GOV-01 - Cybersecurity & Data Protection Governance Program
Mechanisms exist to facilitate the implementation of cybersecurity & data protection governance controls.
GOV-15.1 - Select Controls
Mechanisms exist to compel data and/or process owners to select required cybersecurity & data privacy controls for each system, application and/or service under their control.
GOV-17 - Cybersecurity & Data Privacy Status Reporting
Mechanisms exist to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.
AAT-02.2 - AI & Autonomous Technologies Internal Controls
Mechanisms exist to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AAT-10.1 - AI TEVV Trustworthiness Assessment
Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy behavior and operation including security, anonymization and disaggregation of captured and stored data for approved purposes.
AAT-10.5 - AI TEVV Resiliency Assessment
Mechanisms exist to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
AST-01.1 - Asset-Service Dependencies
Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function.
AST-04 - Network Diagrams & Data Flow Diagrams (DFDs)
Mechanisms exist to maintain network architecture diagrams that: (1) Contain sufficient detail to assess the security of the network's architecture; (2) Reflect the current architecture of the network environment; and (3) Document all sensitive/regulated data flows.
AST-04.1 - Asset Scope Classification
Mechanisms exist to determine cybersecurity & data privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties).
AST-05 - Security of Assets & Media
Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.
AST-20 - Video Teleconference (VTC) Security
Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
AST-21 - Voice Over Internet Protocol (VoIP) Security
Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
AST-29 - Radio Frequency Identification (RFID) Security
Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.
BCD-02.4 - Data Storage Location Reviews
Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data.
BCD-07 - Alternative Security Measures
Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.
BCD-09 - Alternate Processing Site
Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.
BCD-11.2 - Separate Storage for Critical Information
Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.
CHG-02.3 - Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
Mechanisms exist to include a cybersecurity and/or data privacy representative in the configuration change control review process.
CHG-02.4 - Automated Security Response
Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configuration change(s).
CHG-03 - Security Impact Analysis for Changes
Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.
CHG-06 - Control Functionality Verification
Mechanisms exist to verify the functionality of cybersecurity and/or data privacy controls following implemented changes to ensure applicable controls operate as designed.
CHG-06.1 - Report Verification Results
Mechanisms exist to report the results of cybersecurity & data privacy function verification to appropriate organizational management.
CLD-02 - Cloud Security Architecture
Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments.
CLD-03 - Cloud Infrastructure Security Subnet
Mechanisms exist to host security-specific technologies in a dedicated subnet.
CLD-04 - Application & Program Interface (API) Security
Mechanisms exist to ensure support for secure interoperability between components with Application & Program Interfaces (APIs).
CLD-06.2 - Multi-Tenant Event Logging Capabilities
Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations.
CLD-06.3 - Multi-Tenant Forensics Capabilities
Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
CLD-06.4 - Multi-Tenant Incident Response Capabilities
Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
CLD-11 - Cloud Access Security Broker (CASB)
Mechanisms exist to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.
CLD-13 - Hosted Systems, Applications & Services
Mechanisms exist to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
CLD-14 - Prohibition On Unverified Hosted Systems, Applications & Services
Mechanisms exist to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
CPL-01.2 - Compliance Scope
Mechanisms exist to document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
CPL-01.3 - Ability To Demonstrate Conformity
Mechanisms exist to ensure the organization is able to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
CPL-02 - Cybersecurity & Data Protection Controls Oversight
Mechanisms exist to provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership.
CPL-02.2 - Periodic Audits
Mechanisms exist to conduct periodic audits of cybersecurity & data protection controls to evaluate conformity with the organization's documented policies, standards and procedures.
CPL-03 - Cybersecurity & Data Protection Assessments
Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements.
CPL-03.1 - Independent Assessors
Mechanisms exist to utilize independent assessors to evaluate cybersecurity & data protection controls at planned intervals or when the system, service or project undergoes significant changes.
CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
Mechanisms exist to regularly review technology assets for adherence to the organization's cybersecurity & data protection policies and standards.
CPL-07 - Grievances
Mechanisms exist to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.
CPL-07.1 - Grievance Response
Mechanisms exist to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.
CFG-02.8 - Respond To Unauthorized Changes
Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.
MON-01.2 - Automated Tools for Real-Time Analysis
Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
MON-01.4 - System Generated Alerts
Mechanisms exist to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness.
MON-01.6 - Host-Based Devices
Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.
MON-01.8 - Security Event Monitoring
Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
MON-01.11 - Automated Response to Suspicious Events
Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications.
MON-01.12 - Automated Alerts
Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications.
MON-02 - Centralized Collection of Security Event Logs
Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.
MON-02.1 - Correlate Monitoring Information
Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
MON-06.2 - Trend Analysis Reporting
Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
MON-08.1 - Event Log Backup on Separate Physical Systems / Components
Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.
MON-10 - Event Log Retention
Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.
MON-16.1 - Insider Threats
Mechanisms exist to monitor internal personnel activity for potential security incidents.
MON-16.2 - Third-Party Threats
Mechanisms exist to monitor third-party personnel activity for potential security incidents.
CRY-10 - Transmission of Cybersecurity & Data Privacy Attributes
Mechanisms exist to ensure systems associate security attributes with information exchanged between systems.
DCH-03.3 - Controlled Release
Automated mechanisms exist to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
DCH-04 - Media Marking
Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
DCH-04.1 - Automated Marking
Automated mechanisms exist to mark physical media and digital files to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aid Data Loss Prevention (DLP) technologies.
DCH-05 - Cybersecurity & Data Privacy Attributes
Mechanisms exist to bind cybersecurity & data privacy attributes to information as it is stored, transmitted and processed.
DCH-05.1 - Dynamic Attribute Association
Mechanisms exist to dynamically associate cybersecurity & data privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and data privacy policies.
DCH-05.2 - Attribute Value Changes By Authorized Individuals
Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity & data privacy attributes.
DCH-05.3 - Maintenance of Attribute Associations By System
Mechanisms exist to maintain the association and integrity of cybersecurity & data privacy attributes to individuals and objects.
DCH-05.4 - Association of Attributes By Authorized Individuals
Mechanisms exist to provide the capability to associate cybersecurity & data privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals).
DCH-05.5 - Attribute Displays for Output Devices
Mechanisms exist to display cybersecurity & data privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions.
DCH-05.6 - Data Subject Attribute Associations
Mechanisms exist to require personnel to associate and maintain the association of cybersecurity & data privacy attributes with individuals and objects in accordance with cybersecurity and data privacy policies.
DCH-05.7 - Consistent Attribute Interpretation
Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
DCH-05.8 - Identity Association Techniques & Technologies
Mechanisms exist to associate cybersecurity & data privacy attributes to information.
DCH-05.10 - Attribute Configuration By Authorized Individuals
Mechanisms exist to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.
DCH-05.11 - Audit Changes
Mechanisms exist to audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures.
DCH-06 - Media Storage
Mechanisms exist to: (1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and (2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
DCH-07 - Media Transportation
Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.
DCH-11 - Data Reclassification
Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information.
DCH-12 - Removable Media Security
Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters.
DCH-13.1 - Limits of Authorized Use
Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: (1) Verify the implementation of required security controls; or (2) Retain a processing agreement with the entity hosting the external systems or service.
DCH-14.3 - Data Access Mapping
Mechanisms exist to leverage data-specific Access Control Lists (ACL) or Interconnection Security Agreements (ISAs) to generate a logical map of the parties with whom sensitive/regulated data is shared.
DCH-24.1 - Automated Tools to Support Information Location
Automated mechanisms exist to identify information by data classification type to ensure adequate cybersecurity & data privacy controls are in place to protect organizational information and individual data privacy.
EMB-01 - Embedded Technology Security Program
Mechanisms exist to facilitate the implementation of embedded technology controls.
