Skip to main content
All CollectionsEvidence Library
Example Evidence for Not Monitored Controls (NIST 800-53r5)
Example Evidence for Not Monitored Controls (NIST 800-53r5)
Updated over 3 months ago

Example Evidence for Not Monitored NIST 800-53r5 Controls

NIST SP 800-53r5 is a comprehensive control framework that provides guidelines and controls for managing and securing federal information systems. The following is a list of example evidence that can be provided when preparing for your NIST 800-53r5 audit. It is important to note that your auditor will likely request additional evidence. The list below includes the controls from NIST 800-53r5.

Code

NIST 800-53r5 Requirement

Name

Example Evidence

DCF-7

SA-11-00, CM-04-01

Separate Testing and Production Environments

1. Screenshots from test and production environments for the application

DCF-11

AC-06-07, PS-02-00, PS-04-02, PS-05-00, PE-02-00, PE-03-00, PE-06-00, AC-02-00, AC-03-00, AC-05-00, AC-06-00, AC-06-01, IA-02-02, IA-02-05, IA-02-08, IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02

Annual Access Control Review

1. Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable)

2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.

DCF-12

CM-06-00, CM-02-00, PL-10-00, PL-11-00, SA-08-00

Hardening Standards in Place

1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed.

2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.

DCF-16

AU-03-03, CA-01-00, CA-02-00, CA-02-01

Annual Risk Assessment

1. Most recently completed risk assessment report.

DCF-17

RA-03-00, CP-02-01, CP-06-00, CP-06-01, CP-06-02, CP-06-03, CP-07-00, CP-07-01, CP-07-02, CP-07-03, CP-08-03, CA-02-00, CA-05-00, CP-04-01, CP-04-02, CP-08-00, CP-08-01, CP-08-02, IR-02-01, IR-04-01, IR-08-00

Remediation Plan

1. Documented remediation plans for risks identified during the risk assessment.

DCF-19

CA-02-02, CA-08-00, CA-08-01

Annual Penetration Tests

1. Most recently completed annual penetration test.

DCF-20

CM-08-01, CM-12-00, PM-05-01, SA-22-00, CP-02-08, CM-08-00, CM-08-02, CP-03-00, RA-09-00

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.)

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

PL-08-00, SA-17-00, SC-07-21, AC-06-00, AC-18-00, SC-07-08

Architectural Diagram

1. Approved Architectural Diagram

DCF-22

AC-04-00, AC-18-00

Network Diagram

1. Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.

DCF-26

CP-01-00, CP-02-00, CP-02-01, CP-02-03, CP-06-00, CP-06-01, CP-06-02, CP-07-00, CP-07-01, CP-07-02, CP-07-03, CP-04-00, CP-04-01, CP-04-02, IR-03-02, IR-07-00

BCP/DR Tests Conducted Annually

1. Most recently completed BCP/DR test.

DCF-35

CP-03-01, CP-04-00, CP-04-01, CP-04-02, IR-07-00, IR-07-01, IR-08-00

Security Team Communicates in a Timely Manner

1. Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-42

PS-09-00, AC-06-02

Defined Management Roles & Responsibilities

1. Roles and Responsibilities section from the information security policy.

DCF-43

PS-04-02, PE-02-00

Termination/Offboarding Checklist

1. Formal documented termination checklist/help desk ticket for a recent terminated employee.

DCF-56

SA-09-00, SR-08-00

Vendor Register and Agreements

1. Executed Agreement/contract between the entity and key vendors.

DCF-57

SA-09-02, SR-03-00

Vendor Compliance Monitoring


1. Screenshots from the vendor directory showing that vendors are categorized based on impact /risk.

2. Review documents showing that vendors' SOC2 reports were reviewed (Drata can provide a review template for this).

DCF-58

AC-18-00, IA-11-00, IA-07-00, IA-12-03

Authentication Protocol

1. If SSO is an option, screenshots of a user logging in with SSO.

2. If username and password is an option, screenshots of a user logging in with a username and password.

3. Screenshots of MFA being required for employee users.

4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-59

AC-06-10, PS-09-00, AC-01-00, AC-03-00, AC-05-00, AC-06-00, AC-06-01, AC-06-02, IA-07-00

Role-Based Security Implementation

1. Screenshots from the application showing how users are assigned roles.

DCF-62

AC-02-05, AC-11-00, AC-12-00, SC-10-00, IA-11-00

Inactivity and Browser Exit Logout

1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to reauthenticate upon next login.

