Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.

Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.

Employees shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery.

[This statement is referring to the concept of 'always off' production access, where accounts used to access production are off unless turned on for a specific situation. This is a security best practice but is not required by any framework.]

All Production Systems must disable services that are not required to achieve the business purpose or function of the system.

All access to Production Systems must be logged.

All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.

Implement and/or review controls designed to protect Production Data from improper alteration or destruction.

Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.

Ensure [COMPANY NAME] Customer Production Data is segmented and only accessible to Customers authorized to access data.

All Production Data at rest is stored on encrypted volumes using encryption keys managed by [COMPANY NAME].

[If your encryption keys are managed by your cloud service provider, then you should modify this statement to reflect that process.]

Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.

Definition of the information to be protected

Duration of the agreement

Required actions upon termination of agreement

Responsibilities and actions to avoid unauthorized disclosure

Ownership of information, trade secrets and intellectual property

Permitted use of the confidential information and rights to use information

Audit and monitor activities that involve confidential information

Process of notification and reporting of unauthorized disclosure or information leakage

Information return or destruction terms when agreement is terminated

Actions in case of breach of agreement

Periodic review

Statutory, regulatory or contractual requirements

Type of data (e.g., accounting records,database records, audit logs)

Type of storage media (e.g., paper, hard drive, server)

Authorization to access or manage stored data

Proper identification of records and their retention period

Technology change and ability to access data throughout retention period

Acceptable timeframe and format to retrieve data

Appropriate methods of disposal

Nature, sensitivity, confidentiality, and value of the information

Size of data being transferred

Impact of loss during transit

All external data transmission must be encrypted end-to-end using encryption keys managed by [COMPANY NAME]. This includes, but is not limited to, cloud infrastructure and third party vendors and applications.

[This requirement is required for ISO 27001 but is not required for all other frameworks.]

All internet and intranet connections are encrypted and authenticated using a strong protocol, a strong key exchange, and a strong cipher.

Interface characteristics;

Security and privacy requirements, controls, and responsibilities for each system; and,

Impact level of the information communicated.

Restricted and sensitive data is not allowed to be sent over electronic end-user messaging channels such as email or chat, unless end-to-end encryption is enabled.

Messages must be protected from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization.

Messages must be reviewed prior to sending to ensure correct addressing and transportation of the message.

The reliability and availability of the messaging channel must be verified.

All applicable legal requirements will be adhered to.

Use of external public services such as instant messaging, social networking or file sharing will require prior approval and authorization.

Publicly accessible networks will be controlled by stronger authentication.

Create, read, update, or delete confidential information, including confidential authentication information such as passwords;

Create, update, or delete information not covered in above;

Initiate a network connection;

Accept a network connection;

User authentication and authorization for activities covered above such as user login and logout;

Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes;

System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes;

Application process startup, shutdown, or restart;

Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault; and

Detection of suspicious/malicious activity such as from an Intrusion Detection or Prevention System (IDS/IPS), anti-virus system, or anti-spyware system.

Type of action – examples include authorize, create, read, update, delete, and accept network connection.

Subsystem performing the action – examples include process or transaction name, process or transaction identifier.

Identifiers (as many as available) for the subject requesting the action – examples include user name, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.

Identifiers (as many as available) for the object the action was performed on – examples include file names accessed, unique identifiers of records accessed in a database, query parameters used to determine records accessed in a database, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.

Before and after values when action involves updating a data element, if feasible.

Date and time the action was performed, including relevant time-zone information if not in Coordinated Universal Time.

Whether the action was allowed or denied by access-control mechanisms.

Description and/or reason-codes of why the action was denied by the access-control mechanism, if applicable.

The system will support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. Note that the construction of an actual enterprise-level log management mechanism is outside the scope of this document.

The system will also ensure clock synchronization for the accuracy of audit logs. A clock linked to a radio time broadcast from a national atomic clock can be used as the master clock for logging systems. A network time protocol will be used to keep all of the servers in synchronization with the master clock.

System administrators are not permitted to erase or de-activate logs of their own activities.

Real-time copying of logs to a system outside the control of a system administrator or operator.

Monitoring system and network administration activities by using an intrusion detection system managed outside of the control of system and network administrators.

Frequent review of logs to maintain accountability of privileged users.