EMB-02 - Internet of Things (IoT)
Mechanisms exist to proactively manage the cybersecurity & data privacy risks associated with Internet of Things (IoT).
EMB-03 - Operational Technology (OT)
Mechanisms exist to proactively manage the cybersecurity & data privacy risks associated with Operational Technology (OT).
EMB-04 - Interface Security
Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s).
EMB-11 - Message Queuing Telemetry Transport (MQTT) Security
Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
EMB-17 - Chip-To-Cloud Security
Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).
EMB-18 - Real-Time Operating System (RTOS) Security
Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS).
END-01 - Endpoint Security
Mechanisms exist to facilitate the implementation of endpoint security controls.
END-06.2 - Endpoint Detection & Response (EDR)
Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.
END-09 - Trusted Path
Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.
END-16 - Restrict Access To Security Functions
Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.
END-16.1 - Host-Based Security Function Isolation
Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation.
HRS-01 - Human Resources Security Management
Mechanisms exist to facilitate the implementation of personnel security controls.
HRS-02 - Position Categorization
Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.
HRS-03 - Defined Roles & Responsibilities
Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.
HRS-03.2 - Competency Requirements for Security-Related Positions
Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.
HRS-04 - Personnel Screening
Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
HRS-05 - Terms of Employment
Mechanisms exist to require all employees and contractors to apply cybersecurity & data privacy principles in their daily work.
HRS-05.6 - Security-Minded Dress Code
Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets.
HRS-05.7 - Policy Familiarization & Acknowledgement
Mechanisms exist to ensure personnel receive recurring familiarization with the organization's cybersecurity & data privacy policies and provide acknowledgement.
HRS-07 - Personnel Sanctions
Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.
HRS-10 - Third-Party Personnel Security
Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity & data privacy roles and responsibilities.
HRS-13 - Identify Critical Skills & Gaps
Mechanisms exist to evaluate the critical cybersecurity & data privacy skills needed to support the organization's mission and identify gaps that exist.
HRS-13.2 - Identify Vital Cybersecurity & Data Privacy Staff
Mechanisms exist to identify vital cybersecurity & data privacy staff.
HRS-13.3 - Establish Redundancy for Vital Cybersecurity & Data Privacy Staff
Mechanisms exist to establish redundancy for vital cybersecurity & data privacy staff.
HRS-13.4 - Perform Succession Planning
Mechanisms exist to perform succession planning for vital cybersecurity & data privacy roles.
IAC-10.9 - Multiple Information System Accounts
Mechanisms exist to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.
IAC-12 - Cryptographic Module Authentication
Mechanisms exist to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.
IAC-12.1 - Hardware Security Modules (HSM)
Automated mechanisms exist to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies.
IAC-18 - User Responsibilities for Account Management
Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.). Passwords must adhere to the following standards:
1. Must be at least 14 characters long
2. Must contain one number
3. Must contain one lower case letter
4. Must contain one upper case letter
5. Must contain one special character
6. Must be rotated every 90 days
IAC-21.1 - Authorize Access to Security Functions
Mechanisms exist to limit access to security functions to explicitly-authorized privileged users.
IAC-21.2 - Non-Privileged Access for Non-Security Functions
Mechanisms exist to prohibit privileged users from using privileged accounts while performing non-security functions.
IAC-21.5 - Prohibit Non-Privileged Users from Executing Privileged Functions
Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures.
IRO-01 - Incident Response Operations
Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity & data privacy-related incidents.
IRO-03 - Indicators of Compromise (IOC)
Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.
IRO-07 - Integrated Security Incident Response Team (ISIRT)
Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity & data privacy incident response operations.
IRO-09 - Situational Awareness For Incidents
Mechanisms exist to document, monitor and report the status of cybersecurity & data privacy incidents to internal stakeholders all the way through the resolution of the incident.