2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login.

DCF-69

PM-10-00, IA-12-00, IA-12-02, IA-12-04, IA-12-05, AC-03-00, AC-05-00, AC-06-00, CP-03-00, IA-02-01, IA-02-02, IA-02-05, IA-02-08, IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02, IA-07-00

System Access Granted

1.Formal, documented access request form/help desk ticket for a recent new hire.

DCF-72

AC-06-05, AC-17-02, IA-02-01, IA-02-02, IA-02-05, IA-02-08, IA-04-04, IA-05-00, IA-05-01

Unique SSH

1. Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account.

2. Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production.

DCF-74

SI-05-01

Customers Informed of Changes

1. Example emails communicating changes to customers.

2. Screenshots of banners warning customers of downtime prior to system maintenance.

DCF-76

SI-02-00, SI-02-02, SI-05-01, CM-03-04, CM-04-02, CM-05-00

Critical Change Management

1. Formal, documented emergency change procedures for critical changes.

DCF-79

AC-17-01, AU-06-01, AU-07-00, AU-09-02, AU-12-01, PL-09-00, AU-02-00, AU-03-01, AU-06-03, SI-04-00, SI-04-02

Logs Centrally Stored

1. Screenshots from the location where logs of system activity are stored.

DCF-80

AC-17-01, AU-04-00, AU-05-00, AU-05-02, AU-06-00, AU-07-00, AU-10-00, AU-12-00, AU-12-03, CM-05-01, SI-04-04, SI-04-05, SI-04-12, PE-08-01, AC-02-04, AU-01-00, AU-02-00, SI-04-00, SI-04-02

Log Management System

1. Screenshots from the location where logs of system activity are stored.

DCF-86

PM-06-00, AU-01-00, AU-03-01

Operational Monitoring


1. Screenshots from the systems used to monitor for system availability issues.

2. Screenshots showing how personnel would be alerted of availability issues and who would be alerted.

DCF-91

SI-04-14, AC-06-01

Intrusion Detection System in Place

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

AC-17-00, AC-17-01, AC-17-02, AC-17-03, AC-18-01, SC-07-07, AC-18-00

Encrypted Remote Production Access

1. screenshots of a user trying to access production systems without being connected to a VPN and providing access is denied.

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.

DCF-95

AU-04-00, CP-02-02

Monitoring Processing Capacity and Usage

1. Evidence that management reviewed processing capacity and usage reports on a quarterly basis

DCF-97

CP-02-02

Auto-Scale Configuration

1. Screenshot of auto scaling configurations for EC2 instances.

DCF-98

CP-09-01, CP-09-02, CP-09-03, CP-09-05, CP-09-08

Daily Backup Statuses Monitored

1. Tickets showing that backup failures were monitored and resolved.

DCF-100

CP-09-01, CP-09-02, CP-10-00, CP-10-02, CP-10-04, CP-04-01, CP-04-02, IR-07-00

Backup Integrity and Completeness

1. Screenshots showing a backup snapshot was restored completely and accurately.

2. Evidence from the annual DR tests showing that backups were restored completely and accurately.

DCF-109

SR-12-00

Disposal of Sensitive Data on Hardware

1. Data Deletion Policy or equivalent policy documenting this policy and procedure.

DCF-110

SI-10-00

Application Edits

1. Screenshots of users entering data into the application to confirm that the application limits input values to only valid values.

