
  - For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared, and the entity's risk management process and relevant risk management data are updated to reflect the planned incident and problem resolution.

CC7.3  Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring.

  Risk: Identified breaches, incidents, and other system impairments are not considered during the change management lifecycle.
  Illustrative controls:
  - For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared, and the entity's risk management process and relevant risk management data are updated to reflect the planned incident and problem resolution.
CC7.4  Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements.

  Risk: System changes are not authorized by those responsible for the design and operation of the system, resulting in changes to the system that impair its ability to meet system commitments and requirements.
  Illustrative controls:
  - System change requests must be reviewed and approved by the owner of the infrastructure or software and the change advisory board prior to work commencing on the requested change.

  Risk: System changes do not function as intended, resulting in a system that does not meet system commitments and requirements.
  Illustrative controls:
  - Functional and detailed designs are prepared for other than minor changes (more than XX hours). Functional designs are reviewed and approved by the application or infrastructure and software owner, and detailed designs are approved by the director of development for the application and the change advisory board prior to work commencing on the requested change or development project.
  - Test plans and test data are created and used in required system and regression testing. Test plans and test data are reviewed and approved by the testing manager prior to and at the completion of testing, and reviewed by the change advisory board prior to newly developed or changed software being authorized for migration to production. Security vulnerability testing is included in the types of tests performed on relevant application, database, network, and operating system changes.
  - System and regression testing is performed by the testing department using approved test plans and test data. Deviations from planned results are analyzed and submitted to the developer.
  - Code review or walkthrough is required for high impact changes that meet established criteria (that mandate code reviews and walkthroughs), and these are performed by a peer programmer that does not have responsibility for the change.
  - Changes are reviewed and approved by the change advisory board prior to implementation.
  - Established entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
  - Changes to hardening standards are reviewed and approved by the director of infrastructure management.
  Risk: Unauthorized changes are made to the system, resulting in a system that does not meet system commitments and requirements.
  Illustrative controls:
  - Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.
  - Logical access controls and change management tools restrict the ability to migrate between development, test, and production to change deployment personnel.
  - Changes are reviewed and approved by the change advisory board prior to implementation.

  Risk: Unforeseen system implementation problems impair system operation, resulting in a system that does not function as designed.
  Illustrative controls:
  - A turnover process that includes verification of operation and back out steps is used for every migration.
  - Post implementation procedures that are designed to verify the operation of system changes are performed for one week after the implementation for other than minor changes, and results are shared with users and customers as required to meet commitments and requirements.
  Risk: Incompatible duties exist within the change management process, particularly between approvers, designers, implementers, testers, and owners, resulting in the implemented system not functioning as intended.
  Illustrative controls:
  - The change management process has defined the following roles and assignments:
      Authorization of change requests: owner or business unit manager
      Development: application design and support department
      Testing: quality assurance department
      Implementation: software change management group
Additional Criteria for Availability

A1.1  Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.

  Risk: Current processing capacity is not sufficient to meet availability commitments and requirements in the event of the loss of individual elements within the system components.
  Illustrative controls:
  - Processing capacity is monitored on an ongoing basis.
  - Critical infrastructure components have been reviewed for criticality classification and assignment of a minimum level of redundancy.

  Risk: Processing capacity is not monitored, planned, and expanded or modified, as necessary, to provide for the continued availability of the system in accordance with system commitments and requirements.
  Illustrative controls:
  - Processing capacity is monitored on a daily basis.
  - Backups are transported and stored offsite by a third-party storage provider.

  Risk: System availability commitments and requirements are not met due to a lack of recovery infrastructure.
  Illustrative controls:
  - Business continuity and disaster recovery plans have been developed and are updated annually.
  - The entity has contracted with a third-party recovery facility to permit the resumption of IT operations in the event of a disaster at its data center.
  - The entity uses a multi-location strategy for its facilities to permit the resumption of operations at other entity facilities in the event of loss of a facility.

A1.3  Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.

  Risk: Recovery plans are not suitably designed and backups are not sufficient to permit recovery of system operation in accordance with commitments and requirements.
  Illustrative controls:
  - Business continuity and disaster recovery plans, including restoration of backups, are tested annually.
  - Test results are reviewed and the contingency plan is adjusted.
Additional Criteria for Processing Integrity

PI1.1  Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.

  Risk: Software or data are lost or not available due to processing error, intentional act, or environmental event.
  Illustrative controls:
  - Weekly full-system and daily incremental backups are performed using an automated system.
  - Backups are monitored for failure using an automated system, and the incident management process is automatically invoked.
  - Backups are transported and stored offsite by a third-party storage provider.

  Risk: Environmental vulnerabilities are not addressed through the use of environmental protections, resulting in a loss of system availability.
  Illustrative controls:
  - Environmental protections have been installed, including the following:
      Cooling systems
      Battery and natural gas generator backup in the event of power failure
      Redundant communications lines
      Smoke detectors
      Dry pipe sprinklers
PI1.2  System inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements.

  Risk: Inputs are captured incorrectly.
  Illustrative controls:
  - Application edits limit input to acceptable value ranges.
  - The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the scanned sheets are compared to the count per the batch ticket by the scanning operator.
  - Scanned images are processed through the optical character recognition (OCR) system. Key fields, including customer identifier, customer name, and record type, are validated by the system against records in the master data file.
  - Text from free form sections of scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.
  Risk: Inputs are not captured, or are not captured completely.
  Illustrative controls:
  - System edits require mandatory fields to be complete before record entry is accepted.
  - The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the sheets scanned are compared to the count per the batch ticket by the scanning operator.
  - Scanned images are processed through the OCR system. Key fields, including customer identifier, customer name, and record type, are validated by the system against records in the master data file.
  - Text from free form sections of scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.
  - Electronic files received contain batch control totals. During load processing, the data captured is reconciled to the batch totals automatically by the application.
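The batch control total control above is worth seeing concretely, because the record count and the amount total catch different failures: a dropped record changes the count, while a corrupted amount leaves the count intact and only the total disagrees. The following Python load routine is an added illustration, not code from the AICPA document or from any real entity. It also applies the mandatory-field and value-range edits listed under this criterion, and refuses to reconcile a file with no header at all. The pipe-delimited layout, the header fields, the acceptable amount range, and the four sample files are constructed assumptions.

```python
"""Input batch control total reconciliation (added example, not from the AICPA text)."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Assumed pipe-delimited layout: one header "H|batch_id|record_count|amount_total"
# followed by detail records "D|customer_id|record_type|amount".
ACCEPTABLE_AMOUNT = (Decimal("-1000000.00"), Decimal("1000000.00"))  # assumed application edit range


@dataclass
class LoadResult:
    batch_id: str
    expected_count: int
    expected_total: Decimal
    loaded_count: int = 0
    loaded_total: Decimal = Decimal("0")
    rejected: list[tuple[int, str]] = field(default_factory=list)  # (line number, reason)

    def balanced(self) -> bool:
        """True only when every record loaded and both control totals agree."""
        return (not self.rejected
                and self.loaded_count == self.expected_count
                and self.loaded_total == self.expected_total)

    def exceptions(self) -> list[str]:
        """What the load routine would write to the incident management record."""
        msgs = [f"line {n}: {why}" for n, why in self.rejected]
        if self.loaded_count != self.expected_count:
            msgs.append(f"record count {self.loaded_count} != header {self.expected_count}")
        if self.loaded_total != self.expected_total:
            msgs.append(f"amount total {self.loaded_total} != header {self.expected_total}")
        return msgs


def load_batch(text: str) -> LoadResult:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("H|"):
        raise ValueError("batch header missing: file cannot be reconciled")
    _, batch_id, count, total = lines[0].split("|")
    result = LoadResult(batch_id, int(count), Decimal(total))

    for lineno, line in enumerate(lines[1:], start=2):
        parts = line.split("|")
        if len(parts) != 4 or parts[0] != "D":
            result.rejected.append((lineno, "malformed detail record"))
            continue
        _, customer_id, record_type, amount = parts
        if not customer_id or not record_type:          # mandatory-field system edit
            result.rejected.append((lineno, "mandatory field missing"))
            continue
        try:
            value = Decimal(amount)
        except InvalidOperation:
            result.rejected.append((lineno, "amount is not numeric"))
            continue
        if not ACCEPTABLE_AMOUNT[0] <= value <= ACCEPTABLE_AMOUNT[1]:   # value-range edit
            result.rejected.append((lineno, "amount outside acceptable range"))
            continue
        result.loaded_count += 1
        result.loaded_total += value
    return result


# Constructed sample files. Each header claims three records totalling 1250.00.
GOOD_FILE = "H|B20160615-01|3|1250.00\nD|C1001|PAY|500.00\nD|C1002|PAY|250.00\nD|C1003|ADJ|500.00\n"
# A record was lost in transit: the count catches it.
SHORT_FILE = "H|B20160615-02|3|1250.00\nD|C1001|PAY|500.00\nD|C1003|ADJ|500.00\n"
# Transposed digits in one amount: the count matches, only the amount total catches it.
ALTERED_FILE = "H|B20160615-03|3|1250.00\nD|C1001|PAY|500.00\nD|C1002|PAY|205.00\nD|C1003|ADJ|500.00\n"
# Mandatory customer identifier missing on one record: rejected by the system edit.
BLANK_FIELD_FILE = "H|B20160615-04|3|1250.00\nD|C1001|PAY|500.00\nD||PAY|250.00\nD|C1003|ADJ|500.00\n"


if __name__ == "__main__":
    for name, text in [("good", GOOD_FILE), ("short", SHORT_FILE),
                       ("altered", ALTERED_FILE), ("blank field", BLANK_FIELD_FILE)]:
        res = load_batch(text)
        print(f"{name:12s} balanced={res.balanced()} {res.exceptions()}")
```

Note that a rejected record also unbalances the batch, which is the intended behaviour: the sender's totals include the record, so the load must not be reported as complete until the rejection is resolved.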
  Risk: Inputs are not captured in a timely manner.
  Illustrative controls:
  - Electronic files received are processed as received. The application monitors files that fail to process completely and generates an incident management error record.
  - Manual forms for data entry are batched upon receipt. Batches are traced to batches entered for processing daily by the data entry supervisor, and differences are investigated.

  Risk: The final disposition of input cannot be traced to its source to validate that it was processed correctly, and the results of processing cannot be traced to initial input to validate completeness and accuracy.
  Illustrative controls:
  - Inputs are coded with identification numbers, registration numbers, registration information, or time stamps to enable them to be traced from initial input to output and final disposition, and from output to source inputs.
PI1.3  Data is processed completely, accurately, and timely as authorized in accordance with processing integrity commitments and requirements.

  Risk: Data is lost during processing.
  Illustrative controls:
  - Input record counts are traced from entry to final processing. Any differences are investigated.

  Risk: Data is inaccurately modified during processing.
  Illustrative controls:
  - Application regression testing validates key processing for the application during the change management process.
  - Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
  - Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.
  Risk: Newly created data is inaccurate.
  Illustrative controls:
  - Application regression testing validates key processing for the application during the change management process.
  - The system compares generated data to allowable values. Values outside the allowable values are written to the value exception report. Items on the value exception report are reviewed by the output clerk on a daily basis.

  Risk: Processing is not completed within required timeframes.
  Illustrative controls:
  - Scheduling software is used to control the submission and monitoring of job execution. An incident management record is generated automatically when processing errors are identified.
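The variance report and the value exception report described under this criterion, as an added illustration that is not code from the AICPA document or from any real entity. It treats a line that drops out of the output entirely, and a prior value of zero, as findings in their own right, since a percentage comparison alone says nothing about either case, and it reports a generated field that is absent rather than silently passing the record. The five percent threshold standing in for the document's "X percent", the output line names, the allowable ranges, and the sample records are all assumptions.

```python
"""Output variance report and value exception report (added example, not from the AICPA text)."""
from dataclasses import dataclass
from decimal import Decimal

VARIANCE_THRESHOLD_PCT = Decimal("5")   # the document's "X percent"; five percent is assumed here


@dataclass(frozen=True)
class Finding:
    report: str      # "variance" or "value_exception"
    key: str
    detail: str


def variance_report(prior: dict[str, Decimal], current: dict[str, Decimal],
                    threshold_pct: Decimal = VARIANCE_THRESHOLD_PCT) -> list[Finding]:
    """Compare this cycle's output totals with the prior cycle's, line by line.

    Missing and newly appearing lines are reported too: a line that silently
    drops out of the output is exactly the case a percentage check would miss.
    """
    findings = []
    for key in sorted(set(prior) | set(current)):
        if key not in current:
            findings.append(Finding("variance", key, f"present last cycle ({prior[key]}), missing now"))
            continue
        if key not in prior:
            findings.append(Finding("variance", key, f"new line with no prior value ({current[key]})"))
            continue
        old, new = prior[key], current[key]
        if old == 0:
            if new != 0:   # no percentage is defined; any movement off zero gets a look
                findings.append(Finding("variance", key, f"prior value was 0, now {new}"))
            continue
        pct = (new - old) / abs(old) * 100
        if abs(pct) > threshold_pct:
            findings.append(Finding("variance", key, f"{old} -> {new} ({pct:+.1f}%)"))
    return findings


def value_exception_report(records: list[dict[str, Decimal]],
                           allowed: dict[str, tuple[Decimal, Decimal]]) -> list[Finding]:
    """Write any generated value outside its allowable range to the exception report."""
    findings = []
    for i, rec in enumerate(records, start=1):
        for fld, (lo, hi) in allowed.items():
            val = rec.get(fld)
            if val is None:
                findings.append(Finding("value_exception", f"record {i}", f"{fld} not generated"))
            elif not lo <= val <= hi:
                findings.append(Finding("value_exception", f"record {i}",
                                        f"{fld}={val} outside [{lo}, {hi}]"))
    return findings


def sample_run() -> tuple[list[Finding], list[Finding]]:
    """Constructed prior/current cycle totals and generated records (not real data)."""
    prior = {"invoices_total": Decimal("100000.00"), "credits_total": Decimal("2500.00"),
             "fees_total": Decimal("800.00"), "refunds_total": Decimal("0.00")}
    current = {"invoices_total": Decimal("103000.00"),   # +3%, within threshold
               "credits_total": Decimal("4000.00"),      # +60%, flagged
               "refunds_total": Decimal("120.00")}       # was 0, flagged; fees_total missing, flagged
    records = [{"interest_rate": Decimal("4.25"), "balance": Decimal("1200.00")},
               {"interest_rate": Decimal("41.25"), "balance": Decimal("300.00")},  # misplaced decimal
               {"balance": Decimal("-50.00")}]                                    # rate never generated
    allowed = {"interest_rate": (Decimal("0"), Decimal("30")),
               "balance": (Decimal("-1000000"), Decimal("1000000"))}
    return variance_report(prior, current), value_exception_report(records, allowed)


if __name__ == "__main__":
    for f in sample_run()[0] + sample_run()[1]:
        print(f"{f.report:16s} {f.key:16s} {f.detail}")
```

Each Finding maps to one incident management record; the output clerk's daily review in the control text is the consumer of these lists, not the producer.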
PI1.4  Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.

  Risk: Data is not available for use as committed or agreed.
  Illustrative controls:
  - A mirror image of application data files is created nightly and stored on a second system for use in recovery and restoration in the event of a system disruption or outage.

  Risk: Stored data is inaccurate.
  Illustrative controls:
  - Logical access to stored data is restricted to the application and database administrators.

  Risk: Stored data is incomplete.
  Illustrative controls:
  - Data is reconciled on a monthly basis to help meet customer commitments and requirements.
PI1.5  System output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.

  Risk: System output is not complete.
  Illustrative controls:
  - Application regression testing validates key processing for the application during the change management process.
  - Output values are compared against prior cycle values. Variances greater than five percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
  - On a monthly basis, total records processed are compared with total records received via electronic submission, manual entry, and sheets scanned by the OCR system.
  Risk: System output is not accurate.
  Illustrative controls:
  - Application regression testing validates key processing for the application during the change management process.
  - Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
  - Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.

  Risk: System output is provided to unauthorized recipients.
  Illustrative controls:
  - Application security restricts output to approved user IDs.

  Risk: System output is not available to authorized recipients.
  Illustrative controls:
  - Application regression testing validates key processing for the application during the change management process.
  - Output is generated by the system based on a master schedule. Changes to the master schedule are managed through the change management process and are approved by the customer service executive. On a daily basis, an automated routine scans output files to validate that all required output has been generated. The routine generates an incident record for any missing output. Incident tickets are managed through the incident management process.
PI1.6  Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements.

  Risk: Data is modified by an unauthorized process or procedure, resulting in inaccurate or incomplete data.
  Illustrative controls:
  - Application regression testing validates key processing for the application during the change management process.
  - Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
  - Application level security restricts the ability to access, modify, and delete data to authenticated users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.

  Risk: Data is modified without authorization.
  Illustrative controls:
  - Logical access to stored data is restricted to the application and database administrators.

  Risk: Data is lost or destroyed.
  Illustrative controls:
  - Logical access to stored data is restricted to the application and database administrators.
  - A mirror image of application data files is created nightly and stored on a second secure system for use in recovery and restoration in the event of a system disruption or outage.
Additional Criteria for Confidentiality
C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.
Risk: Data used in nonproduction environments is not protected from unauthorized access as committed.
Illustrative control: The entity creates test data using data masking software that replaces confidential information with test information prior to the creation of test databases.
C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
Risk: Unauthorized access to confidential information is obtained during processing.
Illustrative controls: Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process. Logical access other than through the authorized application is restricted to administrators through database management system native security. Creation and modification of access control records for the database management systems occurs through the access provisioning process. Application level security restricts the ability to access, modify, and delete data to authenticated users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.
Risk: Unauthorized access to confidential information in output is obtained after processing.
Illustrative controls: Application security restricts output to approved roles or user IDs. Output containing sensitive information is printed at the secure print facility and is marked with the legend "Confidential." Paper forms are physically secured after data entry. Physical access is restricted to storage clerks.
C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements.
Risk: Confidential information transmitted beyond the boundaries of the system is provided to unauthorized user entity personnel.
Illustrative controls: Application security restricts output to approved user IDs. Transmission of digital output beyond the boundary of the system occurs through the use of authorized software supporting the advanced encryption standard (AES). Logical access to stored data is restricted to application and database administrators. Data is stored in encrypted format using software supporting the AES.
Risk: Confidential information is transmitted to related parties, vendors, or other approved parties contravening confidentiality commitments.
Illustrative controls: Application security restricts output to approved user IDs. Transmission of digital output beyond the boundary of the system occurs through the use of authorized software supporting the advanced encryption standard.
C1.4 The entity obtains confidentiality commitments that are consistent with the entity's confidentiality requirements, from vendors and other third parties whose products and services comprise part of the system and have access to confidential information.
Risk: Related party and vendor personnel are unaware of the entity's confidentiality commitments.
Illustrative control: Formal information sharing agreements are in place with related parties and vendors. These agreements include confidentiality commitments applicable to that entity. Agreement terms include requirements for marking and identifying data as confidential, handling standards for confidential data in the custody of related parties and vendors, and return and disposal of confidential information when no longer required.
Risk: Requirements for handling of confidential information are not communicated to and agreed to by related parties and vendors.
Illustrative control: Formal information sharing agreements are in place with related parties and vendors. These agreements include confidentiality commitments applicable to that entity.
C1.5 Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the system is assessed on a periodic and as-needed basis and corrective action is taken, if necessary.
Risk: Related party and vendor systems are not suitably designed or operating effectively to comply with confidentiality commitments.
Illustrative control: Related party and vendor systems are subject to review as part of the vendor risk management process. Attestation reports (SOC 2 reports) are obtained and evaluated when available. Site visits and other procedures are performed based on the entity's vendor management criteria.
C1.6 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system.
Risk: Confidentiality practices and commitments are changed without the knowledge or assent of user entities.
Illustrative control: The chief information security officer is responsible for changes to confidentiality practices and commitments. A formal process is used to communicate these changes to users, related parties, and vendors.
Risk: Confidentiality practices and commitments are changed without the knowledge of related parties or vendors, resulting in their systems not complying with the required practices and not meeting the commitments.
Illustrative controls: The chief information security officer is responsible for changes to confidentiality practices and commitments. A formal process is used to communicate these changes to users, related parties, and vendors. Related party and vendor agreements are modified to reflect changes in confidentiality practices and commitments. Related party and vendor systems are subject to review as part of the vendor risk management process. Attestation reports (SOC 2 reports) are obtained and evaluated when available. Site visits and other procedures are performed based on the entity's vendor management criteria.
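The C1.1 control above relies on data masking software that replaces confidential values before a test database is built. The following Go program is an added example, not the AICPA document's text and not any vendor's masking product: it shows the design decisions such a job has to make. Replacement values are derived from a keyed HMAC, so the same person masks to the same pseudonym in every table (joins and duplicate detection keep working) while the mapping cannot be reversed without the key; phone numbers keep their digit layout so format validators in the test application still pass; free text is redacted outright because it can hold anything; and a leak check scans the masked output for any surviving source value, which is the evidence a control owner or auditor would want. The record layout, the three sample rows, the masking key and the example.invalid domain are all constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Record is one row of a constructed customer table; a real extract would be
// read from the production database by the masking job.
type Record struct {
	ID                        int
	Name, Email, Phone, Notes string
}

// Masker derives every replacement value from an HMAC keyed with a secret only
// the masking job holds: equal inputs map to equal outputs, so joins across
// tables keep working, but without the key the mapping cannot be reversed or
// guessed. The key must never be copied into the test environment.
type Masker struct{ key []byte }

func NewMasker(key []byte) *Masker { return &Masker{key: key} }

// mac labels the field so a name and an e-mail with identical text differ.
func (m *Masker) mac(field, value string) []byte {
	h := hmac.New(sha256.New, m.key)
	h.Write([]byte(field + "\x00" + value))
	return h.Sum(nil)
}

// MaskName yields a stable pseudonym such as "user-3fa9c2b1".
func (m *Masker) MaskName(v string) string { return fmt.Sprintf("user-%x", m.mac("name", v)[:4]) }

// MaskEmail keeps an address shape the application accepts but lands in the
// reserved .invalid top-level domain, so test mail can never reach a person.
func (m *Masker) MaskEmail(v string) string {
	return fmt.Sprintf("%x@example.invalid", m.mac("email", v)[:5])
}

// MaskPhone keeps punctuation and digit layout so format validators in the
// test application still pass, while every digit is replaced.
func (m *Masker) MaskPhone(v string) string {
	src, i := m.mac("phone", v), 0
	var out strings.Builder
	for _, r := range v {
		if r >= '0' && r <= '9' {
			out.WriteByte('0' + src[i%len(src)]%10)
			i++
		} else {
			out.WriteRune(r)
		}
	}
	return out.String()
}

// MaskRecord masks every confidential field. Free text is dropped outright:
// it can hold anything, so there is no safe way to pseudonymise it.
func (m *Masker) MaskRecord(r Record) Record {
	return Record{ID: r.ID, Name: m.MaskName(r.Name), Email: m.MaskEmail(r.Email), Phone: m.MaskPhone(r.Phone), Notes: "[redacted]"}
}

func MaskAll(m *Masker, src []Record) []Record {
	out := make([]Record, len(src))
	for i, r := range src {
		out[i] = m.MaskRecord(r)
	}
	return out
}

// LeakCheck is the evidence step for the control: it returns every
// confidential source value that still appears anywhere in the masked output.
func LeakCheck(source, masked []Record) []string {
	var dump strings.Builder
	for _, r := range masked {
		fmt.Fprintf(&dump, "%s|%s|%s|%s\n", r.Name, r.Email, r.Phone, r.Notes)
	}
	var leaks []string
	for _, r := range source {
		for _, v := range []string{r.Name, r.Email, r.Phone, r.Notes} {
			if v != "" && strings.Contains(dump.String(), v) {
				leaks = append(leaks, v)
			}
		}
	}
	return leaks
}

// SampleRecords is a constructed extract; record 3 is the same person as record 1.
func SampleRecords() []Record {
	return []Record{
		{1, "Ada Example", "ada@example.com", "+1 (555) 010-4477", "Called Ada Example about a refund"},
		{2, "Ben Sample", "ben@example.com", "+1 (555) 010-9921", ""},
		{3, "Ada Example", "ada.e@example.org", "+1 (555) 010-4477", "Duplicate of record 1"},
	}
}

func main() {
	m := NewMasker([]byte("constructed-demo-key; load from a secret store in practice"))
	src := SampleRecords()
	for _, r := range MaskAll(m, src) {
		fmt.Printf("%+v\n", r)
	}
	fmt.Println("leaked values:", LeakCheck(src, MaskAll(m, src)))
}
```

Two points carry over to real masking jobs: the leak check must run against the whole masked output, not field by field, because confidential values often hide in columns nobody classified (the notes field here), and the HMAC key is itself confidential, since anyone holding it can re-derive the pseudonym of a known person.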
1
The first occurrence of each word contained in the glossary is linked to the top of the glossary.
Personal Information
Personal information (sometimes referred to as personally identifiable informa-
tion) is information that is about, or can be related to, an identifiable individual.
It includes any information that can be linked to an individual or used to di-
rectly or indirectly identify an individual. Individuals, for this purpose, include
prospective, current, and former customers, employees, and others with whom
2
For example, the Organisation for Economic Co-operation and Development has issued Guide-
lines on the Protection of Privacy and Transborder Flows of Personal Data and the European Union
has issued Directive on Data Privacy (Directive 95/46/EC). In addition, the United States has enacted
the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Chil-
dren's Online Privacy Protection Act. Canada has enacted the Personal Information Protection and
Electronic Documents Act and Australia has enacted the Australian Privacy Act of 1988, as amended
in 2001. A chart comparing these international privacy concepts with generally accepted privacy prin-
ciples can be found online at www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/
RESOURCES/PRIVACY/Pages/default.aspx. Compliance with this set of generally accepted privacy
principles and criteria may not necessarily result in compliance with applicable privacy laws and
regulations, and entities should seek appropriate legal advice regarding compliance with any laws
and regulations.
• Monitoring and updating the entity's privacy policies
• Delegating authority for enforcing the entity's privacy policies
• Monitoring the degree of compliance and initiating action to improve the training or clarification of policies and practices
A committee of the board of directors includes privacy periodically in its regular review of overall corporate governance.
1.2 Procedures and Controls
1.2.1 Review and Approval: Privacy policies and procedures, and changes thereto, are reviewed and approved by management.
Illustrative controls and procedures: Privacy policies and procedures are
• reviewed and approved by senior management or a management committee.
• reviewed at least annually and updated as needed.
1.2.2 Consistency of Privacy Policies and Procedures With Laws and Regulations: Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.
Illustrative controls and procedures: Corporate counsel or the legal department
• determines which privacy laws and regulations are applicable in the jurisdictions in which the entity operates.
• identifies other standards applicable to the entity.
• reviews the entity's privacy policies and procedures to ensure they are consistent with the applicable laws, regulations, and appropriate standards.
Additional considerations: In addition to legal and regulatory requirements, some entities may elect to comply with certain standards, such as those published by the International Organization for Standardization (ISO), or may be required to comply with certain standards, such as those published by the payment card industry, as a condition of doing business. Entities may include such standards as part of this process.
Preferences may be changed, and consent may be withdrawn at a later time, subject to legal or contractual restrictions and reasonable notice.
Additional considerations: The type of consent required depends on the nature of the personal information and the method of collection (for example, an individual subscribing to a newsletter gives implied consent to receive communications from the entity).
3.1.2 Consequences of Denying or Withdrawing Consent: When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.
Illustrative controls and procedures: At the time of collection, the entity informs individuals of the following:
• About the consequences of refusing to provide personal information (for example, transactions may not be processed)
• About the consequences of denying or withdrawing consent (for example, opting out of receiving information about products and services may result in not being made aware of sales promotions)
• About how they will or will not be affected by failing to provide more than the minimum required personal information (for example, services or products will still be provided)
Collection
• provide a copy of personal information, upon request, in printed or electronic form that is convenient to both the individual and the entity.
• record requests for access and actions taken, including denial of access and unresolved complaints and disputes.
6.2.2 Confirmation of an Individual's Identity: The identity of individuals who request access to their personal information is authenticated before they are given access to that information.
Illustrative controls and procedures: Employees are adequately trained to authenticate the identity of individuals before granting the following:
• Access to their personal information
• Requests to change sensitive or other personal information (for example, to update information such as address or bank details)
The entity
Additional considerations: The extent of authentication depends on the type and sensitivity of personal information that is made available. Different techniques may be considered for the different channels, such as the following:
• Web
• Interactive voice response system
• Call center
• In person
3
These areas are drawn from ISO/IEC 27002:2005, Information technology - Security techniques - Code of
practice for information security management. Permission is granted by the
American National Standards Institute (ANSI) on behalf of the International Organization for
Standardization (ISO). Copies of ISO/IEC 27002 can be purchased from ANSI in the United
States at http://webstore.ansi.org/ and in Canada from the Standards Council of Canada at
www.standardsstore.ca/eSpecs/index.jsp. It is not necessary to meet all of the criteria of ISO/IEC
27002:2005 to satisfy Generally Accepted Privacy Principles' criterion 8.2.1. The references associated
with each area indicate the most relevant Generally Accepted Privacy Principles' criteria for this
purpose.
• Business continuity management and disaster recovery plans and related testing
• Provision for the identification of, and consistency with, applicable laws and regulations, defined commitments, service-level agreements, and other contracts
• A requirement that users, management, and third parties confirm (initially and annually) their understanding of an agreement to comply with the entity's privacy policies and procedures related to the security of personal information
• Procedures to cancel access privileges and ensure return of computers and other devices used to access or store personal information when personnel are terminated
The entity's security program prevents access to personal information in computers, media, and paper-based information that are no longer in active use by the organization (for example, computers, media, and paper-based information in storage, sold, or otherwise disposed of).
• remedies to be available in case of a breach of personal information and how to communicate this information to an individual.
• recourse and a formal escalation process to be in place to review and approve any recourse offered to individuals.
• contact information and procedures to be followed with any designated third party dispute resolution or similar service (if offered).
10.2.2 Dispute Resolution and Recourse: Each complaint is addressed, and the resolution is documented and communicated to the individual.
Illustrative controls and procedures: The entity has a formally documented process in place to
• train employees responsible for handling individuals' complaints and disputes about the resolution and escalation processes.
• document and respond to all complaints in a timely manner.
• periodically review unresolved disputes and complaints to ensure they are resolved in a timely manner.
• escalate unresolved complaints and disputes for review by management.
• identify trends and the potential need to change the entity's privacy policies and procedures.
Additional considerations: Some regulations (for example, HIPAA and COPPA) have specific procedures and requirements. Some laws (for example, PIPEDA) permit escalation through the court system up to the most senior court.
1
See appendix C, "Illustrative Privacy Examination and Audit Reports."
2
In certain circumstances (such as a report on a third-party service provider), special purpose
privacy reports covering some of the 10 principles could be issued. It is recommended that such
reports contain language that indicates that the privacy principles not covered are essential for
overall assurance of privacy and be "restricted use" reports.
3
See paragraph .58 of AT section 101, Attest Engagements (AICPA, Professional Standards) for
a description of a practitioner's options, if a written assertion is not obtained.
4
See paragraph .64 of AT section 101.
5
The specified users of the report and the practitioner agree upon the procedures to be performed
by the practitioner.
6
In the United States, agreed-upon procedures engagements are performed under paragraph .15
of AT section 201, Agreed-Upon Procedures Engagements (AICPA, Professional Standards). In Canada
there are no general standards for agreed-upon procedures/specified procedures. A practitioner could,
however, look to the guidance provided by the Canadian Institute of Chartered Accountants (CICA)
handbook section 9100 that contains standards for performing Specified Procedures on Financial
Information Other Than Financial Statements. In specified auditing procedures engagements, the
practitioner is engaged to report to specific users the results of applying specified procedures. In
applying such procedures, the practitioner does not express a conclusion concerning the subject
matter because he or she does not necessarily perform all of the procedures that, in the practitioner's
judgment, would be necessary to provide a high level of assurance. Rather, the practitioner's report
sets out the factual results of the procedures applied, including any exceptions found.
7
WebTrust and SysTrust are two specific attestation or assurance services offerings developed
by the AICPA and the CICA that are based on the Trust Services Principles and Criteria. Practitioners
must be licensed by the CICA to use either the WebTrust or SysTrust seals. When the privacy
engagement incorporates an online segment and the entity has received an examination or audit
report that does not include a qualification or scope limitation, an entity may choose to display a
WebTrust Online Privacy seal. For more information on licensure and Online Privacy Engagements
see www.webtrust.org.
privacy notice related to the Business and with criteria set forth
in Generally Accepted Privacy Principles, issued by the Ameri-
can Institute of Certified Public Accountants and the Canadian
Institute of Chartered Accountants (CICA), and
• Complied with its commitments in its privacy notice, which is
dated xxxx xx, 2009 and [is available at www.ABC-Company/
privacy or accompanies this report].
This assertion is the responsibility of management. Our responsibility is to
express an opinion based on our audit.
Our audit was conducted in accordance with standards for assurance engage-
ments established by the CICA. Those standards require that we plan and
perform our audit to obtain reasonable assurance as a basis for our opinion.
Our audit included (1) obtaining an understanding of ABC Company's controls
over the privacy of personal information, (2) testing and evaluating the oper-
ating effectiveness of the controls, (3) testing compliance with ABC Company's
commitments in its privacy notice and (4) performing such other procedures
as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
In our opinion, ABC Company's management assertion that, during the period
Xxxx xx, 2009 through Yyyy yy, 2009, ABC Company:
• Maintained effective controls over the privacy of personal infor-
mation collected in the Business to provide reasonable assurance
that the personal information was collected, used, retained, dis-
closed, and disposed of in conformity with its commitments in its
privacy notice and with criteria set forth in Generally Accepted
Privacy Principles; and
• Complied with its commitments in its privacy notice referred to
above,
is, in all material respects, fairly stated.
OR
In our opinion, ABC Company management's assertion referred to above is
fairly stated, in all material respects, in conformity with ABC Company's pri-
vacy notice referred to above and with criteria set forth in Generally Accepted
Privacy Principles.
Because of the nature and inherent limitations of controls, ABC Company's
ability to meet the aforementioned criteria and the commitments in its privacy
notice may be affected. For example, fraud, unauthorized access to systems
and information, failure to comply with internal and external policies and
requirements may not be prevented or detected. Also, the projection of any
conclusions, based on our findings, to future periods is subject to the risk that
any changes or future events may alter the validity of such conclusions.
[Name of CA firm]
[City, Province]
Chartered Accountants
[Date]
criteria set forth in the Generally Accepted Privacy Principles; and (2) complied
with its commitments in its privacy notice referred to above.
Because of the nature and inherent limitations of controls, ABC Company's
ability to meet the aforementioned criteria and the commitments in its privacy
notice may be affected. For example, fraud, unauthorized access to systems
and information, and failure to comply with internal or external policies or
requirements may not be prevented or detected. Also, the projection of any
conclusions, based on our findings, to future periods is subject to the risk that
any changes or future events may alter the validity of such conclusions.
[Name of CA firm]
[City, Province]
Chartered Accountants
[Date]
Introduction
Introduction to Trust Service Principles and Criteria for Certification
Authorities Version 2.0
.01 This document provides a framework for third party assurance pro-
viders to assess the adequacy and effectiveness of the controls employed by
certification authorities (CAs). As a result of the technical nature of the activi-
ties involved in securing e-commerce transactions, this document also provides
a brief overview of public key infrastructure (PKI) using cryptography and
trusted third party concepts.
.02 This document replaces version 1.0 of the AICPA/Canadian Institute
of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Il-
lustrations for WebTrust for Certification Authorities (WebTrust Program for
Certification Authorities v1) that was issued in August 2000. Unlike version 1.0,
which was intended to be used by licensed WebTrust 1 practitioners only, this
version is regarded as "open-source" and can be used in the conduct of any as-
surance engagement, internal or external, by any third party service provider.
It also represents an effective benchmark for CAs to conduct self-assessments.
The public accounting profession has continued to play its role, with an intent
to increase consumer confidence in the application of PKI technology by estab-
lishing a basis for providing third party assurance to the assertions made by
CAs.
.03 This document was developed by an AICPA/CICA Task Force using International
Organization for Standardization (ISO) 21188, "Public key infrastructure for financial
service - Practices and policy Framework," and version 1.0 of the AICPA/CICA WebTrust
Program for Certification Authorities.
.04 Input and approval was also obtained from the Certification Authority
Browser Forum (CA/Browser Forum; see www.cabforum.org) for the content
and control activities contained in this framework. The CA/Browser Forum
was formed among CAs and vendors of Internet browser software and other
applications. This voluntary organization has worked collaboratively in defin-
ing guidelines and means of implementation for the Extended Validation (EV)
Secure Sockets Layer (SSL) Certificate standard as a way of providing a height-
ened security for Internet transactions and creating a more intuitive method
of displaying secure sites to Internet users.
1
WebTrust is an assurance services offering developed by the AICPA and Canadian Institute
of Chartered Accountants (CICA) that is based on the Trust Services Principles and Criteria. Prac-
titioners must be licensed by CICA to use these registered service marks. For more information on
licensure, see www.webtrust.org.
.05 The principles and criteria for CAs are consistent with standards
developed by the American National Standards Institute (ANSI), the Interna-
tional Organization for Standardization (ISO), and the Internet Engineering
Task Force (IETF). The principles and criteria are also consistent with the
practices established by the CA Browser Forum.
Importance of PKI
.06 PKI provides a means for relying parties (that is, recipients of certifi-
cates, who act in reliance on those certificates or digital signatures, or both,
verified using those certificates) to know that another individual's or entity's
public key actually belongs to that individual or entity. CA organizations or CA
functions, or both, have been established to address this need.
.07 Cryptography is critical to establishing secure e-commerce; however,
it has to be coupled with other secure protocols in order to provide a com-
prehensive security solution. Several cryptographic protocols require digital
certificates (in effect, electronic credentials) issued by an independent trusted
third party (the CA) to authenticate the transaction. CAs have assumed an
increasingly important role in secure e-commerce. Although a large body of
national, international, and proprietary standards and guidelines for the use
of cryptography, the management of digital certificates, and the policies and
practices of CAs exist, these standards have not been applied or implemented
uniformly.
.08 This version is titled, "Trust Services Principles and Criteria for Cer-
tification Authorities Version 2.0." These principles and criteria are intended
to address user (that is, subscriber and relying party) needs and concerns and
are designed to benefit users and providers of CA e-commerce assurance ser-
vices by providing a common body of knowledge that is communicated to such
parties.
Overview
What Is a Public Key Infrastructure?
.09 With the expansion of e-commerce, PKI is growing in importance and
will continue to be a critical enterprise security investment. PKI enables parties
to an e-commerce transaction to identify one another by providing authenti-
cation with digital certificates and allows reliable business communications
by providing confidentiality through the use of encryption and authentication
data integrity and a reasonable basis for nonrepudiation through the use of
digital signatures.
.10 PKI uses public and private key pairs, two mathematically related
keys. Typically, one of the keys is made public by posting it on the Internet, for
example, while the other remains private. Public key cryptography works in
such a way that a message encrypted with the public key can only be decrypted
with the private key and, conversely, a message signed with a private key can
only be verified with the public key. This technology can be used in different
ways to provide the four ingredients required for trust in e-commerce transac-
tions, namely confidentiality, authentication, integrity, and nonrepudiation.
.11 Using PKI, a subscriber (that is, an end entity [or individual] whose
public key is cryptographically bound to his or her identity in a digital cer-
tificate) has an asymmetric, cryptographic key pair (that is, a public key and
.12 A subscriber first obtains a public and private key pair (generated by
the subscriber, or for the subscriber, as a service). The subscriber then goes
through a registration process by submitting his or her public key to a certi-
fication authority or a registration authority (RA), which acts as an agent for
the CA. The CA or RA verifies the identity of the subscriber in accordance with
the CA's established business practices (that may be contained in a certifica-
tion practice statement), and then issues a digital certificate. The certificate
includes the subscriber's public key and identity information and is digitally
signed by the CA, which binds the subscriber's identity to that public key.
The CA also manages the subscriber's digital certificate through the certificate
life cycle (that is, from registration through revocation or expiration). In some
circumstances, it remains important to manage digital certificates even after
expiry or revocation so that digital signatures on stored documents held past
the revocation or expiry period can be validated at a later date.
.18 To determine whether the message came from the customer (that is,
authentication) and to determine whether the message has not been modified
(that is, integrity), the merchant validates the digital signature. To do so, the
merchant must obtain the customer's public key certificate. If the customer did
not send his or her public key certificate as part of the message, the merchant
would typically obtain the customer's public key certificate from an online
repository (maintained by the CA or another party acting as the agent of the CA
.19 Digital signatures can also be used to provide a basis for nonrepudi-
ation so that the signer cannot readily deny having signed the message. For
example, an online brokerage customer who purchases one thousand shares
of stock using a digitally signed order via the Internet should have a difficult
task if he or she later tries to deny (that is, repudiate) having authorized the
purchase.
.21 Extra care is required to secure the CA's signing private key, which is
used for signing user certificates. The trustworthiness of all certificates issued
by a CA depends on the CA's ability to protect its private signing key. CAs
securely back up their private signing key(s) for business continuity purposes
to allow the CA to continue to operate in the event that the CA's private signing
key is accidentally destroyed (but not compromised) as a result of hardware
failure, for example. Except for CA business continuity purposes, generally, no
technical or business reasons exist to back up a private signing key.
.22 On the other hand, and as cited earlier, it is often desirable that a
key pair used for encryption and decryption be securely backed up to ensure
that encrypted data can be recovered when a user forgets his or her password
or otherwise loses access to his or her decryption key. This is analogous to
requiring that the combination to a safe be backed up in case the user forgets
it or becomes incapacitated. As a result, a PKI typically requires two key pairs
for each user: one key pair for encryption and decryption and a second key pair
for signing and signature verification.
.27 The CA then notifies the subscriber of certificate issuance and gives
the subscriber an opportunity to review the contents of the certificate before it is
made public. Assuming the subscriber approves the accuracy of the certificate,
the subscriber will either publish the certificate or have the CA publish it
and make it available to other users. A repository is an electronic certificate
database that is available online. The repository may be maintained by the CA
or a third party contracted for that purpose by the subscriber or by any other
party. Subscribers may obtain other subscribers' certificates and certificate
status information from the repository. For example, if a subscriber's certificate
was revoked, the repository would indicate that the subscriber's certificate has
been revoked and should not be relied on. The ability to update the repository
is typically retained by the CA. Subscribers and other relying parties would
have read-only access to the repository. Because the certificates stored in the
repository are digitally signed by the CA, they cannot be maliciously changed
without detection, even if someone were to hack into the repository.
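Paragraphs .12, .18 and .27 describe three acts that the standard library of Go can show end to end: the CA signing a certificate that binds a subscriber's public key to an identity, the subscriber signing a message with the matching private key, and the relying party checking the certificate against a root it already trusts before it uses the public key inside it. The program below is an added example, not part of the AICPA document and not any CA's software. It issues a self-signed root, two subscriber certificates, and a second "Example Root CA" with a different key that stands in for an altered repository copy, then runs four relying-party checks: the genuine order, an order altered after signing (integrity), a signature from a genuine certificate in someone else's name (authentication), and a certificate for the right name that the trusted CA never signed (the .27 point that a CA-signed certificate cannot be changed without detection). The names Example Root CA, alice@example.test and mallory@example.test, the order text, and the in-memory keys are all constructed; a production CA keeps its signing key in hardware as .21 describes, and a real relying party would also check revocation status, which this example leaves out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demo only: key generation or issuance failed
	}
}

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return k
}

// newCert is the CA's signing act from .12: it binds name to pub by signing
// the certificate with signerKey. A nil parent yields a self-signed root.
func newCert(name string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, signerKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// signMessage is the subscriber's side of .18: a PKCS#1 v1.5 signature over
// the SHA-256 digest of msg, made with the subscriber's private signing key.
func signMessage(key *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	check(err)
	return sig
}

// verifyOrder is the relying party's side of .18 and .27: the certificate is
// accepted only if it chains to the trusted root and names the expected
// subscriber; only then is the public key inside it used to check sig.
func verifyOrder(root *x509.Certificate, certDER []byte, expectedName string, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("certificate does not parse: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.Subject.CommonName != expectedName {
		return errors.New("certificate names a different subscriber")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, msg, sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

// Demo runs issuance, signing and verification end to end and returns each
// relying-party check by name; a nil value means the order was accepted.
func Demo() map[string]error {
	caKey, aliceKey, malloryKey, rogueKey := genKey(), genKey(), genKey(), genKey()
	root := newCert("Example Root CA", true, &caKey.PublicKey, nil, caKey)
	alice := newCert("alice@example.test", false, &aliceKey.PublicKey, root, caKey)
	mallory := newCert("mallory@example.test", false, &malloryKey.PublicKey, root, caKey)
	// Same CA name, different key: what an attacker can plant in the repository.
	rogueRoot := newCert("Example Root CA", true, &rogueKey.PublicKey, nil, rogueKey)
	forged := newCert("alice@example.test", false, &malloryKey.PublicKey, rogueRoot, rogueKey)
	order := []byte("BUY 1000 ACME AT MARKET") // constructed sample order
	sig, msig := signMessage(aliceKey, order), signMessage(malloryKey, order)
	return map[string]error{
		"genuine order":      verifyOrder(root, alice.Raw, "alice@example.test", order, sig),
		"altered order":      verifyOrder(root, alice.Raw, "alice@example.test", []byte("BUY 9000 ACME AT MARKET"), sig),
		"wrong subscriber":   verifyOrder(root, mallory.Raw, "alice@example.test", order, msig),
		"forged certificate": verifyOrder(root, forged.Raw, "alice@example.test", order, msig),
	}
}
```

Call Demo() from a main or a test and print the map: only "genuine order" comes back nil. The order of checks in verifyOrder is the point of the example: the chain to the trusted root is established first, the identity in the certificate is compared with the identity the relying party expected second, and the signature is checked last, because a valid signature under an untrusted or wrongly-named certificate proves nothing about who signed.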
.28 The following diagram illustrates the relationship between the sub-
scriber and the RA and CA functions.
.29 External registration authorities are required to comply with the rel-
evant provisions of the CA's business practices disclosures, often documented
in a certification practice statement and applicable certificate policy(s). In per-
forming a WebTrust Program for Certification Authorities engagement, the
practitioner must consider how the CA handles the RA function and whether
the RA function is within the scope of the examination. For example, a CA that
2 See www.cabforum.org.
.35 The following diagram illustrates the structure and relationships be-
tween CAs and subscribers operating in a hierarchical model.
.37 The following diagram illustrates the structure and relationships be-
tween CAs and subscribers operating in a cross-certified (shared trust) model.
3 International Telecommunications Union-Telecommunication Standardization Sector Recommendation X.509 (1997) was also standardized by the International Organization for Standardization (ISO) as ISO/IEC 9594-8.
CA Principles
CA Business Practices Disclosure
.43 The certification authority (CA)
• discloses its business, key life cycle management, certificate life cycle management, and CA environmental control practices in its certification practice statement and
• discloses its business, key life cycle management, certificate life cycle management, and CA environmental control policies in its certificate policy (if applicable).
.44 The CA maintains effective controls to provide reasonable assurance
that
• the CA's certification practice statement is consistent with its certificate policy (if applicable), and
• the CA provides its services in accordance with its certificate policy (if applicable) and certification practice statement (CPS).
.45 The CA must disclose its key and certificate life cycle management
business and information privacy practices. Information regarding the CA's
business practices should be made available to all subscribers and all potential
relying parties, typically by posting on its website. Such disclosure may be
contained in a certificate policy (CP) or CPS, or both, or in other informative
materials that are available to users (subscribers and relying parties).
Service Integrity
.46 The certification authority (CA) maintains effective controls to provide
reasonable assurance that
• the integrity of keys and certificates it manages is established and protected throughout their life cycles;
• the subscriber information is properly authenticated (for the registration activities performed by ABC Certification Authority, Inc.); and
• subordinate CA certificate requests are accurate, authenticated, and approved.
.47 Effective key management controls and practices are essential to the
trustworthiness of the public key infrastructure. Cryptographic key manage-
ment controls and practices cover CA key generation, CA key storage, backup
and recovery, CA public key distribution (especially when done in the form
of self-signed root certificates), CA key escrow (if applicable), CA key usage,
CA key destruction, CA key archival, the management of CA cryptographic
hardware through its life cycle, and CA-provided subscriber key management
services (if applicable).
Strong key life cycle management controls are vital to guard against key com-
promise, which can damage the integrity of the public key infrastructure.
.48 The user certificate life cycle is at the core of the services provided by
the CA. The CA establishes its standards and practices by which it will deliver
services in its published certification practice statement and certificate policy.
The user certificate life cycle includes the following:
• Registration (that is, the identification and authentication process related to binding the individual subscriber to the certificate)
• The renewal of certificates (if applicable)
• The rekey of certificates
• The revocation of certificates
• The suspension of certificates (if applicable)
• The timely publication of certificate status information (through certificate revocation lists or some form of online certificate status protocol)
• The management of integrated circuit cards (ICCs) holding private keys through their life cycle (if applicable)
.49 Effective controls over the registration process are essential because
poor identification and authentication controls jeopardize the ability of
subscribers and relying parties to rely on the certificates issued by the CA.
Effective revocation procedures and timely publication of certificate status
information are also critical, because subscribers and relying parties must be
able to learn when certificates issued by the CA can no longer be relied on.
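As an added illustration, not part of the AICPA text or of any CA's software, the Go program below plays the CA, the repository of paragraph .27 and a relying party consulting the certificate status information of paragraphs .48 and .49: the CA issues subscriber certificates and publishes a signed CRL, and the relying party verifies the CA's signature on both before trusting an entry, so a certificate whose stored bytes were altered in the repository is rejected and a revoked one is reported as such. The names (Example Root CA, alice, bob), the serial numbers and the self-signed root are constructed for the example; Go 1.19 or later is assumed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the constructed setup short
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert generates a key pair and a certificate for cn signed by ca; with ca == nil
// it self-signs (the example's root; real root keys come from a key ceremony).
func makeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca == nil { // root: may sign certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		ca, caKey = tmpl, key
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)), key
}

// publishCRL is the CA's publication of certificate status information (paragraph
// .48): a signed list of revoked serials that is only valid until NextUpdate.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(12 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// checkStatus is the relying party's read-only use of the repository: verify the CA's
// signature on the certificate, then on the CRL, then look up the serial. It returns
// "trusted", "revoked", or "invalid" with the reason in err.
func checkStatus(ca *x509.Certificate, certDER, crlDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err == nil {
		err = cert.CheckSignatureFrom(ca) // fails if any byte the CA signed over changed
	}
	if err != nil {
		return "invalid", fmt.Errorf("certificate cannot be relied on: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return "invalid", fmt.Errorf("status information cannot be relied on: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return "invalid", fmt.Errorf("CRL is past its NextUpdate; fetch a fresh one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "trusted", nil
}

// scenario fills a repository (a map standing in for the online database of paragraph
// .27) and returns the status a relying party computes for each entry.
func scenario() map[string]string {
	rootDER, caKey := makeCert(nil, nil, "Example Root CA", 1)
	ca := must(x509.ParseCertificate(rootDER))
	alice, _ := makeCert(ca, caKey, "alice", 1001)
	bob, _ := makeCert(ca, caKey, "bob", 1002)
	// Someone with write access to the repository edits the stored subject bytes in
	// place: the DER still parses, but the CA's signature covers those bytes.
	repo := map[string][]byte{"alice": alice, "bob": bob,
		"alice-tampered": bytes.Replace(alice, []byte("alice"), []byte("alicf"), 1)}
	crl := publishCRL(ca, caKey, 1002) // bob's certificate has been revoked
	out := map[string]string{}
	for cn, der := range repo {
		out[cn], _ = checkStatus(ca, der, crl)
	}
	return out
}

func main() {
	fmt.Println(scenario()) // map[alice:trusted alice-tampered:invalid bob:revoked]
}
```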
CA Environmental Controls
.50 The certification authority (CA) maintains effective controls to provide
reasonable assurance that
• logical and physical access to CA systems and data are restricted to authorized individuals;
• the continuity of key and certificate management operations is maintained; and
• CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity.
.51 The establishment and maintenance of a trustworthy CA environment
is essential to the reliability of the CA's business processes. Without strong CA
environmental controls, strong key and certificate life cycle management con-
trols are severely diminished in value. CA environmental controls include cer-
tification practice statement and certificate policy management, security pol-
icy management, security management, asset classification and management,
personnel security, physical and environmental security of the CA facility, op-
erations management, system access management, systems development and
maintenance, business continuity management, monitoring and compliance,
and event journaling.
Criteria:
The certification authority (CA) discloses its business practices, including,
but not limited to, the topics listed in RFC 3647, RFC 2527, or WebTrust
Program for Certification Authorities v1 CA Business Practices Disclosure
Criteria (see appendix A) in its certification practice statement.
4 In the event that a replacement for Request for Comments 3647 is issued at a future date, that version could also be used.
Criteria:
The certification authority discloses its business practices, including, but
not limited to, the topics listed in RFC 3647, RFC 2527, or WebTrust
Program for Certification Authorities v1 (see appendix A) in its certificate
policy.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that its certificate policy management process is effective.
Illustrative Controls:
Certificate Policy Management
1 The policy authority (PA) has the responsibility of defining the
business requirements and policies for using digital certificates and
specifying them in a certificate policy (CP) and supporting
agreements.
2 The PA has final authority and responsibility for specifying and
approving CP(s).
3 CP(s) are approved by the PA in accordance with a defined review
process, including responsibilities for maintaining and tracking
changes to the CP(s).
4 A defined review process exists to assess that the CP(s) are capable
of being supported by the controls specified in the certification practice
statement.
5 The PA makes available the CPs supported by the CA to subscribers
and relying parties.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that its certification practice statement management processes
are effective.
Illustrative Controls:
Certification Practice Statement Management
1 The policy authority (PA) has final authority and responsibility for
approving the CA's certification practice statement (CPS).
2 Responsibilities for maintaining the CPS have been formally
assigned.
3 The CA's CPS is modified and approved in accordance with a defined
review process.
4 The CA makes available its CPS to all appropriate parties.
5 Revisions to the CA's CPS are made available to appropriate parties.
6 The CA updates its CPS to reflect changes in the environment as
they occur.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that its certification practice statement (CPS) addresses the
topics included in its certificate policy (CP).
Illustrative Controls:
CP and CPS Consistency
1 The policy authority (PA) is responsible for ensuring that the CA's
control processes, as stated in a CPS or equivalent, fully comply
with the requirements of the CP.
2 The CA addresses the requirements of the CP when developing its
CPS.
3 The CA assesses the impact of proposed CPS changes to ensure that
they are consistent with the CP.
4 A defined review process exists to ensure that CP(s) are supported
by the CA's CPS.
3. CA Environmental Controls
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
• security is planned, managed, and supported within the organization;
• security risks are identified and managed;
• the security of CA facilities, systems, and information assets accessed by third parties is maintained; and
• the security of subscriber and relying party information is maintained when the responsibility for CA subfunctions has been outsourced to another organization or entity.
Illustrative Controls:
Information Security Policy
1 An information security policy document (that includes physical,
personnel, procedural, and technical controls), is approved by
management, published, and communicated to all employees.
2 The information security policy includes the following:
a. A definition of information security, its overall objectives and
scope, and the importance of security as an enabling mechanism
for information sharing
b. A statement of management intent, supporting the goals and
principles of information security
c. An explanation of the security policies, principles, standards, and
compliance requirements of particular importance to the
organization
d. A definition of general and specific responsibilities for
information security management, including reporting security
incidents
e. References to documentation, which supports the policy
3 A defined review process exists for maintaining the information
security policy, including responsibilities and review dates.
Information Security Infrastructure
4 Senior management or a high-level management information
security committee, or both, have the responsibility to ensure there
is clear direction and management support to manage risks
effectively.
5 A management group or security committee exists to coordinate the
implementation of information security controls and the
management of risk.
6 Responsibilities for the protection of individual assets and for
carrying out specific security processes are clearly defined.
7 A management authorization process for new information
processing facilities exists and is followed.
Security of Third Party Access
8 Procedures exist and are enforced to control physical and logical
access to CA facilities and systems by third parties (for example,
on-site contractors, trading partners, and joint ventures).
9 If a business need exists for the CA to allow third party access to CA
facilities and systems, a risk assessment is performed to determine
security implications and specific control requirements.
10 Arrangements involving third party access to CA facilities and
systems are based on a formal contract containing necessary
security requirements.
Outsourcing
11 If the CA outsources the management and control of all or some of
its information systems, networks, or desktop environments, the
CA's security requirements are addressed in a contract agreed upon
between the parties.
12 If the CA chooses to delegate a portion of the CA roles and respective
functions to another party, the CA maintains responsibility for the
completion of the outsourced functions and for the definition and
maintenance of its certification practice statement.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA assets and subscriber and relying party information
receive an appropriate level of protection based upon identified risks and in
accordance with the CA's disclosed business practices.
Illustrative Controls:
1 Owners are identified for all CA assets and assigned responsibility
for the protection of the assets.
2 Inventories of CA assets are maintained.
3 The CA has implemented information classification and associated
protective controls for information based on business needs and the
business impacts associated with such needs.
4 Information labeling and handling are performed in accordance
with the CA's information classification scheme and documented
procedures.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that personnel and employment practices enhance and support
the trustworthiness of the CA's operations.
Illustrative Controls:
1 The CA employs personnel (that is, employees and contractors) who
possess the relevant skills, knowledge, and experience required for
the job function.
2 Security roles and responsibilities, as specified in the organization's
security policy, are documented in job descriptions.
3 Trusted roles, on which the security of the CA's operation is
dependent, are clearly identified. Trusted roles include, at a
minimum, the following responsibilities:
a. Overall responsibility for administering the implementation of
the CA's security practices
b. Approval of the generation, revocation, and suspension of
certificates
c. Installation, configuration, and maintenance of the CA systems
d. Day-to-day operation of CA systems and system backup and
recovery
e. Viewing and maintenance of CA system archives and audit logs
f. Cryptographic key life cycle management functions (for example,
key component custodians)
g. CA systems development
4 The CA's policies and procedures specify the background checks and
clearance procedures required for trusted roles and nontrusted
roles. As a minimum, verification checks on permanent staff are
performed at the time of job application and periodically for those
individuals undertaking trusted roles.
5 An individual's trusted status is approved prior to gaining access to
systems and facilities or performing actions requiring trusted status.
6 CA employees and trusted roles sign a confidentiality
(nondisclosure) agreement as a condition of employment.
7 Contractors who perform trusted roles are subject to at least the
same background check and personnel management procedures as
employees.
8 Any contract arrangement between the CA and contractors for the
provision of temporary contract personnel explicitly allows the
organization to take measures against contract staff who violate the
organization's security policies. Protective measures may include
a. bonding requirements on contract personnel;
b. indemnification for damages due to willful, harmful actions by
contract personnel; and
c. financial penalties.
9 Periodic reviews occur to verify the continued trustworthiness of
personnel involved in the activities related to key management and
certificate management.
10 A formal disciplinary process exists and is followed for employees
who have violated organizational security policies and procedures.
The CA's policies and procedures specify the sanctions against
personnel for unauthorized actions, unauthorized use of authority,
and unauthorized use of systems.
11 Physical and logical access to CA facilities and systems is disabled
upon termination of employment.
12 If required based on a risk assessment, duress alarms are provided
for users who might be the target of coercion.
13 All employees of the organization and, when relevant, third party
contractors, receive appropriate training in organizational policies
and procedures. The CA's policies and procedures specify the
following:
a. The training requirements and training procedures for each role
b. Any retraining period and retraining procedures for each role
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
• physical access to CA facilities and equipment is limited to authorized individuals, protected through restricted security perimeters, and is operated under multiple person (at least dual custody) control;
• CA facilities and equipment are protected from environmental hazards;
• loss, damage, or compromise of assets and interruption to business activities are prevented; and
• compromise of information and information processing facilities is prevented.
Illustrative Controls:
CA Facility Physical Security
1 Entry to the building or site containing the CA's certificate
manufacturing facility is achieved only through a limited number of
controlled access points.
2 All critical CA operations take place within a physically secure
facility with at least four layers of security to access sensitive
hardware or software. Such systems are physically separated from
the organization's other systems so that only authorized employees
of the CA can access them.
3 A manned reception area or other means to control physical access
is in place to restrict access to the building or site housing CA
operations to authorized personnel only.
4 Physical barriers are in place (for example, solid walls that extend
from real floor to real ceiling) to prevent unauthorized entry and
environmental contamination to the CA's certificate manufacturing
facility.
5 Physical barriers are in place (for example, Faraday cage) to prevent
electromagnetic radiation emissions for all root CA operations (for
example, key generation and certification of CA certificates) as
disclosed in certificate policy or certification practice statement, or
both.
6 Fire doors on security perimeters around CA operational facilities
are alarmed and conform to local fire regulations.
7 Intruder detection systems are installed and regularly tested to
cover all external doors of the building housing the CA operational
facilities.
8 CA operational facilities are physically locked and alarmed when
unoccupied.
9 All personnel are required to wear visible identification. Employees
are encouraged to challenge anyone not wearing visible
identification.
10 Access to CA operational facilities is controlled and restricted to
authorized persons through the use of multifactor authentication
controls.
11 All personnel entering and leaving CA operational facilities are
logged (that is, an audit trail of all access is securely maintained).
12 Entry, exit, and activities within CA facilities are monitored by
cameras.
13 Visitors to CA facilities are supervised and their date and time of
entry and departure recorded.
14 Third party support services personnel are granted restricted access
to secure CA operational facilities only when required, and such
access is authorized and accompanied.
15 Access rights to CA facilities are regularly reviewed and updated.
Equipment Security
16 The CA maintains an equipment inventory.
17 Equipment is sited or protected to reduce the risks from
environmental threats and hazards and opportunities for
unauthorized access.
18 Equipment is protected from power failures and other electrical
anomalies.
19 Power and telecommunications cabling within the facility housing the
CA operation, and cabling carrying data or supporting CA services, are
protected from interception or damage.
20 Equipment is maintained in accordance with the manufacturer's
instructions or other documented procedures, or both.
21 All items of equipment containing storage media (fixed and
removable disks) are checked to ensure that they do not contain
sensitive data prior to their disposal. Storage media containing
sensitive data are physically destroyed or securely overwritten prior
to disposal or reuse.
General Controls
22 Sensitive or critical business information is locked away when not
required and when the CA facility is vacated.
23 Procedures require that personal computers and workstations are
logged off or protected by key locks, passwords, or other controls
when not in use.
24 The movement of materials to and from the CA facility requires
prior authorization.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
• the correct and secure operation of CA information processing facilities is ensured;
• the risk of CA systems failure is minimized;
• the integrity of CA systems and information is protected against viruses and malicious software;
• damage from security incidents and malfunctions is minimized through the use of incident reporting and response procedures; and
• media are securely handled to protect them from damage, theft, and unauthorized access.
Illustrative Controls:
Operational Procedures and Responsibilities
1 CA operating procedures are documented and maintained for each
functional area.
2 Formal management responsibilities and procedures exist to control all
changes to CA equipment, software, and operating procedures.
3 Duties and areas of responsibility are segregated in order to reduce
opportunities for unauthorized modification or misuse of information or
services.
4 Development and testing facilities are separated from operational
facilities.
5 Prior to using external facilities management services, risks and related
controls are identified, agreed upon with the contractor, and
incorporated into the contract.
System Planning and Acceptance
6 Capacity demands are monitored and projections of future capacity
requirements made to ensure that adequate processing power and
storage are available.
7 Acceptance criteria for new information systems, upgrades, and new
versions are established and suitable tests of the system carried out
prior to acceptance.
Protection Against Viruses and Malicious Software
8 Detection and prevention controls to protect against viruses and
malicious software are implemented. Employee awareness programs are
in place.
Incident Reporting and Response
9 A formal security incident reporting procedure exists, setting out the
actions to be taken upon receipt of an incident report. This includes a
definition and documentation of assigned responsibilities and escalation
procedures. Any incidents are reported to the policy authority as a
matter of urgency.
10 Users of CA systems are required to note and report observed or
suspected security weaknesses in, or threats to, systems or services as
they are detected.
11 Procedures exist and are followed for reporting hardware and software
malfunctions.
12 Procedures exist and are followed to assess that corrective action is
taken for reported incidents.
13 A formal problem management process exists that allows the types,
volumes, and impacts of incidents and malfunctions to be documented,
quantified, and monitored.
Media Handling and Security
14 Procedures for the management of removable computer media require
the following:
a. If no longer required, the previous contents of any reusable media
that are to be removed from the organization are erased or media is
destroyed.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA system access is limited to authorized individuals. Such
controls provide reasonable assurance that
• operating system and database access is limited to authorized individuals with predetermined task privileges;
• access to network segments housing CA systems is limited to authorized individuals, applications, and services; and
• CA application use is limited to authorized individuals.
Illustrative Controls:
User Access Management
1 Business requirements for access control are defined and
documented in an access control policy that includes at least the
following:
a. Roles and corresponding access permissions
b. Identification and authentication process for each user
c. Segregation of duties
d. Number of persons required to perform specific CA operations
(that is, m of n rule, where m represents the number of key
shareholders required to perform an operation, and n represents
the total number of key shares)
2 A formal user registration and deregistration procedure for access to
CA information systems and services exists.
3 The allocation and use of privileges is restricted and controlled.
4 The allocation of passwords is controlled through a formal
management process.
5 Access rights for users with trusted roles are reviewed at regular
intervals and updated.
6 Users are required to follow defined policies and procedures in the
selection and use of passwords.
7 Users are required to ensure that unattended equipment has
appropriate protection.
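The m of n rule in item 1(d) above is normally implemented with a threshold secret-sharing scheme. The Go code below is an added example, not from the AICPA text or from any CA product, of Shamir's scheme with arithmetic modulo the prime 2^521 - 1: a constructed 32-byte key component is split into n = 5 shares, any m = 3 of which reconstruct it, and Activate refuses the operation when fewer than m custodians present their shares. The sample key and the custodian numbering are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Shares are points on a random polynomial over GF(p), p = 2^521 - 1 (a Mersenne
// prime), so any secret of up to 64 bytes (a 256-bit key, for example) fits.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's key component.
type Share struct {
	X   int      // custodian index 1..n; x = 0 is the secret itself and is never issued
	Y   *big.Int // f(X) mod prime
	Len int      // secret length in bytes, so leading zero bytes survive reconstruction
}

// Split issues n shares such that any m of them reconstruct secret:
// f(x) = secret + a1*x + ... + a(m-1)*x^(m-1) with uniformly random a_i, so any
// m-1 shares are consistent with every possible secret.
func Split(secret []byte, m, n int) ([]Share, error) {
	if m < 1 || n < m || n > 255 || len(secret) > 64 {
		return nil, errors.New("need 1 <= m <= n <= 255 and a secret of at most 64 bytes")
	}
	coeffs := []*big.Int{new(big.Int).SetBytes(secret)}
	for i := 1; i < m; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, 0, n)
	for x := 1; x <= n; x++ {
		y, bx := new(big.Int), big.NewInt(int64(x))
		for i := len(coeffs) - 1; i >= 0; i-- { // Horner evaluation mod prime
			y.Mul(y, bx).Add(y, coeffs[i]).Mod(y, prime)
		}
		shares = append(shares, Share{X: x, Y: y, Len: len(secret)})
	}
	return shares, nil
}

// Combine interpolates f(0) from the shares given (Lagrange interpolation). With
// fewer than m distinct shares the value is a random field element, not the
// secret; the size check below catches that case with overwhelming probability.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	acc := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if si.X == sj.X {
				return nil, errors.New("duplicate share index")
			}
			xi, xj := big.NewInt(int64(si.X)), big.NewInt(int64(sj.X))
			num.Mul(num, xj).Mod(num, prime)                       // * x_j
			den.Mul(den, new(big.Int).Sub(xj, xi)).Mod(den, prime) // * (x_j - x_i)
		}
		term := new(big.Int).ModInverse(den, prime)
		term.Mul(term, num).Mul(term, si.Y).Mod(term, prime)
		acc.Add(acc, term).Mod(acc, prime)
	}
	if acc.BitLen() > 8*shares[0].Len {
		return nil, errors.New("reconstructed value does not fit: threshold not met or share corrupted")
	}
	return acc.FillBytes(make([]byte, shares[0].Len)), nil
}

// Activate models the control itself: the key operation proceeds only when at
// least m custodians have presented their components.
func Activate(present []Share, m int) ([]byte, error) {
	if len(present) < m {
		return nil, fmt.Errorf("m of n rule: %d components presented, %d required", len(present), m)
	}
	return Combine(present[:m])
}

func main() {
	key := []byte("constructed 32-byte key material") // stands in for a CA key component
	shares, err := Split(key, 3, 5)
	if err != nil {
		panic(err)
	}
	// Custodians 5, 2 and 4 attend the ceremony; custodians 1 and 3 do not.
	recovered, err := Activate([]Share{shares[4], shares[1], shares[3]}, 3)
	fmt.Printf("3 of 5 present: %q, err=%v\n", recovered, err)
	_, err = Activate(shares[:2], 3)
	fmt.Println("2 of 5 present:", err)
}
```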
Network Access Control
8 CA employed personnel are provided direct access only to the
services that they have been specifically authorized to use. The path
from the user terminal to computer services is controlled.
9 Remote access to CA systems made by CA employees or external
systems, if permitted, requires authentication.
10 Connections made by CA employees or CA systems to remote
computer systems are authenticated.
11 Access to diagnostic ports is securely controlled.
12 Controls (for example, firewalls) are in place to protect the CA's
internal network domain from any unauthorized access from any
other domain.
13 Controls are in place to limit the network services (for example,
HTTP, FTP, and so forth) available to authorized users in
accordance with the CA's access control policies. The security
attributes of all network services used by the CA organization are
documented by the CA.
14 Routing controls are in place to ensure that computer connections
and information flows do not breach the CA's access control policy.
15 The CA maintains local network components (for example, firewalls
and routers) in a physically secure environment and audits their
configurations periodically for compliance with the CA's
configuration requirements.
16 Sensitive data is encrypted when exchanged over public or
untrusted networks.
Operating System and Database Access Control
17 Operating systems and databases are configured in accordance with
the CA's system configuration standards and periodically reviewed
and updated.
18 Operating system and database patches and updates are applied in
a timely manner when deemed necessary based on a risk
assessment.
19 Automatic terminal identification is used to authenticate
connections to specific locations and to portable equipment.
20 Access to CA systems requires a secure logon process.
21 All CA personnel users have a unique identifier (user ID) for their
personal and sole use so that activities can be traced to the
responsible individual. When shared or group accounts are required,
other monitoring controls are implemented to maintain individual
accountability.
22 Uses of system utility programs are restricted to authorized
personnel and tightly controlled.
23 Inactive terminals serving CA systems require reauthentication
prior to use.
24 Restrictions on connection times are used to provide additional
security for high risk applications.
25 Sensitive data is protected against disclosure to unauthorized users.
Application Access Control
26 Access to information and application system functions is restricted
in accordance with the CA's access control policy.
27 CA personnel are successfully identified and authenticated before
using critical applications related to certificate management.
28 Sensitive systems (for example, root CA) require a dedicated
(isolated) computing environment.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA systems development and maintenance activities are
documented, tested, authorized, and properly implemented to maintain CA
system integrity.
Illustrative Controls:
1 Business requirements for new systems or enhancements to existing
systems specify the control requirements.
2 Software testing and change control procedures exist and are
followed for the implementation of software on operational systems,
including scheduled software releases, modifications, and
emergency software fixes.
3 Change control procedures exist and are followed for the hardware,
network component, and system configuration changes.
4 Test data is protected and controlled.
5 Control is maintained over access to program source libraries.
6 Application systems are reviewed and tested when operating system
changes occur.
7 The implementation of changes is strictly controlled by the use of
formal change control procedures to minimize the risk of corruption
of information systems.
8 Modifications to software packages are discouraged, and all changes
are strictly controlled.
9 The purchase, use, and modification of software are controlled and
checked to protect against possible covert channels and Trojan code.
This includes the authentication of the source of the software. These
controls apply equally to outsourced software development.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance of continuity of operations in the event of a disaster. Such
controls include, at a minimum
• the development and testing of a CA business continuity plan that includes a disaster recovery process for critical components of the CA system;
• the storage of required cryptographic materials (that is, secure cryptographic device and activation materials) at an alternate location;
• the storage of backups of systems, data, and configuration information at an alternate location; and
• the availability of an alternate site, equipment, and connectivity to enable recovery.
The CA maintains controls to provide reasonable assurance that potential
disruptions to subscribers and relying parties are minimized as a result of
the cessation or degradation of the CA's services.
Illustrative Controls:
1 The CA has a managed process for developing and maintaining its
business continuity plans. The CA has a business continuity
planning strategy based on an appropriate risk assessment.
2 The CA has a business continuity plan to maintain or restore the
CA's operations in a timely manner following interruption to, or
failure of, critical CA processes. The CA's business continuity plan
addresses the following:
a. The conditions for activating the plans
b. Emergency procedures
c. Fallback procedures
d. Resumption procedures
e. A maintenance schedule for the plan
f. Awareness and education requirements
g. The responsibilities of the individuals
h. Recovery time objective
i. Regular testing of contingency plans
3 The CA's business continuity plans include disaster recovery
processes for all critical components of a CA system, including the
hardware, software, and keys, in the event of a failure of one or
more of these components. Specifically
a. cryptographic devices used for storage of backup CA private keys
are securely stored at an off-site location in order for the CA to
recover in the event of a disaster at the primary CA facility; and
b. the requisite secret key shares or key components needed to use
and manage the disaster recovery cryptographic devices are
securely stored at an off-site location.
4 Backup copies of essential business information are regularly taken.
The security requirements of these copies are consistent with the
controls for the information backed up.
5 The CA identifies and arranges for an alternate site where core
public key infrastructure operations can be restored in the event of a
disaster at the CA's primary site. Fallback equipment and backup
media are sited at a safe distance to avoid damage from disaster at
the main site.
6 The CA's business continuity plans include procedures for securing
its facility to the extent possible during the period of time following
a disaster and prior to restoring a secure environment either at the
original or a remote site.
7 The CA's business continuity plans address the recovery procedures
used if computing resources, software, or data are corrupted or
suspected to be corrupted.
8 Business continuity plans are tested regularly to ensure that they
are up to date and effective.
9 Business continuity plans define an acceptable system outage time,
recovery time, and the average time between failures as disclosed in
the certificate policy (CP) or certification practice statement (CPS),
or both.
10 Business continuity plans are maintained by regular reviews and
updates to ensure their continuing effectiveness.
11 The CA maintains procedures for the termination, notification of
affected entities, and for transferring relevant archived CA records
to a custodian as disclosed in the CP or CPS, or both.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
it conforms with the relevant legal, regulatory, and contractual
requirements;
compliance with the CA's security policies and procedures is ensured;
the effectiveness of the system audit process is maximized and
interference to and from the system audit process is minimized; and
unauthorized CA system usage is detected.
Illustrative Controls:
Compliance With Legal Requirements
1 Relevant statutory, regulatory, and contractual requirements are
explicitly defined and documented.
2 The CA has implemented procedures to comply with legal
restrictions on the use of material in respect of intellectual property
rights and on the use of proprietary software products.
3 Controls are in place to ensure compliance with national
agreements, laws, regulations, or other instruments to control the
access to, or use of, cryptographic hardware and software.
4 Procedures exist to ensure that personal information is protected in
accordance with relevant legislation.
5 The information security policy addresses the following:
a. The information that must be kept confidential by CA or
registration authority
b. The information that is not considered confidential
c. The policy on release of information to law enforcement officials
d. Information that can be revealed as part of civil discovery
e. The conditions upon which information may be disclosed with
the subscriber's consent
f. Any other circumstances under which confidential information
may be disclosed
6 CA records are protected from loss, unauthorized destruction, and
falsification.
7 Management authorizes the use of information processing facilities,
and controls are applied to prevent the misuse of such facilities.
Review of Security Policy and Technical Compliance
8 Managers are responsible for ensuring that security procedures
within their area of responsibility are carried out correctly.
9 The CA's operations are subject to regular review to ensure timely
compliance with its certification practice statement.
10 CA systems are periodically checked for compliance with security
implementation standards.
System Audit Process
11 Audits of operational systems are planned and agreed to minimize
the risk of disruptions to business processes.
12 Access to system audit tools is protected to prevent possible misuse
or compromise.
Monitoring System Access and Use
13 Procedures for monitoring the use of CA systems are established,
which include the timely identification and follow up of
unauthorized or suspicious activity. Alerting mechanisms are
implemented to detect unauthorized access.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
significant CA environmental, key management, and certificate
management events are accurately and appropriately logged;
the confidentiality and integrity of current and archived audit logs are
maintained;
audit logs are completely and confidentially archived in accordance with
disclosed business practices; and
audit logs are reviewed periodically by authorized personnel.
Illustrative Controls:
Audit Logs
1 The CA generates automatic (electronic) and manual audit logs in
accordance with the requirements of the certificate policy (CP) or
certification practice statement (CPS).
2 All journal entries include the following elements:
a. Date and time of the entry
b. Serial or sequence number of entry (for automatic journal
entries)
c. Kind of entry
d. Source of entry (for example, terminal, port, location, customer,
and so forth)
e. Identity of the entity making the journal entry
Events Logged
3 The CA logs the following CA and subscriber (if applicable) key life
cycle management related events:
a. CA key generation
b. Installation of manual cryptographic keys and the outcome (with
the identity of the operator)
c. CA key backup
d. CA key storage
e. CA key recovery
f. CA key escrow activities (if applicable)
g. CA key usage
h. CA key archival
i. Withdrawal of keying material from service
j. CA key destruction
k. Identity of the entity authorizing a key management operation
l. Identity of the entities handling any keying material (such as
key components or keys stored in portable devices or media)
m. Custody of keys and of devices or media holding keys
n. Compromise of a private key
4 The CA logs the following cryptographic device life cycle
management related events:
a. Device receipt and installation
b. Placing into or removing a device from storage
c. Device activation and usage
d. Device deinstallation
e. Designation of a device for service and repair
f. Device retirement
5 If the CA provides subscriber key management services, the CA logs the
following subscriber key life cycle management related events:
a. Key generation
b. Key distribution (if applicable)
c. Key backup (if applicable)
d. Key escrow (if applicable)
e. Key storage
f. Key recovery (if applicable)
g. Key archival (if applicable)
h. Key destruction
i. Identity of the entity authorizing a key management operation
j. Key compromise
6 The CA records (or requires that the registration authority [RA] record)
the following certificate application information:
a. The method of identification applied, and information used to meet,
subscriber requirements
b. Record of unique identification data, numbers, or a combination
thereof (for example, applicant's driver's license number) of
identification documents, if applicable
c. Storage location of copies of applications and identification
documents
d. Identity of entity accepting the application
e. Method used to validate identification documents, if any
f. Name of receiving CA or submitting RA, if applicable
g. The subscriber's acceptance of the subscriber agreement
h. When required under privacy legislation, the subscriber's consent to
allow the CA to keep records containing personal data, pass this
information to specified third parties, and publication of certificates
7 The CA logs the following certificate life cycle management related
events:
a. Receipt of requests for certificate(s), including initial certificate
requests, renewal requests, and rekey requests
b. Submissions of public keys for certification
c. Change of affiliation of an entity
d. Generation of certificates
e. Distribution of the CA's public key
f. Certificate revocation requests
g. Certificate revocation
h. Certificate suspension requests (if applicable)
i. Certificate suspension and reactivation
j. Generation and issuance of certificate revocation lists
8 The CA logs the following security-sensitive events:
a. Security-sensitive files or records read or written, including the audit
log itself
b. Actions taken against security-sensitive data
c. Security profile changes
d. Use of identification and authentication mechanisms, both successful
and unsuccessful (including multiple failed authentication attempts)
e. System crashes, hardware failures, and other anomalies
f. Actions taken by individuals in trusted roles, computer operators,
system administrators, and system security officers
g. Change of affiliation of an entity
h. Decisions to bypass encryption and authentication processes or
procedures
i. Access to the CA system or any component thereof
9 Audit logs do not record the private keys in any form (for example,
plaintext or enciphered).
10 CA computer system clocks are synchronized for accurate recording as
defined in the CP or CPS, or both, that specifies the accepted time
source.
Audit Log Protection
11 Current and archived audit logs are maintained in a form that prevents
their modification, substitution, or unauthorized destruction.
12 Digital signatures are used to protect the integrity of audit logs when
applicable or when required to satisfy legal requirements.
13 The private key used for signing audit logs is not used for any other
purpose. This applies equally to a symmetric secret key used with a
symmetric message authentication code (MAC) mechanism.
Audit Log Archival
14 The CA archives audit log data on a periodic basis as disclosed in the CP
or CPS, or both.
15 In addition to possible regulatory stipulation, a risk assessment is
performed to determine the appropriate length of time for retention of
archived audit logs.
16 The CA maintains archived audit logs at a secure off-site location for a
predetermined period as determined by risk assessment and legal
requirements.
Review of Audit Logs
17 Current and archived audit logs are only retrieved by authorized
individuals for valid business or security reasons.
18 Audit logs are reviewed periodically according to the practices
established in the CPS. The review of current and archived audit logs
includes a validation of the audit logs' integrity and the timely
identification and follow-up of unauthorized or suspicious activity.
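The journal elements required by control 2 (date and time, sequence number, kind, source, identity), the dedicated MAC key of control 13, the prohibition on logging private keys in control 9 and the integrity validation at review time in control 18 can be met by a single mechanism: a chained journal in which every record carries an HMAC, computed under a key used for nothing else, over the record and the previous record's tag. The Python below is an added example written for this edition, not text or code from the criteria; the MAC key, the journal records, the field names and the tampering scenarios are all constructed for illustration.

```python
# Added example (not from the criteria): a CA audit journal whose records are
# chained with HMAC under a key dedicated to that purpose. All values constructed.
import copy
import hashlib
import hmac
import json

# Control 13: this key MACs journal records and nothing else. Constructed value;
# a CA would hold it in a cryptographic module.
JOURNAL_MAC_KEY = hashlib.sha256(b"constructed journal MAC key, demo only").digest()
FIELDS = ("seq", "time", "kind", "source", "identity", "detail")  # control 2 elements
CHAIN_ANCHOR = b"\x00" * 32  # stands in for the previous tag of record 1


def canonical(entry):
    """Deterministic encoding so writer and reviewer MAC identical bytes."""
    body = {k: entry[k] for k in FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key, prev_tag, entry):
    """tag_i = HMAC(key, tag_{i-1} || entry_i): editing, substituting or
    deleting a record invalidates its tag and every tag after it."""
    return hmac.new(key, prev_tag + canonical(entry), hashlib.sha256).digest()


def contains_private_key(text):
    """Heuristic for control 9: refuse obvious key material (PEM blocks). It
    cannot recognise arbitrary enciphered keys; it stops the common leak."""
    return "PRIVATE KEY-----" in text


class Journal:
    def __init__(self, key):
        self._key = key
        self.records = []
        self.head = CHAIN_ANCHOR  # latest tag; copy it off-host to detect truncation

    def append(self, time, kind, source, identity, detail):
        if contains_private_key(detail):
            raise ValueError("refusing to journal private key material")
        entry = {"seq": len(self.records) + 1, "time": time, "kind": kind,
                 "source": source, "identity": identity, "detail": detail}
        tag = record_tag(self._key, self.head, entry)
        entry["tag"] = tag.hex()
        self.records.append(entry)
        self.head = tag
        return entry


def verify(records, key, expected_head=None):
    """Recompute the chain at review time (control 18). Returns (True, None)
    or (False, seq) of the first failing record; a valid chain that does not
    end at expected_head was truncated and is reported as len(records) + 1."""
    prev = CHAIN_ANCHOR
    for i, rec in enumerate(records, start=1):
        if rec.get("seq") != i:
            return False, i
        tag = record_tag(key, prev, rec)
        if not hmac.compare_digest(tag, bytes.fromhex(rec["tag"])):
            return False, i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(records) + 1
    return True, None


def demo():
    """Constructed journal, three tampering attempts, one refused record."""
    j = Journal(JOURNAL_MAC_KEY)
    j.append("2016-04-12T09:00:00Z", "ca_key_generation", "hsm-1/console",
             "ops.alice", "root CA key pair generated, ceremony KG-2016-01")
    j.append("2016-04-12T09:05:00Z", "ca_key_activation", "hsm-1/console",
             "ops.alice,ops.bob,ops.carol", "3-of-5 activation, tokens A,B,C")
    j.append("2016-04-12T09:07:13Z", "auth_failure", "10.0.5.7/ssh",
             "unknown", "3 failed logins for 'caadmin'")
    j.append("2016-04-12T09:30:00Z", "cert_issued", "ca-app/issuer",
             "svc.issuer", "serial 1a2b3c issued to sub-CA-01")
    head = j.head
    out = {"clean": verify(j.records, JOURNAL_MAC_KEY, head)}
    edited = copy.deepcopy(j.records)            # 1. edit record 2 to hide two operators
    edited[1]["identity"] = "ops.alice"
    out["modified"] = verify(edited, JOURNAL_MAC_KEY, head)
    dropped = copy.deepcopy(j.records[:2] + j.records[3:])  # 2. drop the failed-login record
    dropped[2]["seq"] = 3                        #    and renumber to hide the gap
    out["deleted"] = verify(dropped, JOURNAL_MAC_KEY, head)
    out["truncated"] = verify(j.records[:3], JOURNAL_MAC_KEY, head)  # 3. cut the tail
    try:                                         # control 9: PEM key material refused
        j.append("2016-04-12T09:31:00Z", "debug", "ca-app", "svc.issuer",
                 "-----BEGIN EC PRIVATE KEY-----\nMHcC...")
        out["refused_key"] = False
    except ValueError:
        out["refused_key"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Two points matter in practice. Chaining alone does not reveal that the newest records have been cut off, so the head tag must be kept somewhere the journal writer cannot reach (the off-site archive of control 16, or the signature of control 12 over the archived batch); the truncation case above is caught only because the reviewer holds that copy. The PEM check is a heuristic and does not satisfy control 9 by itself; the CA application must not pass key material to the logger in the first place.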
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA key pairs are generated in accordance with the CA's
disclosed business practices and defined procedures specified within
detailed key generation ceremony scripts.
The CA's disclosed business practices include, but are not limited to, the
following:
a. Generation of CA keys is undertaken in a physically secured
environment (see section 3.4).
b. Generation of CA keys is performed by personnel in trusted roles (see
section 3.3) under the principles of multiple person control and split
knowledge.
c. Generation of CA keys occurs within cryptographic modules, meeting the
applicable technical and business requirements as disclosed in the CA's
certification practice statement (CPS).
d. Generation of CA keys is witnessed by an independent party or
videotaped, or both.
e. CA key generation activities are logged.
The CA key generation script includes the following:
a. Definition of roles and participant responsibilities
b. Approval for conduct of the key generation ceremony
c. Cryptographic hardware and activation materials required for the
ceremony
d. Specific steps performed during the key generation ceremony
e. Physical security requirements for the ceremony location
f. Procedures for secure storage of cryptographic hardware and activation
materials following the key generation ceremony
g. Sign-off from participants and witnesses indicating whether the key
generation ceremony was performed in accordance with the detailed key
generation ceremony script
h. Notation of any deviations from the key generation ceremony script
Illustrative Controls:
Generation of CA Keys Including Root CA Keys: General Requirements
1 Generation of CA keys occurs within a cryptographic module,
meeting the applicable requirements of ISO 15782-1/FIPS 140-2 (or
equivalent)/ANSI X9.66 and the business requirements in
accordance with the CPS. Such cryptographic devices perform key
generation using a random number generator or pseudo random
number generator.
2 The CA generates its own key pair in the same cryptographic device
in which it will be used, or the key pair is injected directly from the
device where it was generated into the device where it will be used.
3 CA key generation generates keys that
a. use a key generation algorithm as disclosed within the CA's CP
or CPS, or both.
b. have a key length that is appropriate for the algorithm and for
the validity period of the CA certificate as disclosed in the CA's
CP or CPS, or both. The public key length to be certified by a CA
is less than or equal to that of the CA's private signing key.
c. take into account requirements on parent and subordinate CA
key sizes and have a key size in accordance with the CA's CP or
CPS, or both.
4 CA key generation ceremonies are independently witnessed by
internal or external auditors.
Generation of CA Keys Including Root CA Keys: Script Requirements
5 The CA follows a CA key generation script for key generation
ceremonies that includes the following:
a. Definition and assignment of participant roles and
responsibilities
b. Management approval for conduct of the key generation
ceremony
c. Specific cryptographic hardware, software, and other materials,
including identifying information, for example, serial numbers
d. Specific steps performed during the key generation ceremony
i. Hardware preparation
ii. Operating system installation
iii. CA application installation and configuration
iv. CA key generation
v. CA key backup
vi. CA certificate signing
vii. CA system shutdown
viii. Preparation of materials for storage
Criteria:
The certification authority (CA) maintains controls to provide reasonable assurance
that CA private keys remain confidential and maintain their integrity. The CA's
private keys are backed up, stored, and recovered by authorized personnel in
trusted roles, using multiple person control in a physically secured environment.
Illustrative Controls:
1 The CA's private (signing and confidentiality) keys are stored and used
within a secure cryptographic device meeting the appropriate ISO 15408
protection profile or FIPS 140-2 level requirement based on a risk
assessment and the business requirements of the CA and in accordance
with the CA's certification practice statement and applicable certificate
policy(s).
2 If the CA's private keys are not exported from a secure, cryptographic
module, then the CA private key is generated, stored, and used within the
same cryptographic module.
3 If the CA's private keys are exported from a secure, cryptographic module
to secure storage for purposes of offline processing or backup and recovery,
then they are exported within a secure key management scheme that may
include any of the following:
a. As cipher-text, using a key which is appropriately secured
b. As encrypted key fragments, using multiple control and split knowledge
and ownership
c. In another secure cryptographic module, such as a key transportation
device, using multiple control
4 Backup copies of the CA's private keys are subject to the same, or greater,
level of security controls as keys currently in use. The recovery of the CA's
keys is carried out in as secure a manner as the backup process, using
multiperson control.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that the integrity and authenticity of the CA public keys, and
any associated parameters, are maintained during initial and subsequent
distribution.
Illustrative Controls:
1 For the root CA distribution process (that is, using a self-signed
certificate), an out-of-band notification mechanism is employed.
When a self-signed certificate is used for any CA, the CA provides a
mechanism to verify the authenticity of the self-signed certificate
(for example, publication of the certificate's fingerprint).
For subsequent or subordinate CA public keys, or both, validation is
completed by using a chaining method or similar process to link
back to the trusted root certificate.
2 The initial distribution mechanism for the CA's public key is
controlled and initially distributed within a certificate using one of
the following methods:
a. Machine readable media (for example, smart card, CD-ROM)
from an authenticated source
b. Embedding in an entity's cryptographic module
c. Other secure means that ensure authenticity and integrity
3 The CA's public key is changed (rekeyed) periodically according to
the requirements of the certification practice statement with
advance notice provided to avoid disruption of the CA services.
4 The subsequent distribution mechanism for the CA's public key is
controlled in accordance with the CA's disclosed business practices.
5 If an entity already has an authenticated copy of the CA's public
key, a new CA public key is distributed using one of the following
methods:
a. Direct electronic transmission from the CA
b. Placing into a remote cache or directory
c. Loading into a cryptographic module
d. Any of the methods used for initial distribution
6 The CA provides a mechanism for validating the authenticity and
integrity of the CA's public keys.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA keys are used only for their intended functions in their
predetermined locations.
Illustrative Controls:
1 The activation of the CA private signing key is performed using
multiparty control (that is, m of n) with a minimum value of m (for
example, m greater than two for root CAs).
2 If necessary, based on a risk assessment, the activation of the CA
private key is performed using multifactor authentication (for
example, smart card and password, biometric and password, and so
forth).
3 CA signing key(s) used for generating certificates or issuing
revocation status information, or both, are not used for any other
purpose.
4 The CA ceases to use a key pair at the end of the key pair's defined
operational lifetime or when the compromise of the private key is
known or suspected.
5 An annual review is required by the policy authority on key lengths
to determine the appropriate key usage period with
recommendations acted upon.
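Control 3b of the key storage criteria (private keys exported as encrypted key fragments under multiple control and split knowledge) and control 1 above (activation under m-of-n multiparty control, with m greater than two for a root CA) describe the same primitive from two sides. One standard way to realise both is Shamir secret sharing over a prime field: the key that wraps the CA private key is split into n shares, any m of which reconstruct it and any m-1 of which reveal nothing. The Python below is an added example and not part of the criteria; the wrapping key, the custodian names and the key check value are constructed for illustration.

```python
# Added example (not from the criteria): m-of-n split knowledge of a CA
# key-wrapping key using Shamir secret sharing. All key values are constructed.
import hashlib
import secrets

# Field prime for the sharing polynomial; 2**521 - 1 is a Mersenne prime and
# comfortably larger than any 256-bit wrapping key.
PRIME = 2**521 - 1


def _poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Return n shares (x, y) of which any m reconstruct secret and any m-1
    reveal nothing: a random polynomial of degree m-1 with f(0) = secret."""
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than m shares this returns
    a uniformly random field element, not the secret, and raises nothing."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def kcv(key_int):
    """Key check value stored beside the wrapped CA key. Shamir shares carry no
    authenticity, so the ceremony compares this instead of trusting the result."""
    return hashlib.sha256(key_int.to_bytes(66, "big")).hexdigest()[:8]


def activate(presented, m, expected_kcv):
    """Activation quorum: refuse unless m distinct custodians present shares,
    then reconstruct and confirm the check value before the key is used."""
    if len({x for x, _ in presented}) < m:
        raise PermissionError(f"{len(presented)} share(s) presented, {m} required")
    key = recover_secret(presented[:m])  # any m suffice; extra shares are ignored
    if kcv(key) != expected_kcv:
        raise ValueError("reconstructed key fails its check value; wrong or stale share")
    return key


def demo():
    """Constructed 3-of-5 ceremony: quorum, sub-quorum, leakage, stale share."""
    kek = int.from_bytes(hashlib.sha256(b"constructed CA key-wrapping key").digest(), "big")
    m, n = 3, 5                          # control 1: m greater than two for a root CA
    check = kcv(kek)                     # recorded at generation, stored with the wrapped key
    names = ("alice", "bob", "carol", "dave", "erin")
    custodians = dict(zip(names, split_secret(kek, m, n)))
    out = {"quorum": activate([custodians[c] for c in ("alice", "carol", "erin")], m, check) == kek,
           "other_quorum": activate([custodians[c] for c in ("bob", "dave", "erin")], m, check) == kek,
           # two shares interpolate to some field element, but not to the key
           "two_shares_leak": recover_secret([custodians["alice"], custodians["bob"]]) == kek}
    try:
        activate([custodians["alice"], custodians["bob"]], m, check)
        out["sub_quorum_refused"] = False
    except PermissionError:
        out["sub_quorum_refused"] = True
    stale = split_secret(kek ^ 1, m, n)[0]   # a share left over from an earlier key generation
    try:
        activate([stale, custodians["bob"], custodians["carol"]], m, check)
        out["stale_share_detected"] = False
    except ValueError:
        out["stale_share_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The shares, not the wrapping key, are what the custodians carry to the off-site location, and the wrapped CA private key itself travels separately as ciphertext. The scheme is information-theoretically secure against m-1 colluding custodians but offers no integrity: a wrong or outdated share produces a wrong key silently, which is why a key check value recorded at generation is compared before the reconstructed key touches the cryptographic module.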
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
archived CA keys remain confidential and secured and are never put
back into production, and
CA keys are completely destroyed at the end of the key pair life cycle in
accordance with the CA's disclosed business practices.
Illustrative Controls:
CA Key Archival
1 Archived CA keys are subject to the same, or greater, level of
security controls as keys currently in use.
2 All archived CA keys are destroyed at the end of the archive period
using dual control in a physically secure site.
3 Archived keys are only accessed when historical evidence requires
validation. Control processes are required to ensure the integrity of
the CA systems and the key sets.
4 Archived keys are recovered for the shortest possible time period
technically permissible to meet business requirements.
5 Archived keys are periodically verified to ensure that they are
properly destroyed at the end of the archive period.
CA Key Destruction
6 The CA's private keys are not destroyed until the business purpose
or application has ceased to have value or legal obligations have
expired, as disclosed within the CA's certification practice statement
(CPS).
7 Authorization to destroy a CA private key and how the CA's private
key is destroyed (for example, token surrender, token destruction, or
key overwrite) are limited in accordance with the CA's CPS.
8 All copies and fragments of the CA's private key are destroyed at
the end of the key pair life cycle in a manner such that the private
key cannot be retrieved.
9 If a secure cryptographic device is accessible and known to be
permanently removed from service, all CA private keys stored
within the device that have ever been, or potentially could be, used
for any cryptographic purpose are destroyed.
10 If a CA cryptographic device is being permanently removed from
service, then any key contained within the device that has been
used for any cryptographic purpose is erased from the device.
11 If a CA cryptographic device case is intended to provide
tamper-evident characteristics and the device is being permanently
removed from service, then the case is destroyed.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that continuity of operations is maintained in the event of the
compromise of the CA's private keys, and any certificates signed with the
compromised keys are revoked and reissued.
Illustrative Controls:
1 The CA's business continuity plans address the compromise, or
suspected compromise, of a CA's private keys as a disaster.
2 Disaster recovery procedures include the revocation and reissuance
of all certificates that were signed with that CA's private key in the
event of the compromise, or suspected compromise, of a CA's private
signing key.
3 The recovery procedures used if the CA's private key is
compromised include the following actions:
a. How secure key usage in the environment is reestablished
b. How the CA's old public key is revoked
c. How affected parties are notified (for example, impacted CAs,
repositories, subscribers, and competitive video service providers)
d. How the CA's new public key is provided to the end entities and
relying parties, together with the mechanism for their
authentication
e. How the subscriber's public keys are recertified
4 In the event that the CA has to replace its root CA private key,
procedures are in place for the secure and authenticated revocation
of the following:
a. The old CA root public key
b. The set of all certificates (including any self-signed) issued by a
root CA, or any CA, based on the compromised private key
c. Any subordinate CA public keys and corresponding certificates
that require recertification.
5 The CA's business continuity plan for key compromise addresses
who is notified and what actions are taken with system software
and hardware, symmetric and asymmetric keys, previously
generated signatures, and encrypted data.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
devices used for private key storage and recovery, and the interfaces to
these devices, are tested before usage for integrity;
access to CA cryptographic hardware is limited to authorized personnel
in trusted roles, using multiple person control; and
CA cryptographic hardware is functioning correctly.
Illustrative Controls:
1 CA cryptographic hardware is sent from the manufacturer via
registered mail (or equivalent) using tamper-evident packaging.
Upon the receipt of CA cryptographic hardware from the
manufacturer, authorized CA personnel inspect the tamper-evident
packaging to determine whether the seal is intact.
2 Upon the receipt of CA cryptographic hardware from the
manufacturer, acceptance testing and verification of firmware
settings is performed. Upon the receipt of CA cryptographic
hardware that has been serviced or repaired, acceptance testing and
verification of firmware settings is performed.
3 To prevent tampering, CA cryptographic hardware is stored and
used in a secure site, with access limited to authorized personnel.
The site has the following characteristics:
a. Inventory control processes and procedures to manage the
origination, arrival, condition, departure, and destination of each
device
b. Access control processes and procedures to limit physical access
to authorized personnel
c. Recording of all successful or failed access attempts to the CA
facility and device storage mechanism (for example, a safe) in
audit logs
d. Incident handling processes and procedures to handle abnormal
events, security breaches, and investigation and reports
e. Monitoring processes and procedures to verify the ongoing
effectiveness of the controls
4 When not attached to the CA system, the CA cryptographic
hardware is stored in a tamper-resistant container that is stored
securely under multiple controls (that is, a safe).
5 The handling of CA cryptographic hardware, including the following
tasks, is performed in the presence of no less than two trusted
employees:
a. Installation of CA cryptographic hardware
b. Removal of CA cryptographic hardware from production
c. Servicing or repair of CA cryptographic hardware (including
installation of new hardware, firmware, or software)
d. Disassembly and permanent removal from use
6 Devices used for private key storage and recovery, and the
interfaces to these devices, are tested before usage for integrity.
7 Correct processing of CA cryptographic hardware is verified on a
periodic basis.
8 Diagnostic support is provided during troubleshooting of CA
cryptographic hardware in the presence of no less than two trusted
employees.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that escrowed CA private signing keys remain confidential.
Illustrative Controls:
1 If a third party provides CA private key escrow services, a contract
exists that outlines the liabilities and remedies between the parties.
2 If CA private signing keys are held in escrow, escrowed copies of the
CA private signing keys have the same, or greater, level of security
controls as keys currently in use.
Criteria:
If the certification authority (CA) provides subscriber key management
services, the CA maintains controls to provide reasonable assurance that
subscriber keys generated by the CA (or registration authority [RA] or
card bureau) are generated within a secure cryptographic device based on
a risk assessment and the business requirements of the CA in accordance
with the CA's disclosed business practices, and
subscriber keys generated by the CA (or RA or card bureau) are securely
distributed to the subscriber by the CA (or RA or card bureau) in
accordance with the CA's disclosed business practices.
Illustrative Controls:
CA (or RA or Card Bureau)-Provided Subscriber Key Generation
1 Subscriber key generation is performed within a secure
cryptographic device, meeting the applicable ISO 15782-1/FIPS
140-2/ANSI X9.66 requirements based on a risk assessment and the
business requirements of the CA and in accordance with the
applicable certificate policy (CP). Such cryptographic devices
perform subscriber key generation using a random number
generator or pseudo random number generator as specified in the
ANSI X9 or ISO standard ISO/IEC 18032.
2 Subscriber key generation performed by the CA (or RA or card
bureau) uses a key generation algorithm, as specified in the CP.
3 Subscriber key generation performed by the CA (or RA) uses a prime
number generator, as specified in an ANSI X9 or ISO standard.
4 Subscriber key generation performed by the CA (or RA or card
bureau) results in key sizes in accordance with the CP.
5 Subscriber key generation performed by the CA (or RA) is performed
by authorized personnel in accordance with the CA's certification
practice statement.
6 When subscriber key generation is performed by the CA (or RA or
card bureau), the CA (or RA or card bureau) securely (confidentially)
delivers the subscriber key pair(s) generated by the CA (or RA or
card bureau) to the subscriber in accordance with the CP.
Criteria:
If the certification authority (CA) provides subscriber (confidentiality) key
storage, recovery, or escrow services, the CA maintains controls to provide
reasonable assurance that
subscriber private keys stored by the CA remain confidential and
maintain their integrity;
subscriber private keys archived and escrowed by the CA remain
confidential; and
subscriber private keys stored by the CA are completely destroyed at the
end of the key pair life cycle.
Illustrative Controls:
CA-Provided Subscriber Key Storage, Backup, and Recovery
1 Subscriber private keys stored by the CA (or registration authority
[RA]) are stored in encrypted form using a cryptographic algorithm
and key length based on a risk assessment and requirements of the
certificate policy (CP).
2 If the CA generates key pair(s) on behalf of a subscriber, the CA (or
RA) ensures that the subscriber's private keys are not disclosed to
any entity other than the owner (that is, the subscriber) of the keys.
3 If the CA (or RA) generates public and private signing key pair(s), it
does not maintain a copy of any private signing key once the
subscriber confirms receipt of that key.
4 If the CA (or RA) provides subscriber (confidentiality) key storage,
backup, and recovery, subscriber private (confidentiality) key
backup and recovery services are only performed by authorized
personnel.
5 If the CA (or RA) provides subscriber key storage, backup, and
recovery, controls exist to ensure that the integrity of the
subscriber's private (confidentiality) key is maintained throughout
its life cycle.
CA-Provided Subscriber Key Archival
6 Subscriber private (confidentiality) keys archived by the CA are
stored in encrypted form using a cryptographic algorithm and key
length based on a risk assessment and the requirements of the CP.
7 If the CA provides subscriber (confidentiality) key archival, all
archived subscriber keys are destroyed at the end of the archive
period.
CA-Provided Subscriber Key Destruction
8 If the CA provides subscriber (confidentiality) key storage,
authorization to destroy a subscriber's private key, and the means
to destroy the subscriber's private (confidentiality) key, (for
example, key overwrite) is limited in accordance with the CP.
9 If the CA provides subscriber (confidentiality) key storage, all copies
and fragments of the subscriber's private key are destroyed at the
end of the key pair life cycle.
CA-Provided Subscriber Key Escrow
10 Subscriber private (confidentiality) keys escrowed by the CA are
stored in encrypted form using a cryptographic algorithm and key
length based on a risk assessment and the requirements of the CP.
Criteria:
If the certification authority (CA) (or registration authority [RA]) distributes
subscriber key pairs and certificates using integrated circuit cards (ICCs),
the CA (or RA) maintains controls to provide reasonable assurance that
ICC procurement, preparation, and personalization are securely
controlled by the CA (or RA or card bureau);
ICC application data file (ADF) preparation is securely controlled by the
CA (or RA);
ICC usage is enabled by the CA (or RA or card bureau) prior to ICC
issuance;
ICC deactivation and reactivation are securely controlled by the CA (or
RA);
ICCs are securely stored and distributed by the CA (or RA or card
bureau);
ICCs are securely replaced by the CA (or RA or card bureau); and
ICCs returned to the CA (or RA or card bureau) are securely terminated.
Illustrative Controls:
ICC Procurement
1 If the CA or RA engages a card bureau, then a formal contract exists
between the relevant parties. Although card issuing functions may be
delegated to third parties, the CA retains responsibility and liability for
the ICCs.
2 ICCs are logically protected during transport between the card
manufacturer and the card issuer through the use of a secret transport
key or pass phrase.
3 ICCs issued to subscribers meet the appropriate ISO 15408 protection
profile, ISO card standard (for example, ISO 7810, 7811 parts 1-5, 7813,
7816, 10202) or Federal Information Processing Standards (FIPS) 140-2
level requirement based on a risk assessment and the requirements of
the certificate policy (CP).
4 The card bureau verifies the physical integrity of ICCs upon receipt
from the card manufacturer.
5 ICCs are securely stored and under inventory control while under the
control of the card issuer.
Card Preparation and Personalization
6 The CA (or RA), as the card issuer, controls ICC personalization (the
loading of common data file [CDF] data and its related cryptographic
keys).
7 Common data that identify the ICC, the card issuer, and the cardholder
are stored by the card issuer in the ICC CDF. CDF activation is
performed by the CA (or RA), as the card issuer, using a securely
controlled process.
8 ICC preparation processes and procedures, including the following, exist
and are followed:
a. Loading of the card operating system
b. Creation of logical data structures (card file system and card security
domains)
c. Loading of applications
d. Logically protecting the ICC to prevent unauthorized modification of
the card operating system, card file system, card security domains,
and applications
9 ICC personalization processes and procedures, including the following,
exist and are followed:
a. The loading of identifying information onto the card
b. Generation of subscriber key pair(s) in accordance with the CP
c. Loading subscriber private key(s) onto the ICC (if generated outside
the card) in encrypted form
d. Loading subscriber certificate(s) onto the ICC
e. Loading the CA and other certificates for the contractual
environment onto the ICC
f. Logically protecting the ICC from unauthorized access
10 The card bureau or CA (or RA) logs ICC preparation and personalization
in an audit log.
11 An ICC is not issued unless the card has been prepared and
personalized by the card bureau, the CA, or the RA.
12 An ICC is unusable unless in an activated or reactivated state.
ICC Storage and Distribution
13 ICCs are securely stored prior to distribution.
14 Processes and procedures exist and are followed for the distribution,
tracking, and accounting for the safe receipt of subscriber ICCs to
subscribers.
15 ICC initial activation data (the initializing personal identification
number [PIN]) is securely communicated to the subscriber, using an
out-of-band method where applicable. The subscriber is encouraged to
change the initial activation data upon receipt to make the card active.
16 ICC distribution is logged by the card bureau or CA (or RA) in an audit
log.
Subscriber ICC Usage
17 The subscriber is provided with a mechanism that protects access to
the card data, including the private keys stored on the ICC, during use
by the subscriber (that is, a PIN-based cardholder verification method).
18 The subscriber private keys on the ICC are never exported to an
application; cryptographic (that is, signing) functions are performed on
the card itself.
19 The subscriber is required to use a mutual authentication mechanism
for cryptographic application and card functions to ensure system
integrity.
20 The subscriber is required to use an application that displays the
message or the message's digest to the subscriber prior to signing
message (or transaction) data. The subscriber ICC application produces
audit logs of all uses of the ICC. This also includes all attempts in the
private key owner verification process.
21 The ICC is used by the subscriber in accordance with the terms of the CP.
ICC Deactivation and Reactivation
22 ADF deactivation can be performed only by the CA, as the application
supplier.
23 CDF deactivation can be performed only by the CA, as the card issuer.
24 CDF reactivation is conducted under the control of the CA, as the card
issuer.
25 ADF reactivation is conducted under the control of the CA, as the
application supplier.
26 ADF deactivation, CDF deactivation, CDF reactivation, and ADF
reactivation are logged.
ICC Replacement
27 Processes and procedures exist and are followed for replacement of a
subscriber's lost or damaged ICC.
28 In the event of card loss or damage, subscriber certificates are renewed
or rekeyed in accordance with the CP (see clauses 6.2 and 6.3).
29 ICC replacement is logged by the card bureau or CA (or RA) in an audit
log.
ICC Termination
30 All ICCs returned to the card bureau or CA (or RA) are deactivated or
securely destroyed to prevent unauthorized use.
31 CDF termination is controlled by the CA, as the card issuer.
32 ICC termination is logged by the card bureau or CA (or RA) in an audit
log.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
requirements for protection of subscriber keys are communicated to
subscribers, and
any subscriber key management tools provided by the CA support the
requirements of the CA's business practices disclosure.
Illustrative Controls:
Subscriber Key Generation
1 The certificate policy (CP) specifies the appropriate ISO
15782-1/FIPS 140-2 level requirement for cryptographic modules
used for subscriber key generation.
2 The CP specifies the key generation algorithm(s) that is used for
subscriber key generation.
3 The CP specifies the acceptable key sizes for subscriber key
generation.
Subscriber Key Storage, Backup, and Recovery
4 The CA or registration authority (RA) provides, or makes available,
the mechanisms to allow the subscriber to access (that is, private
key owner verification method), manage, and control the usage of
their private keys.
5 The CP specifies the private key protection requirements for stored
subscriber private keys.
6 The CP states the circumstances under which, and the authority by
which, a subscriber's private key will be restored, and the control
processes that apply.
7 The CP specifies the private key protection requirements for backup
copies of subscriber private keys stored by the subscriber.
Subscriber Key Usage
8 Subscriber agreements describe the required processes to be
followed by the subscriber of any use of the cryptographic
mechanism (for example, hardware security module [HSM] or
integrated circuit card [ICC] and software application).
9 The CP specifies the acceptable uses for subscriber key pairs.
10 The CP specifies the requirements for subscriber key usage.
Subscriber Key Archival
11 The CP specifies the private key protection requirements for
archived subscriber private keys.
12 The CP specifies the requirements for destruction of archived
subscriber keys at the end of the archive period.
Subscriber Key Destruction
13 The CP specifies the means through which subscriber key
destruction is performed.
14 The CP or certification practice statement specifies the
requirements for destruction of all copies and fragments of the
subscriber's private key at the end of the key pair life cycle.
Subscriber Cryptographic Hardware Life Cycle Management
15 If required, the CP specifies the requirements for use and handling
of cryptographic hardware and subscriber authentication processes
(and subsequent actions) when the cryptographic hardware is in
another physical location (for example, an HSM attached to a
mainframe or remote server).
Subscriber Key Compromise
16 The CP specifies the requirements for notification of the CA or RA in
the event of subscriber key compromise.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
for authenticated certificates
subscribers are accurately identified in accordance with the CA's
disclosed business practices and
subscribers' certificate requests are accurate, authorized, and
complete.
for domain validated certificates
subscribers' domain names are accurately validated in accordance
with the CA's disclosed business practices and
subscribers' certificate requests are accurate and complete.
Illustrative Controls:
Identification and authentication
1 For authenticated certificates, the CA verifies or requires that the
registration authority (RA) verify the credentials presented by a
subscriber, as evidence of identity or authority, to perform a specific
role in accordance with the requirements of the certificate policy
(CP):
a. For individual end entity certificates, the CA or registration
authority (RA) verifies the identity of the person whose name is
to be included in the subscriber distinguished name field of the
certificate. An unauthenticated individual name is not included
in the subscriber distinguished name field.
b. For organizational certificates (including role based, server,
network resource, code signing, and so forth), the CA or RA
verifies the legal existence of the organization's name and the
authority of the requesting party to be included in the
organization attribute in the subscriber distinguished name field
of the certificate. An unauthenticated organization name is not
included in a certificate.
c. For organizational certificates containing a domain name of an
organization, the CA or RA verifies the organization's ownership,
control, or right to use the domain name and the authority of the
requesting party included in the common name attribute of the
subscriber distinguished name field of the certificate. An
unauthenticated domain name is not included in a certificate.
2 For domain-validated certificates, the CA validates or requires that
the RA validate (as determined by the CP) the organization's
ownership, control, or right to use the domain name.
3 The CA or RA verifies the accuracy of the information included in
the requesting entity's certificate request in accordance with the CP.
4 The CA or RA checks the certificate request for errors or omissions
in accordance with the CP.
5 For end entity certificates, the CA uses the public key contained in
the requesting entity's certificate request to verify the requesting
entity's signature on the certificate request submission (proof of
possession of the corresponding private key).
6 The CA verifies the uniqueness of the subscriber's distinguished
name within the boundaries or community defined by the CP.
7 Encryption and access controls are used to protect the confidentiality
and integrity of registration data in transit and in storage.
8 At the point of registration (before certificate issuance), the RA or
CA informs the subscriber of the terms and conditions regarding use
of the certificate.
9 Before certificate issuance, the CA informs the subscriber of the
terms and conditions regarding use of the certificate.
Certificate Request
10 The CA requires that an entity requesting a certificate must prepare
and submit the appropriate certificate request data (registration
request) to an RA (or the CA) as specified in the CP.
11 The CA requires that the requesting entity submit its public key in
a self-signed message to the CA for certification. The CA requires
that the requesting entity digitally sign the registration request
using the private key that relates to the public key contained in the
registration request in order to
a. allow the detection of errors in the certificate application process
and
b. prove possession of the companion private key for the public key
being registered.
12 The certificate request is treated as acceptance by the requesting
entity of the terms and conditions for use of that certificate as
described in the subscriber agreement.
13 The CA validates the identity of the RA authorized to issue
registration requests under a specific CP.
14 The CA requires that RAs submit the requesting entity's certificate
request data to the CA in a message (certificate request) signed by
the RA. The CA verifies the RA's signature on the certificate request.
15 The CA requires that the RA secure that part of the certificate
application process for which it (the RA) assumes responsibility in
accordance with the CA's certification practice statement (CPS).
16 The CA requires that RAs record their actions in an audit log.
17 The CA verifies the authenticity of the submission by the RA in
accordance with the CA's CPS.
Criteria:
The certificate authority (CA) maintains controls to provide reasonable
assurance that certificate renewal requests are accurate, authorized, and
complete.
Illustrative Controls:
Certificate Renewal Request
1 The certificate renewal request includes at least the subscriber's
distinguished name, the serial number of the certificate (or other
information that identifies the certificate), and the requested
validity period. (The CA will only renew certificates that were issued
by the CA itself.)
2 The CA requires that the requesting entity digitally sign the
certificate renewal request using the private key that relates to the
public key contained in the requesting entity's existing public key
certificate.
3 The CA issues a new certificate using the subscriber's previously
certified public key, only if its cryptographic security is still
sufficient for the new certificate's intended lifetime, and no
indications exist that the subscriber's private key has been
compromised.
4 For renewal of authenticated certificates, the CA or the registration
authority (RA) processes the certificate renewal data to verify the
identity of the requesting entity and to identify the certificate to be
renewed.
5 For domain-validated certificates, the CA or the RA processes the
certificate renewal data to revalidate the domain in accordance with
the requirements of the certificate policy (CP).
6 The CA or the RA validates the signature on the certificate renewal
request.
7 The CA verifies the existence and validity of the certificate to be
renewed. The CA does not renew certificates that have been
revoked, expired, or suspended.
8 The CA or the RA verifies that the request, including the extension
of the validity period, meets the requirements defined in the CP.
9 The CA requires that RAs submit the certificate renewal data to the
CA in a message (certificate renewal request) signed by the RA.
10 The CA requires that the RA secures that part of the certificate
renewal process for which it (the RA) assumes responsibility in
accordance with the CP.
11 The CA requires that RAs record their actions in an audit log.
12 The CA verifies the authenticity of the submission by the RA.
13 The CA verifies the RA's signature on the certificate renewal
request.
14 The CA checks the certificate renewal request for errors or
omissions. This function may be delegated explicitly to the RA.
15 The CA or RA notifies subscribers prior to the expiration of their
certificate of the need for renewal in accordance with the CP.
16 The CA issues a signed notification indicating that the certificate
renewal has been successful.
17 The CA makes the new certificate available to the end entity in
accordance with the CP.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificate rekey requests, including requests following
certificate revocation or expiration, are accurate, authorized, and complete.
Illustrative Controls:
1 A certificate rekey request includes, at least, the subscriber's
distinguished name, the serial number of the certificate, and the
requested validity period to allow the CA or the registration
authority (RA) to identify the certificate to rekey.
2 The CA requires that the requesting entity digitally sign, using the
existing private key, the certificate rekey request containing the
new public key.
3 For authenticated certificates, the CA or the RA processes the
certificate rekey request to verify the identity of the requesting
entity and identify the certificate to be rekeyed.
4 For domain-validated certificates, the CA or the RA processes the
certificate rekey request to revalidate the domain in accordance
with the requirements of the CP.
5 The CA or the RA validates the signature on the certificate rekey
request.
6 The CA or the RA verifies the existence and validity of the
certificate to be rekeyed.
7 The CA or the RA verifies that the certificate rekey request meets
the requirements defined in the relevant CP.
8 If an external RA is used, the CA requires that RAs submit the
entity's certificate rekey request to the CA in a message signed by
the RA.
9 If an external RA is used, the CA requires that the RA secure that
part of the certificate rekey process for which it (the RA) assumes
responsibility.
10 If an external RA is used, the CA requires that external RAs record
their actions in an audit log.
11 If an external RA is used, the CA verifies the RA's signature on the
certificate rekey request.
12 The CA or the RA checks the certificate rekey request for errors or
omissions.
13 The CA or RA notifies subscribers prior to the expiration of their
certificate of the need for rekey.
14 Prior to the generation and issuance of rekeyed certificates, the CA
or RA verifies the following:
a. The signature on the certificate rekey data submission
b. The existence and validity of the certificate supporting the rekey request
c. That the request meets the requirements defined in the CP
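The two signature checks behind Subscriber Registration controls 5 and 11 (the certificate request is self-signed with the private key that matches the public key being registered) and Certificate Rekey controls 2 and 5 (the request carrying the new public key is signed with the existing private key) can be exercised end to end with Go's standard library. The program below is an added example, not code from this document or from any CA product. The PKCS#10 part is standard; the rekey envelope (`rekeyRequest`, with its serial||CSR digest) is a constructed format assumed for illustration, as are the subscriber names and the serial number 1001.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// makeCSR is the subscriber side of registration: a PKCS#10 request signed with the private key matching the public key it carries.
func makeCSR(key *ecdsa.PrivateKey, cn string) []byte {
	return must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
}

// verifyCSR is the CA side: signature verifies under the public key inside the request (proof of possession) and the DN is present.
func verifyCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName == "" {
		return nil, errors.New("request omits the subscriber distinguished name")
	}
	return csr, nil
}

// rekeyRequest is a constructed envelope (assumed for this example, not a standard format).
type rekeyRequest struct {
	Serial    uint64 // serial of the certificate being rekeyed
	CSR       []byte // PKCS#10 signed by the new key: proves possession of the new key
	Signature []byte // ASN.1 ECDSA signature by the existing key: authorises the rekey
}

func rekeyDigest(serial uint64, csr []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, serial)
	h.Write(csr)
	return h.Sum(nil)
}

func makeRekey(existing, next *ecdsa.PrivateKey, serial uint64, cn string) rekeyRequest {
	csr := makeCSR(next, cn)
	return rekeyRequest{serial, csr, must(ecdsa.SignASN1(rand.Reader, existing, rekeyDigest(serial, csr)))}
}

// verifyRekey checks the outer signature against the public key the CA already holds for that serial
// (from the certificate on file), then the inner proof of possession, then that the key is really new.
func verifyRekey(req rekeyRequest, onFile *ecdsa.PublicKey) (*ecdsa.PublicKey, error) {
	if !ecdsa.VerifyASN1(onFile, rekeyDigest(req.Serial, req.CSR), req.Signature) {
		return nil, errors.New("rekey request not signed by the existing private key")
	}
	csr, err := verifyCSR(req.CSR)
	if err != nil {
		return nil, err
	}
	pub, _ := csr.PublicKey.(*ecdsa.PublicKey)
	if pub == nil || pub.Equal(onFile) {
		return nil, errors.New("rekey request must present a new ECDSA public key")
	}
	return pub, nil
}

// ok reports whether a CA check accepted the request.
func ok[T any](_ T, err error) bool { return err == nil }

// demo runs the CA checks against a legitimate subscriber and an impostor who holds only a key of their own.
func demo() map[string]bool {
	alice, aliceNext, mallory := newKey(), newKey(), newKey()
	csr := makeCSR(alice, "alice")
	tampered := append([]byte(nil), csr...)
	tampered[bytes.Index(tampered, []byte("alice"))] ^= 0x02 // 'a' -> 'c': DN altered after signing
	return map[string]bool{
		"csr":                   ok(verifyCSR(csr)),
		"csr tampered":          ok(verifyCSR(tampered)),
		"rekey":                 ok(verifyRekey(makeRekey(alice, aliceNext, 1001, "alice"), &alice.PublicKey)),
		"rekey by impostor":     ok(verifyRekey(makeRekey(mallory, mallory, 1001, "alice"), &alice.PublicKey)),
		"rekey reusing old key": ok(verifyRekey(makeRekey(alice, alice, 1001, "alice"), &alice.PublicKey)),
	}
}

func main() { fmt.Println(demo()) }
```

The third rekey case matters in practice: a request that verifies perfectly but re-submits the key already on file is a renewal, not a rekey, and control 3 under Certificate Renewal requires a separate judgement about whether that key is still strong enough for the new lifetime.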
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificate rekey requests following certificate revocation or
expiration are accurate, authorized, and complete.
Illustrative Controls:
1 Following the revocation or expiration of a subscriber's existing
certificate, the subscriber is required to follow the CA's subscriber
registration procedures to obtain a new certificate.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificates are generated and issued in accordance with the
CA's disclosed business practices.
Illustrative Controls:
1 The CA generates certificates using certificate request data and
manufactures the certificate as defined by the appropriate certificate
profile in accordance with ISO 9594/X.509 and ISO 15782-1
formatting rules as disclosed within the certificate policy (CP).
2 Validity periods are set in the CP and are formatted in accordance
with ISO 9594/X.509 and ISO 15782-1 as disclosed within the CP.
3 Extension fields are formatted in accordance with ISO 9594/X.509
and ISO 15782-1 as disclosed within the CP.
4 The CA signs the end entity's public key and other relevant
information with the CA's private signing key.
5 The CA publishes the certificate after the certificate has been
accepted by the requesting entity as disclosed in the CA's business
practices.
6 When a registration authority (RA) is used, the CA notifies the RA
when a certificate is issued to a subscriber for whom the RA
submitted a certificate request.
7 Certificates are issued based on approved subscriber registration,
certificate renewal, or certificate rekey requests in accordance with
the CP.
8 The CA issues a signed notification to the RA when a certificate is
issued to a subscriber for whom the RA submitted a certificate
request.
9 The CA issues an out-of-band notification to the subscriber when a
certificate is issued. When this notification includes initial activation
data, then control processes ensure safe delivery to the subscriber.
10 Whether certificates expire, are revoked, or are suspended, copies of
certificates are retained for the appropriate period of time specified
in the CP.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that upon issuance, complete and accurate certificates are
available to subscribers and relying parties in accordance with the CA's
disclosed business practices.
Illustrative Controls:
1 The CA makes the certificates issued by the CA available to relevant
parties using an established mechanism (for example, a repository,
such as a directory) in accordance with the certificate policy.
2 Only authorized CA personnel administer the CA's repository or
alternative distribution mechanism.
3 The performance of the CA's repository or alternative distribution
mechanism is monitored and managed.
4 The integrity of the repository or alternative distribution
mechanism is maintained and administered.
5 When required under privacy legislation, certificates are made
available for retrieval only in those cases for which the subscriber's
consent is obtained.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificates are revoked based on authorized and validated
certificate revocation requests within the time frame in accordance with the
CA's disclosed business practices.
Illustrative Controls:
1 The CA provides a means of rapid communication to facilitate the
secure and authenticated revocation of the following:
a. One or more certificates of one or more subscribers
b. The set of all certificates issued by a CA based on a single public
and private key pair used by a CA to generate certificates
c. All certificates issued by a CA, regardless of the public and
private key pair used
2 The CA verifies or requires that the registration authority (RA)
verify the identity and authority of the entity requesting revocation
of a certificate in accordance with the certificate policy (CP).
3 If an external RA accepts revocation requests, the CA requires that
the RA submit signed certificate revocation requests to the CA in an
authenticated manner in accordance with the CP.
4 If an external RA accepts and forwards revocation requests to the
CA, the CA provides a signed acknowledgement of the revocation
request and confirmation of actions to the requesting RA.
5 The CA updates the certificate revocation list and other certificate
status mechanisms in the time frames specified within the CP and
in accordance with the format defined in ISO 9594/X.509 and ISO
15782-1.
6 The CA records all certificate revocation requests and their outcome
in an audit log.
7 The CA or RA may provide an authenticated acknowledgement
(signature or similar) of the revocation to the entity that submitted
the revocation request.
8 When certificate renewal is supported and a certificate is revoked, all
valid instances of that certificate (renewals certifying the same public
key) are also revoked and are not reinstated.
9 The subscriber of a revoked or suspended certificate is informed of
the change of status of its certificate.
Criteria:
The certificate authority (CA) maintains controls to provide reasonable
assurance that certificates are suspended based on authorized and
validated certificate suspension requests within the time frame in
accordance with the CA's disclosed business practices.
Illustrative Controls:
1 The CA provides a means of rapid communication to facilitate the
secure and authenticated suspension of the following:
a. One or more certificates of one or more subscribers
b. The set of all certificates issued by a CA based on a single public
and private key pair used by a CA to generate certificates
c. All certificates issued by a CA, regardless of the public and
private key pair used
2 The CA verifies or requires that the external registration authority
(RA) verify the identity and authority of the entity requesting
suspension and reactivation of a certificate in accordance with the
certificate policy (CP).
3 If an external RA accepts suspension requests, the RA submits
signed certificate suspension requests to the CA in an authenticated
manner in accordance with the CP.
4 The CA or RA notifies the subscriber in the event of a certificate
suspension.
5 Certificate suspension requests are processed and validated in
accordance with the requirements of the CP.
6 The CA updates the certificate revocation list (CRL) and other
certificate status mechanisms upon certificate suspension. Changes
in certificate status are completed in a time frame determined by
the CP.
7 Certificates are suspended only for the allowable length of time in
accordance with the CP.
8 Once a certificate suspension (hold) has been issued, the suspension
is handled in one of the following three ways:
a. An entry for the suspended certificate remains on the CRL with
no further action.
b. The CRL entry for the suspended certificate is replaced by a
revocation entry for the same certificate.
c. The suspended certificate is explicitly released and the entry
removed from the CRL.
9 A certificate suspension (hold) entry remains on the CRL until the
expiration of the underlying certificate or the expiration of the
suspension, whichever is first.
10 The CA updates the CRL and other certificate status mechanisms
upon the lifting of a certificate suspension in accordance with the
CA's CP.
11 The CA verifies or requires that the external RA verify the identity
and authority of the entity requesting that the suspension of a
certificate be lifted.
12 Certificate suspensions, and the lifting of certificate suspensions,
are recorded in an audit log.
Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that timely, complete, and accurate certificate status information
(including certificate revocation lists [CRL] and other certificate status
mechanisms) is made available to relevant entities (subscribers and relying
parties or their agents) in accordance with the CA's disclosed business
practices.
Illustrative Controls:
1 The CA makes certificate status information available to relevant
entities (relying parties or their agents) using an established
mechanism in accordance with the certificate policy (CP). This is
achieved using the following:
a. Request Response Method. A request signed by the relying party
to the certificate status provider's responder. In turn, the
certificate status provider's responder responds with the
certificate status duly signed. (Online certificate status protocol
[OCSP] is an example protocol using this method.)
b. Delivery Method. A CRL signed by the CA and published within
the policy's time frame.
The following control procedures are applicable when CRLs are
used:
2 The CA digitally signs each CRL that it issues so that entities can
validate the integrity of the CRL and the date and time of issuance.
3 The CA issues CRLs at regular intervals, as specified in the CP,
even if no changes have occurred since the last issuance.
4 At a minimum, a CRL entry identifying a revoked certificate
remains on the CRL until the end of the certificate's validity period.
5 If certificate suspension is supported, a certificate suspension (hold)
entry, with its original action date and expiration date, remains on
the CRL until the normal expiration of the certificate or until the
suspension is lifted.
6 CRLs are archived in accordance with the requirements of the CP,
including the method of retrieval.
7 CAs include a monotonically increasing sequence number for each
CRL issued by that CA.
8 The CRL contains entries for all revoked unexpired certificates
issued by the CA.
9 Old CRLs are retained for the appropriate period of time specified in
the CA's CP.
10 Whether certificates expire, are revoked, or are suspended, copies of
certificates are retained for the appropriate period of time as
disclosed in the CP.
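Controls 2 through 8 above, together with the hold-entry handling in Certificate Suspension controls 8 and 9, are checks a relying party can actually run against a CRL rather than policy statements. The Go program below is an added example, not code from this document or from any CA product: the CA side issues numbered, signed CRLs, and the relying-party side verifies the issuer signature, the thisUpdate/nextUpdate window and a strictly increasing CRL number before classifying a serial as good, revoked or on hold. The issuer certificate, serial numbers and the 12-hour nextUpdate are constructed fixtures; the reasonCode values are those of RFC 5280 section 5.3.1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const reasonHold = 6 // CRLReason certificateHold (RFC 5280 section 5.3.1); 1 is keyCompromise
var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21} // id-ce-cRLReasons entry extension

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIssuer: self-signed CA allowed to sign CRLs (constructed fixture; a real CA key lives in an HSM).
func newIssuer() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          []byte{1, 2, 3, 4},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// entry builds one CRL entry carrying a reasonCode extension.
func entry(serial int64, reason int, at time.Time) pkix.RevokedCertificate {
	raw := must(asn1.Marshal(asn1.Enumerated(reason)))
	return pkix.RevokedCertificate{SerialNumber: big.NewInt(serial), RevocationTime: at,
		Extensions: []pkix.Extension{{Id: oidReasonCode, Value: raw}}}
}

// issueCRL is the CA side: a numbered CRL signed with the CA key and carrying a nextUpdate.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number int64, at time.Time, entries []pkix.RevokedCertificate) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(number),
		ThisUpdate: at, NextUpdate: at.Add(12 * time.Hour), RevokedCertificates: entries}, ca, key))
}

// checkCRL is the relying-party side: CA signature, thisUpdate/nextUpdate window, and a CRL number strictly
// greater than the last accepted one (a replayed older CRL would otherwise resurrect a revoked certificate).
func checkCRL(der []byte, ca *x509.Certificate, last *big.Int, now time.Time) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return nil, fmt.Errorf("CRL not valid at %v; fetch a fresh one", now)
	}
	if last != nil && rl.Number.Cmp(last) <= 0 {
		return nil, fmt.Errorf("CRL number %v not greater than last seen %v", rl.Number, last)
	}
	return rl, nil
}

// statusOf reports "good", "revoked" or "on hold" for a certificate serial number.
func statusOf(rl *x509.RevocationList, serial int64) string {
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Int64() != serial {
			continue
		}
		for _, ext := range rc.Extensions {
			var reason asn1.Enumerated
			if _, err := asn1.Unmarshal(ext.Value, &reason); ext.Id.Equal(oidReasonCode) && err == nil && int(reason) == reasonHold {
				return "on hold"
			}
		}
		return "revoked"
	}
	return "good"
}

// demo: CRL #5 revokes 1001 (keyCompromise) and suspends 1002; CRL #6 lifts the hold by dropping the
// entry (suspension control 8c); replaying #5 once #6 has been seen is refused (validation control 7).
func demo() map[string]string {
	ca, key := newIssuer()
	now := time.Now().Truncate(time.Second) // CRL times are encoded at second precision
	crl5 := issueCRL(ca, key, 5, now, []pkix.RevokedCertificate{entry(1001, 1, now), entry(1002, reasonHold, now)})
	crl6 := issueCRL(ca, key, 6, now, []pkix.RevokedCertificate{entry(1001, 1, now)})
	rl5 := must(checkCRL(crl5, ca, big.NewInt(4), now))
	rl6 := must(checkCRL(crl6, ca, rl5.Number, now))
	_, replayErr := checkCRL(crl5, ca, rl6.Number, now)
	return map[string]string{"1001": statusOf(rl5, 1001), "1002": statusOf(rl5, 1002), "1003": statusOf(rl5, 1003),
		"1002 after release": statusOf(rl6, 1002), "replay rejected": fmt.Sprint(replayErr != nil)}
}

func main() { fmt.Println(demo()) }
```

Control 4 (a revoked entry stays on the CRL until the certificate expires) is an issuer obligation the relying party cannot verify from one CRL: an entry that silently disappears is indistinguishable from a lifted hold. That is why the signature and CRL-number checks carry the weight; without them, serving an older CRL is enough to make a revoked certificate look good again.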
The following control procedures are applicable when online
certificate status mechanisms (for example, OCSP) are used:
11 If an online certificate status collection method (for example, OCSP)
is used, the CA requires that certificate status inquiries (for
example, OCSP requests) contain all required data in accordance
with the CP.
12 Upon the receipt of a certificate status request (for example, an
OCSP request) from a relying party or its agent, the CA returns a
definitive response to the relying party or its agent if
a. the request message is well formed;
b. the certificate status provider responder is configured to provide
the requested service;
c. the request contains the information (that is, certificate identity,
for example, serial number, object identifier, and so forth) needed
by the certificate status provider responder in accordance with
the CP; and
d. the certificate status provider's responder is able to locate the
certificate and interpret its status.
When these conditions are met, the CA or certificate status provider
produces a signed response message indicating the certificate's
status in accordance with the CP. If any of the previous conditions
are not met, then a status of unknown may be returned.
13 All response messages are digitally signed and include all required
data in accordance with the CP.
Criteria:
The parent certification authority (CA) maintains controls to provide
reasonable assurance that
subordinate CA certificate requests are accurate, authenticated, and
approved;
subordinate CA certificate replacement (renewal and rekey) requests are
accurate, authorized, and complete;
new, renewed, and rekeyed subordinate CA certificates are generated
and issued in accordance with the CA's disclosed business practices;
upon issuance, complete and accurate subordinate CA certificates are
available to relevant entities (subscribers and relying parties) in
accordance with the CA's disclosed business practices;
subordinate CA certificates are revoked based on authorized and
validated certificate revocation requests; and
timely, complete, and accurate certificate status information (including
certificate revocation lists [CRLs] and other certificate status
mechanisms) is made available to any entity in accordance with the CA's
disclosed business practices.
Illustrative Controls:
Subordinate CA (sub-CA) Registration
1 The parent certificate policy (CP) specifies the requirements for
submission of sub-CA certification requests.
2 The parent CA authenticates the sub-CA certificate request in
accordance with the parent's CP.
3 The parent CA performs an assessment of the sub-CA certificate
applicant's compliance with the requirements of the parent CA's CP
before approving a sub-CA certificate request or, alternatively, the
sub-CA presents its certification practice statement for assessment.
Sub-CA Renewal
4 When sub-CA certificate renewal is permitted, the parent CA's CP
specifies the requirements for submission of sub-CA renewal
requests.
5 When sub-CA certificate renewal is permitted, the parent CA
authenticates the sub-CA certificate renewal request in accordance
with the CA's CP.
Sub-CA Rekey
6 The parent CA's CP specifies the requirements for submission of
sub-CA rekey requests.
7 The parent CA authenticates the sub-CA certificate rekey request in
accordance with the CP.
Sub-CA Certificate Issuance
8 The parent CA generates certificates
a. using the appropriate certificate profile in accordance with the
CP and ISO 9594/X.509 and ISO 15782-1 formatting rules;
b. with the validity periods formatted in accordance with ISO
9594/X.509, ISO 15782-1, and the CP; and
c. when extensions are used, with extension fields formatted in
accordance with ISO 9594/X.509, ISO 15782-1, and the CP.
9 The parent CA signs the sub-CA certificate with the parent CA's
private signing key.
Sub-CA Certificate Distribution
10 The parent CA makes sub-CA certificates available to relevant
entities (for example, relying parties) using an established
mechanism (for example, a repository, such as a directory) in
accordance with the parent CA's CP.
Sub-CA Certificate Revocation
11 The parent CA verifies the identity and authority of the entity
requesting revocation of a sub-CA certificate in accordance with the
parent CA's CP.
12 The parent CA updates the CRL and other sub-CA certificate status
mechanisms upon certificate revocation in accordance with the
parent CA's CP.
Sub-CA Certificate Status Information Processing
13 The parent CA makes sub-CA certificate status information
available to relying parties using an established mechanism (for
example, CRL, online certificate status protocol, and so forth) in
accordance with the parent CA's CP.
1 Include the text (restricted to ABC-CA Participants) or similar language if the
certification practice statement is not publicly disclosed.
Service Integrity
CA Key Life Cycle Management Controls
CA Key Generation
CA Key Storage, Backup, and Recovery
CA Public Key Distribution
CA Key Usage
CA Key Archival and Destruction
CA Key Compromise
CA Cryptographic Hardware Life Cycle Management
CA-Key Escrow (if applicable)
Subscriber Key Life Cycle Management Controls
CA-Provided Subscriber Key Generation Services (if supported)
CA-Provided Subscriber Key Storage and Recovery Services
(if supported)
Integrated Circuit Card Life Cycle Management (if supported)
Certificate Life Cycle Management Controls
Subscriber Registration
Certificate Renewal (if supported)
Certificate Rekey
Certificate Issuance
Certificate Distribution
Certificate Revocation
Certificate Suspension (if supported)
Certificate Validation
CA Environmental Controls
Security Management
Asset Classification and Management
Personnel Security
Physical and Environmental Security
Operations Management
System Access Management
Systems Development and Maintenance
Business Continuity Management
Monitoring and Compliance
Audit Logging
Very truly yours,
[Name]
[Title]
888.777.7077 | aicpa.org