IRO-09.1 - Automated Tracking, Data Collection & Analysis
Automated mechanisms exist to assist in the tracking, collection and analysis of information from actual and potential cybersecurity & data privacy incidents.
IRO-10.1 - Automated Reporting
Automated mechanisms exist to assist in the reporting of cybersecurity & data privacy incidents.
IRO-10.3 - Vulnerabilities Related To Incidents
Mechanisms exist to report system vulnerabilities associated with reported cybersecurity & data privacy incidents to organization-defined personnel or roles.
IRO-10.4 - Supply Chain Coordination
Mechanisms exist to provide cybersecurity & data privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.
IRO-11 - Incident Reporting Assistance
Mechanisms exist to provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential cybersecurity & data privacy incidents.
IRO-12.4 - Exposure to Unauthorized Personnel
Mechanisms exist to address security safeguards for personnel exposed to sensitive information that is not within their assigned access authorizations.
IRO-13 - Root Cause Analysis (RCA) & Lessons Learned
Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity & data privacy incidents to reduce the likelihood or impact of future incidents.
IAO-01 - Information Assurance (IA) Operations
Mechanisms exist to facilitate the implementation of cybersecurity & data privacy assessment and authorization controls.
IAO-02 - Assessments
Mechanisms exist to formally assess the cybersecurity & data privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.
IAO-02.1 - Assessor Independence
Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity & data privacy control assessments.
IAO-02.2 - Specialized Assessments
Mechanisms exist to conduct specialized assessments for: (1) Statutory, regulatory and contractual compliance obligations; (2) Monitoring capabilities; (3) Mobile devices; (4) Databases; (5) Application security; (6) Embedded technologies (e.g., IoT, OT, etc.); (7) Vulnerability management; (8) Malicious code; (9) Insider threats; (10) Performance/load testing; and/or (11) Artificial Intelligence and Autonomous Technologies (AAT).
IAO-02.4 - Security Assessment Report (SAR)
Mechanisms exist to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions.
IAO-03 - System Security & Privacy Plan (SSPP)
Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins.
IAO-03.2 - Adequate Security for Sensitive / Regulated Data In Support of Contracts
Mechanisms exist to protect sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract.
IAO-04 - Threat Analysis & Flaw Remediation During Development
Mechanisms exist to require system developers and integrators to create and execute a Security Testing and Evaluation (ST&E) plan, or similar process, to identify and remediate flaws during development.
IAO-05 - Plan of Action & Milestones (POA&M)
Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
IAO-06 - Technical Verification
Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical cybersecurity & data privacy controls.
IAO-07 - Security Authorization
Mechanisms exist to ensure systems, projects and services are officially authorized prior to "go live" in a production environment.
MNT-05.6 - Remote Maintenance Comparable Security & Sanitization
Mechanisms exist to require systems performing remote, non-local maintenance and/or diagnostic services to implement a security capability comparable to the capability implemented on the system being serviced.
MNT-07 - Maintain Configuration Control During Maintenance
Mechanisms exist to maintain proper physical security and configuration control over technology assets awaiting service or repair.
MNT-10 - Maintenance Validation
Mechanisms exist to validate maintenance activities were appropriately performed according to the work order and that security controls are operational.
NET-01 - Network Security Controls (NSC)
Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).
NET-02 - Layered Network Defenses
Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.
NET-02.3 - Cross Domain Solution (CDS)
Mechanisms exist to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains.
NET-03.8 - Separate Subnet for Connecting to Different Security Domains
Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains.
NET-04.2 - Object Security Attributes
Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions.
NET-04.8 - Data Type Identifiers
Automated mechanisms exist to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains.
NET-04.9 - Decomposition Into Policy-Related Subcomponents
Automated mechanisms exist to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains.
NET-04.10 - Detection of Unsanctioned Information
Automated mechanisms exist to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains.
NET-04.11 - Approved Solutions
Automated mechanisms exist to examine information for the presence of unsanctioned information and prohibit the transfer of such information, when transferring information between different security domains.