DCF-112

PT-02-00, PT-05-00, SC-07-24

Provide Notice of Privacy Practices

1. Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process.

DCF-114

PM-20-00, PM-20-01

Privacy Policy Publicly Available

1. Screenshot of privacy practices posted on the entity's website.

DCF-115

AC-03-14, PT-03-00, PT-04-00, PT-05-00

Privacy Policy Inclusions

1. Formal, documented privacy practices from the entity's website.

DCF-116

AC-03-14, SI-12-01, SI-12-02

Accept The Privacy Policy

1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process.

DCF-117

PM-25-00, SA-08-33, SI-12-01, SI-12-02

Minimal Information Required

1. Screenshot of all information that the user can enter when providing data through the application.

DCF-120

PM-22-00

Annual Review of Purposes

1. Meeting minutes for management's annual review of privacy policies

DCF-121

SC-07-24, SI-12-01

Purposeful Use Only

1. Section from privacy practices/policy that covers this item.

DCF-122

AC-03-14

Requests for Deletion

1. Example requests for deletion of personal information and evidence that the data was deleted timely.

DCF-123

SI-12-03, SR-12-00

Data Destruction Policy

1. Formal, documented data deletion policy.

DCF-124

IA-02-01, IA-02-02, IA-02-05, IA-02-08, IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02

Require Authentication for Access

1. Screenshots of a user authenticating to the application prior to seeing their information.

DCF-126

SI-18-00, SI-18-04

Users Can Update their Information

1. Screenshots of a user modifying their personal information within the application.

DCF-131

IR-01-00, IR-04-01, IR-04-11, IR-05-00, IR-05-01, IR-06-00, IR-06-01, IR-07-00, IR-07-01, IR-08-00

Incident Report Template and Process

1. Formal, documented incident response procedures.

DCF-134

IR-06-03, IR-08-01

3rd Parties and Vendors Given Instructions on Breach Reporting

1. Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity.

DCF-135

CP-03-01, CP-04-00, CP-04-01, CP-04-02, IR-07-00, IR-07-01, IR-08-00

Notice of Breach to Affected Users

1. Formal, documented breach notification procedures.

2. Breach Notification Template

DCF-137

SI-10-00, SI-18-00, SI-18-04

Data Entry Field Completion Automated

1. Screenshots of a user enter information into the application to confirm that edit checks are included in fields.

DCF-138

SI-18-00, SI-18-04

Confirmation Before Submission

1. Screenshots of a user entering information into the application to confirm that users are asked to confirm that their information is correct, prior to submitting information.

DCF-139

PM-26-00

Contact Information for Privacy Concerns

1. Section from privacy practices on your website showing contact information for how external personnel contact you with inquiries, complaints, and disputes.

DCF-140

PM-26-00

Customer Portal

1. Screenshots of how a customer can submit inquiries, complaints or disputes about privacy issues.

DCF-141

PM-26-00

Customer Inquiries Tracked

1. Screenshots of the incident tracking system used to track users' complaints, inquiries and disputes.

2. Example submitted inquiries, complaints or disputes and evidence that resolution was communicated to the customer and corrective actions were performed, as necessary.

DCF-147

PE-02-00, PE-03-00, PE-03-01, PE-04-00, PE-06-01, PE-08-00

Physical Access to Facilities is Protected

1. Physical Access Control Policy

DCF-148

CM-04-02

Regression Testing in Place

1. Example of regression testing that was performed prior to a recent major product release.

DCF-149

AC-20-02, IR-08-01

Removable Media Device Encryption

1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-151

SR-09-00, SR-09-01

FIM (File Integrity Monitoring) Software in Place

1. Screenshots of FIM software.

2. Examples of FIM detecting changes.

DCF-152

SI-02-00, SI-02-02

Virtual Machine OS are Patched Monthly

1. Evidence from servers or patching systems showing that operating systems were patched monthly.

DCF-153

CA-02-00, CA-02-01, IR-07-00, PL-10-00, PL-11-00

Conduct Control Self-Assessments

1. Screenshots of how Drata is used for continuous monitoring of controls.

DCF-154

CP-03-01, CP-04-00, CP-04-01, CP-04-02, IR-02-01, IR-02-02, IR-02-03, IR-03-00, IR-03-02, IR-04-01, IR-07-00, IR-08-00, PM-14-00