NET-04.13 - Metadata Validation
Automated mechanisms exist to apply cybersecurity and/or data privacy filters on metadata.
NET-04.14 - Application Proxy
Mechanisms exist to terminate, inspect, control and reinitiate application traffic, regardless of the user's location or the security posture of the surrounding network.
NET-05 - Interconnection Security Agreements (ISAs)
Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection, the interface characteristics, cybersecurity & data privacy requirements and the nature of the information communicated.
NET-05.2 - Internal System Connections
Mechanisms exist to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated.
NET-06.1 - Security Management Subnets
Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system.
NET-10 - Domain Name Service (DNS) Resolution
Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.
NET-10.4 - Domain Registrar Security
Mechanisms exist to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details.
NET-12 - Safeguarding Data Over Open Networks
Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks.
NET-14.4 - Remote Privileged Commands & Sensitive Data Access
Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs.
NET-14.5 - Work From Anywhere (WFA) - Telecommuting Security
Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers.
NET-14.7 - Endpoint Security Validation
Automated mechanisms exist to validate the security posture of the endpoint devices (e.g., software versions, patch levels, etc.) prior to allowing devices to connect to organizational technology assets.
NET-18.5 - Domain Name Verification
Mechanisms exist to ensure that domain name lookups, whether for internal or external domains, are validated according to Domain Name System Security Extensions (DNSSEC).
NET-18.8 - Authenticated Proxy
Mechanisms exist to force systems and processes to authenticate Internet-bound traffic with a proxy to enable user, group and/or location-aware security controls.
NET-20 - Email Content Protections
Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.
PES-01.1 - Site Security Plan (SitePlan)
Mechanisms exist to document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats.
PES-01.2 - Zone-Based Physical Security
Mechanisms exist to implement a zone-based approach to physical security.
PES-02.2 - Dual Authorization for Physical Access
Mechanisms exist to enforce a "two-person rule" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.).
PES-04 - Physical Security of Offices, Rooms & Facilities
Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.
PES-04.1 - Working in Secure Areas
Physical security mechanisms exist to allow only authorized personnel access to secure areas.
PES-04.3 - Temporary Storage
Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards.
PES-05 - Monitoring Physical Access
Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.
PES-05.2 - Monitoring Physical Access To Information Systems
Facility security mechanisms exist to monitor physical access to critical information systems or sensitive/regulated data, in addition to the physical access monitoring of the facility.
PES-06.3 - Restrict Unescorted Access
Physical access control mechanisms exist to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and a validated need for access.
PES-07 - Supporting Utilities
Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.
PES-07.1 - Automatic Voltage Controls
Facility security mechanisms exist to utilize automatic voltage controls for critical system components.
PES-07.2 - Emergency Shutoff
Facility security mechanisms exist to shut off power in emergency situations by: (1) Placing emergency shutoff switches or devices in close proximity to systems or system components to facilitate safe and easy access for personnel; and (2) Protecting emergency power shutoff capability from unauthorized activation.
PES-07.3 - Emergency Power
Facility security mechanisms exist to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source.
PES-07.4 - Emergency Lighting
Facility security mechanisms exist to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PES-07.5 - Water Damage Protection
Facility security mechanisms exist to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel.
PES-07.6 - Automation Support for Water Damage Protection
Facility security mechanisms exist to detect the presence of water in the vicinity of critical information systems and alert facility maintenance and IT personnel.
PES-08 - Fire Protection
Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.
PES-08.1 - Fire Detection Devices
Facility security mechanisms exist to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire.
PES-08.2 - Fire Suppression Devices
Facility security mechanisms exist to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders.
PES-08.3 - Automatic Fire Suppression
Facility security mechanisms exist to employ an automatic fire suppression capability for critical information systems when the facility is not staffed on a continuous basis.
PES-09 - Temperature & Humidity Controls
Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility.