Annual Incident Response Test

1. Most recently completed incident response tabletop test.

DCF-155

CM-04-02

Code Changes are Tested

1. Screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-158

IA-07-00, IA-12-03

MFA Available for External Users

1. Screenshots from the application showing that customers have the option of using MFA for their accounts.

DCF-160

CA-07-01, PM-06-00, AC-02-04, AU-01-00, AU-02-00, AU-03-01, CA-07-00, CA-07-04, PM-31-00, SI-04-00, SI-04-02

Continuous Control Monitoring

1. Screenshots of how Drata is used for continuous monitoring of controls.

DCF-165

AU-02-00, AU-06-03

Independent Assessment

1. Evidence of testing performed for internal audit.

2. Internal audit report.

DCF-166

PE-17-00, SI-04-12, CP-01-00, CP-02-00, CP-02-01, CP-02-03, CP-02-05, CP-06-00, CP-06-01, CP-06-02, CP-07-04, CP-08-03, CP-09-02, CP-09-03, CP-09-05, CP-09-08, IR-06-03, CA-05-00, CP-03-00, CP-03-01, CP-04-00, CP-04-01, CP-04-02, CP-08-00, CP-08-01, CP-08-02, IR-01-00, IR-02-00, IR-02-01, IR-02-02, IR-02-03, IR-03-02, IR-04-11, IR-05-00, IR-05-01, IR-06-00, IR-06-01, IR-07-00, IR-07-01, IR-08-00

Business Continuity Plan

1. Business Continuity Plan.

DCF-167

CP-01-00, CP-02-00, CP-02-03, CP-02-05, CP-02-08, CP-06-02, CP-10-00, CP-10-04, IR-07-00, IR-07-01, IR-08-00

Business Impact Analysis

1. Business Impact Analysis (Typically part of the business continuity plan).

DCF-168

AC-20-00, PS-07-00, SA-04-00, SA-04-01, SA-04-02, SA-09-00, SA-09-02, SR-06-00, SR-08-00, SR-02-01, CP-08-04, SC-07-04, SR-01-00, SR-11-01, SR-11-02

Vendor Management Policy

1. Vendor Management Policy.

DCF-171

CP-09-00, CP-09-02, CP-09-03, CP-09-05, CP-09-08, CP-10-00, CP-10-02, CP-10-04, CP-08-00, CP-08-01, CP-08-02

Operating Procedures

1. Will be a part of your ISMS policy.

DCF-172

CM-03-01, CM-04-00, AC-02-02, CA-05-00, CM-03-02, CM-03-04, CM-04-01, CM-04-02, CM-05-00

Organizational Change Management

1. Will be a part of your ISMS policy.

DCF-174

AC-19-00, AC-14-00, SC-18-00

Telework and Endpoint Devices

1. Section from the information security policy

DCF-176

CA-07-00, CA-07-04, CP-04-00, CP-04-01, CP-04-02, SI-04-00

Monitoring Plan

1. Will be a part of your ISMS policy.

DCF-177

AC-06-09, AC-17-01, AU-03-00, AU-04-00, AU-05-00, AU-05-02, AU-06-00, AU-06-01, AU-06-05, AU-07-01, AU-08-00, AU-12-00, CM-05-01, SI-04-20, AU-06-06, CP-10-00, CP-10-02, CP-10-04, AC-02-04, AC-02-12, AU-01-00, AU-02-00, AU-03-01, CM-04-02, SI-04-02