PES-09.1 - Monitoring with Alarms / Notifications
Facility security mechanisms exist to trigger an alarm or notification of temperature and humidity changes that could be harmful to personnel or equipment.
PES-10 - Delivery & Removal
Physical security mechanisms exist to isolate information processing facilities from delivery and loading areas and other access points to avoid unauthorized access.
PES-11 - Alternate Work Site
Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites.
PES-12 - Equipment Siting & Protection
Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
PES-12.1 - Transmission Medium Security
Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.
PES-12.2 - Access Control for Output Devices
Physical security mechanisms exist to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output.
PES-13 - Information Leakage Due To Electromagnetic Signals Emanations
Facility security mechanisms exist to protect the system from information leakage due to electromagnetic signals emanations.
PES-14 - Asset Monitoring and Tracking
Physical security mechanisms exist to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
PES-15 - Electromagnetic Pulse (EMP) Protection
Physical security mechanisms exist to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components.
PES-16 - Component Marking
Physical security mechanisms exist to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component.
PRI-01.6 - Security of Personal Data (PD)
Mechanisms exist to ensure Personal Data (PD) is protected by logical and physical security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
PRI-08 - Testing, Training & Monitoring
Mechanisms exist to conduct cybersecurity & data privacy testing, training and monitoring activities.
PRM-01 - Cybersecurity & Data Privacy Portfolio Management
Mechanisms exist to facilitate the implementation of cybersecurity & data privacy-related resource planning controls that define a viable plan for achieving cybersecurity & data privacy objectives.
PRM-01.1 - Strategic Plan & Objectives
Mechanisms exist to establish a strategic cybersecurity & data privacy-specific business plan and set of objectives to achieve that plan.
PRM-02 - Cybersecurity & Data Privacy Resource Management
Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the cybersecurity & data privacy programs and document all exceptions to this requirement.
PRM-04 - Cybersecurity & Data Privacy In Project Management
Mechanisms exist to assess cybersecurity & data privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.
PRM-05 - Cybersecurity & Data Privacy Requirements Definition
Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC).
PRM-06 - Business Process Definition
Mechanisms exist to define business processes with consideration for cybersecurity & data privacy that determines: (1) The resulting risk to organizational operations, assets, individuals and other organizations; and (2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
PRM-08 - Manage Organizational Knowledge
Mechanisms exist to manage the organizational knowledge of the cybersecurity & data privacy staff.
RSK-02 - Risk-Based Security Categorization
Mechanisms exist to categorize systems and data in accordance with applicable laws, regulations and contractual obligations that: (1) Document the security categorization results (including supporting rationale) in the security plan for systems; and (2) Ensure the security categorization decision is reviewed and approved by the asset owner.
RSK-05 - Risk Ranking
Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.
RSK-06.1 - Risk Response
Mechanisms exist to respond to findings from cybersecurity & data privacy assessments, incidents and audits to ensure proper remediation has been performed.
RSK-07 - Risk Assessment Update
Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.
RSK-08 - Business Impact Analysis (BIA)
Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks.
RSK-11 - Risk Monitoring
Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of cybersecurity & data privacy controls, compliance and change management.
SEA-01 - Secure Engineering Principles
Mechanisms exist to facilitate the implementation of industry-recognized cybersecurity & data privacy practices in the specification, design, development, implementation and modification of systems and services.
SEA-01.1 - Centralized Management of Cybersecurity & Data Privacy Controls
Mechanisms exist to centrally-manage the organization-wide management and implementation of cybersecurity & data privacy controls and related processes.
SEA-02 - Alignment With Enterprise Architecture
Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity & data privacy principles that addresses risk to organizational operations, assets, individuals and other organizations.
SEA-02.2 - Outsourcing Non-Essential Functions or Services
Mechanisms exist to identify non-essential functions or services that are capable of being outsourced to external service providers and align with the organization's enterprise architecture and security standards.