Event Logging

1. Section from the Data Protection Policy

DCF-180

AC-20-01, CA-03-06, CA-09-00, SC-08-00, CP-09-05, MP-05-00, AC-04-00

Secure Information Transfer

1. Section from the Data Protection Policy

DCF-182

AC-19-00, CM-01-00, CM-08-01, CM-08-04, CM-09-00, CM-10-00, CM-12-00, RA-02-00, SA-22-00, CA-03-00, MP-06-07, MP-06-08, PS-04-00, CP-02-08, CP-06-00, CP-06-01, CP-06-02, MP-03-00, MP-04-00, MP-05-00, MP-06-00, MP-06-02, MP-06-03, MP-07-00, AC-02-00, AC-04-00, AC-05-00, CM-03-00, CM-08-00, CM-08-02, CP-03-00, CP-04-00, CP-04-01, CP-04-02, MP-06-01, PM-31-00, SC-07-08

Asset Management Policy

1. Asset Management Policy.

DCF-183

CA-01-00, RA-05-00, RA-05-11, RA-07-00, RA-08-00, CA-02-00

Vulnerability Management

1. Vulnerability Management Policy.

DCF-185

RA-05-02, SI-05-00, SI-05-01

Periodic Dynamic Threat Assessment

1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy.

2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues.

3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan.

DCF-186

SI-19-00

Data De-identification

1. Link to Data Classification Policy

2. Link to Data Protection Policy

DCF-187

CM-06-00, CM-09-00, SA-10-00, SI-04-22

Configuration Management Plan

1. Completed Appendix A within the Change Management Policy

DCF-188

SI-05-01

Communication with Security and Privacy Organizations

1. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security/privacy issues.

2. Screenshots showing that members of your organization responsible for security or privacy belong to industry groups related to security or privacy.

DCF-189

AC-06-09, AU-06-00, AU-06-01, SI-04-00, PM-14-00

Activity Review

1. For this control, your organization will have to define a frequency for each of the three covered activities. This could be weekly, monthly, quarterly, it will depend on the size of your organization and what makes sense for each of the three areas:

2. Audit log reviews - A ticket from the ticketing system documenting which audit logs were reviewed, who reviewed them, and when the review was completed.

3. Security Incident Tracking Reports - A ticket documenting the review of incident reports including who completed the review and when the review was completed. Or meeting minutes demonstrating that incident reports were reviewed including who attended the meeting and the date.

4. Ticket documenting which system activity logs were reviewed, who reviewed these activity reports, and when the review was completed.

DCF-190

CA-06-00, CM-03-04

Designated Security Officials

1. Can be outlined under the Roles and Responsibilities section of your Information Security Policy, OR

2. Job description of designated Security Official(s) outlining their responsibility for overseeing the organizations’ compliance with the security rule.

DCF-201

CM-04-02

Firewall and Router Configuration Standards

1. Formal, documented testing and approval procedures for network connections.

2. Formal documented testing and approval procedures for changes to firewall and router configurations.

3. Example documentation supporting a network connection was tested and approved.

4. Example documentation supporting a recent firewall or router change was tested and approved. .

DCF-204

AC-04-00

Dataflow Diagram

1. Formal Data Flow Diagram including the date the diagram was finalized.

DCF-206

SC-07-00

Firewall Configuration

1. Formal, documented firewall and router configuration standards.

2. Screenshots of firewall configurations showing that firewalls are configured in a manner consistent with the Firewall and Router configuration standards.

DCF-208

AC-06-03

Network Management Roles and Responsibilities

1. Skills Matrix or Formal job description including roles and responsibilities for the Network Administrator or similar position.

2. Documented firewall and router configuration standards showing that roles and responsibilities for firewall/router management are identified.

DCF-209

CM-07-00, CM-07-01, SA-04-09

Services, Protocols, and Ports Approval List

1. Firewall and router configuration standards which document a list of approved Services, Protocols, and Ports authorized for use within the environment including approval and justification for each item listed.

DCF-210

CM-07-00, CM-07-01

Insecure Services, Protocols, and Ports List

1. Firewall and router configuration standard which documents a list of any insecure Services, Protocols, and Ports used within the environment and controls/security features implemented to mitigate these weaknesses.