SEA-03 - Defense-In-Depth (DiD) Architecture
Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SEA-04.1 - Security Function Isolation
Mechanisms exist to isolate security functions from non-security functions.
SEA-10 - Memory Protection
Mechanisms exist to implement security safeguards to protect system memory from unauthorized code execution.
SEA-17 - Secure Log-On Procedures
Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system.
SEA-18 - System Use Notification (Logon Banner)
Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides cybersecurity & data privacy notices.
SEA-18.1 - Standardized Microsoft Windows Banner
Mechanisms exist to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system that provides cybersecurity & data privacy notices.
OPS-01 - Operations Security
Mechanisms exist to facilitate the implementation of operational security controls.
OPS-02 - Security Concept Of Operations (CONOPS)
Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents the management, operational and technical measures implemented to apply defense-in-depth techniques and that is communicated to all appropriate stakeholders.
OPS-04 - Security Operations Center (SOC)
Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability.
OPS-06 - Security Orchestration, Automation, and Response (SOAR)
Mechanisms exist to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.
SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.
SAT-02 - Cybersecurity & Data Privacy Awareness Training
Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.
SAT-03 - Role-Based Cybersecurity & Data Privacy Training
Mechanisms exist to provide role-based cybersecurity & data privacy-related training: (1) Before authorizing access to the system or performing assigned duties; (2) When required by system changes; and (3) Annually thereafter.
SAT-03.1 - Practical Exercises
Mechanisms exist to include practical exercises in cybersecurity & data privacy training that reinforce training objectives.
SAT-03.4 - Vendor Cybersecurity & Data Privacy Training
Mechanisms exist to incorporate vendor-specific security training in support of new technology initiatives.
SAT-03.6 - Cyber Threat Environment
Mechanisms exist to provide role-based cybersecurity & data privacy awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.
SAT-03.7 - Continuing Professional Education (CPE) - Cybersecurity & Data Privacy Personnel
Mechanisms exist to ensure cybersecurity & data privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities.
SAT-04 - Cybersecurity & Data Privacy Training Records
Mechanisms exist to document, retain and monitor individual training activities, including basic cybersecurity & data privacy awareness training, ongoing awareness training and specific-system training.
SAT-05 - Cybersecurity Knowledge Sharing
Mechanisms exist to improve cybersecurity and data protection knowledge sharing across security personnel allowing for more rapid and effective response to incidents.
TDA-01.1 - Product Management
Mechanisms exist to design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies.
TDA-01.2 - Integrity Mechanisms for Software / Firmware Updates
Mechanisms exist to utilize integrity validation mechanisms for security updates.
TDA-01.3 - Malware Testing Prior to Release
Mechanisms exist to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update.
TDA-01.4 - DevSecOps
Mechanisms exist to integrate cybersecurity and data privacy into Development, Security and Operations (DevSecOps) to prioritize secure practices throughout the Software Development Lifecycle (SDLC).
TDA-02 - Minimum Viable Product (MVP) Security Requirements
Mechanisms exist to ensure risk-based technical and functional specifications are established to define a Minimum Viable Product (MVP).
TDA-02.7 - Cybersecurity & Data Privacy Representatives For Product Changes
Mechanisms exist to include appropriate cybersecurity & data privacy representatives in the product feature and/or functionality change control review process.
TDA-03 - Commercial Off-The-Shelf (COTS) Security Solutions
Mechanisms exist to utilize only Commercial Off-the-Shelf (COTS) security products.
TDA-03.1 - Supplier Diversity
Mechanisms exist to obtain cybersecurity & data privacy technologies from different suppliers to minimize supply chain risk.
TDA-04.1 - Functional Properties
Mechanisms exist to require software developers to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls.
TDA-05 - Developer Architecture & Design
Mechanisms exist to require the developers of systems, system components or services to produce a design specification and security architecture that: (1) Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture; (2) Accurately and completely describes the required security functionality and the allocation of security controls among physical and logical components; and (3) Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.