2. If Insecure Services, Protocols, or Ports must be used, screenshots showing that documented security features/compensating controls have been implemented for each insecure Service, Protocol, and Port.

DCF-214

CM-07-00, SC-05-00

Network Traffic Denial

1. Screenshots showing the presence of deny any any rule as the final rule within Firewall or Router rule sets.

2. (Alternate) If Firewall or Router brands do not display this, documentation from the Firewall/Router vendor documenting that this is implicit.

DCF-218

CM-07-00, SC-07-00, SC-07-21

DMZ Implemented

1. Network diagram showing that a DMZ has been implemented.

2. Firewall and Router configurations showing how the DMZ has been established and that it only allows approved Services, Functions, Ports, and Protocols through.

DCF-224

SC-07-08

Prevention of Private IP Information Disclosure

1. Screenshots of firewall and router configurations showing that private IP information will not be disclosed. Commonly accomplished through the implementation of:

- Network Address Translation (NAT).

- Placing internal servers behind proxies.

- Removal or filtering of route advertisements for private networks that use registered addressing.

- Internal use of RFC1918 address space instead of registered addresses.

DCF-226

AC-20-02

Personal Firewall Installed on Portable Devices

1. If public-facing web applications exist, documented policies and procedures which document a requirement for web application security scans (vulnerability scans), and screenshots showing records of these assessments. Documented processes must include guidance for performing assessments:

- At least annually

- After any changes

- By an organization which specializes in application security

- That, at a minimum, all vulnerabilities contained in DCF-314 through DCF-323 are covered.

- That all vulnerabilities are corrected.

- And that the application is reassessed after vulnerabilities have been corrected.

2. OR screenshots from an automated solution which detects and prevents web-based attacks (web application firewall) is in place/ Screenshots must show that:

- The solution sits in front of the public-facing web applications.

- Is actively running and as up-to-date as applicable to your organization.

- Is generating audit logs.

- Is configured to either block web-based attacks or generate an alert which is immediately investigated.

DCF-227

AC-19-00, AC-20-02

Personal Firewall on Portable Devices Configured Properly

1. Screenshots showing personal firewalls are configured according to the standard.

2. Screenshots showing personal firewalls installed/active on laptops or other portable devices.

3. Screenshots showing that personal firewalls cannot be disabled and that settings cannot be changed by non-administrative personnel.

*NOTE - Mark the control out of scope if devices cannot access the organizational systems outside of the network.

*NOTE - This control covers employee-owned and company-owned devices.

DCF-229

AC-06-05, AC-02-02, AC-02-12

Default Accounts Changed

1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed.

2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled.

DCF-230

AC-02-03, AC-06-05, AC-02-02

Unnecessary Default Accounts Removed/Disabled

1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed.

2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled.

DCF-231

SC-12-01

Changes in Encryption Keys

1. Any policy or procedures documenting a requirement that all default encryption keys must be changed when deploying wireless infrastructure or when someone with knowledge of the encryption keys leave the company.

2. Screenshots showing that vendor supplied encryption keys for wireless networks have been replaced.

DCF-234

AC-19-05, SI-02-00

Updated Firmware on Wireless Devices

1. Wireless device (routers, wireless access points, etc.) hardening procedures.

2. Screenshots showing that firmware on wireless networking devices has been updated.

DCF-236

RA-05-02, RA-07-00

Update Configuration Standards after New Vulnerabilities

1. System hardening procedures.

DCF-237

RA-05-05

System Configuration Standards

1. System hardening procedures which cover the following attributes:

- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts

- Implementing only one primary function per server to prevent functions that require different security levels from coexisting on the same server

- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system

- Implementing additional security features for any required services, protocols or daemons that are considered to be insecure

- Configuring system security parameters to prevent misuse

- Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers

DCF-238

SC-39-00

One Primary Function per Server

1. Screenshots of system configurations for system components in the environment, showing that each component only serves one primary function (For example, web servers, database servers, and DNS should be implemented on separate servers.).