TDA-06.5 - Software Design Review
Mechanisms exist to have an independent review of the software design to confirm that all cybersecurity & data privacy requirements are met and that any identified risks are satisfactorily addressed.
TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development
Mechanisms exist to require system developers/integrators to consult with cybersecurity & data privacy personnel to: (1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability; (2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and (3) Document the results of the security testing/evaluation and flaw remediation processes.
TDA-09.1 - Continuous Monitoring Plan
Mechanisms exist to require the developers of systems, system components or services to produce a plan for the continuous monitoring of cybersecurity & data privacy control effectiveness.
TDA-09.6 - Secure Settings By Default
Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise.
TDA-10.1 - Test Data Integrity
Mechanisms exist to ensure the integrity of test data through existing cybersecurity & data privacy controls.
TDA-15 - Developer Threat Analysis & Flaw Remediation
Mechanisms exist to require system developers and integrators to develop and implement an ongoing Security Testing and Evaluation (ST&E) plan, or similar process, to objectively identify and remediate vulnerabilities prior to release to production.
TDA-19 - Error Handling
Mechanisms exist to handle error conditions by: (1) Identifying potentially security-relevant error conditions; (2) Generating error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited; and (3) Revealing error messages only to authorized personnel.
TPM-03 - Supply Chain Protection
Mechanisms exist to evaluate security risks associated with the services and product supply chain.
TPM-03.2 - Limit Potential Harm
Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.
TPM-03.3 - Processes To Address Weaknesses or Deficiencies
Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain.
TPM-05 - Third-Party Contract Requirements
Mechanisms exist to establish contractual cybersecurity & data privacy requirements with third-parties, reflecting the organization's needs to protect its systems, processes and data.
TPM-05.1 - Security Compromise Notification Agreements
Mechanisms exist to compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes.
TPM-05.2 - Contract Flow-Down Requirements
Mechanisms exist to ensure cybersecurity & data privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
TPM-05.4 - Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix
Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for cybersecurity & data privacy controls between internal stakeholders and External Service Providers (ESPs).
TPM-05.5 - Third-Party Scope Review
Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity & data privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders.
TPM-05.6 - First-Party Declaration (1PD)
Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity & data privacy controls, including any flow-down requirements to subcontractors.
TPM-05.7 - Break Clauses
Mechanisms exist to include "break clauses" within contracts for failure to meet contract criteria for cybersecurity and/or data privacy controls.
TPM-05.8 - Third-Party Attestation (3PA)
Mechanisms exist to obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for cybersecurity & data privacy controls, including any flow-down requirements to contractors and subcontractors.
TPM-06 - Third-Party Personnel Security
Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.
TPM-08 - Review of Third-Party Services
Mechanisms exist to monitor, regularly review and assess External Service Providers (ESPs) for compliance with established contractual requirements for cybersecurity & data privacy controls.
THR-01 - Threat Intelligence Program
Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.
THR-03.1 - Threat Intelligence Reporting
Mechanisms exist to utilize external threat intelligence feeds to generate and disseminate organization-specific security alerts, advisories and/or directives.
THR-05 - Insider Threat Awareness
Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat.
THR-06.1 - Security Disclosure Contact Information
Mechanisms exist to enable public submissions of discovered or potential security vulnerabilities.
THR-07 - Threat Hunting
Mechanisms exist to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls.
VPM-03 - Vulnerability Ranking
Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information.
VPM-04.1 - Stable Versions
Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems.
VPM-05.4 - Automated Software & Firmware Updates
Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates.
VPM-08 - Technical Surveillance Countermeasures Security
Mechanisms exist to utilize a technical surveillance countermeasures survey.
WEB-01 - Web Security
Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.
WEB-04 - Client-Facing Web Services
Mechanisms exist to deploy reasonably-expected security controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.
WEB-07 - Web Security Standard
Mechanisms exist to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process.
WEB-12 - Web Browser Security
Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.
Copyright © 2026