*NOTE - If all your assets are virtualized, then this will be covered in DCF 2391.

DCF-240

AC-18-03

Enable Only Necessary System Function Services

1. Screenshots showing the enabled services being run system components in the environment.

DCF-244

CM-06-00

Common System Security Parameters in Configuration Standards

1. Documented Server configuration standards showing that security parameter settings are contained within the standard.

DCF-247

CM-06-00

Enabled Functions Documented

1. Configuration documentation from system components in the environment showing that enabled functionality is documented including rationale for why the services are enabled.

DCF-250

AC-17-01, AC-18-01

Insecure Remote Login Commands Prevented

1. Screenshots from system components in the environment, showing that insecure remote login commands (such as Telnet) are prevented from connecting to internal systems.

DCF-251

SA-09-00, SA-09-02

Vendor Management Security Policies and Operational Procedures Documented and Accessible

1. Vendor management policy.

2. Operational procedures such as vendor system hardening procedures for system components in the environment.

DCF-266

SC-13-00

Cryptographic Keys Stored Securely

1. Screenshots showing how cryptographic keys are stored securely.

DCF-274

SC-17-00

Secure Key Distribution Procedure

1. Documented procedures for distributing cryptographic keys securely.

DCF-283

CP-09-08

Secure and Encrypted Data Transmission

1. List of all locations where data is transmitted or received over open, public networks.

2. Documented standards which detail the level of security protocols and cryptographic algorithms used to protect potentially sensitive data.

3. Screenshots from the system configurations of the systems receiving this data showing the implementation of these security protocols and encryption algorithms.

DCF-284

SC-17-00

Only Trusted Keys or Certificates Accepted

1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates.

2. Screenshots showing that keys and certificates used in the environment are trusted.

DCF-291

CM-08-03, SI-03-00

Anti-Virus Capability

1. Vendor documentation for all anti-virus software used within the environment.

2. Screenshots from the anti-virus tools in use to verify that the solutions:

- Detects all known types of malicious software.

- Remove all known types of malicious software.

- Protect against all known types of malicious software (Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits)

DCF-292

SI-03-00, SI-08-00, SI-08-02

Periodic Evaluation of Malware Threats

1. For systems not commonly affected by malicious software, job description of the individuals responsible for evaluating new/emerging malware threats.

2. Screenshots of any tools, group memberships, or mailing lists used to assist in this monitoring.

DCF-297

SI-02-00, SI-02-02

Critical Patches Installed

1. Lists of patches provided by the vendor for systems within the environment.

2. Screenshots from systems within the environment showing that critical security patches have been installed.

DCF-300

AC-02-03, AC-02-02

Removal of Account Information before Application Release

1. Documented SDLC policy or procedures which list a requirement to ensure that pre-production (development, test, staging, QA) accounts, user IDs, and/or passwords are removed from the system before being deployed to production.

DCF-303

SC-02-00

Separation of Duties in Test and Production Environments

1. Documented policies and procedures which require a separation of duties between personnel assigned to test regions and prod regions.

2. Screenshots from the access control configurations/lists showing that separate personnel are assigned roles in test and production regions.

DCF-304

AC-02-02

Test Data Removed before System Activation

1. Screenshots from non-production regions showing that live PAN data is not used within non-production regions.

2. Screenshots from non-production systems showing that test accounts are removed.

DCF-312

AT-02-02, AT-03-00

Annual Training for Developer Secure Coding Techniques

1. Screenshots or exported training records showing that developers have received secure coding training, including how to avoid common software vulnerabilities, within the last 12 months.

DCF-318

SI-11-00

Improper Error Handling

1. Documented software development policies and procedures which include processes to protect custom code from Improper Error Handling which include:

2. Techniques which do not leak information through error messages (usually achieved by presenting generic error messages rather than specific error details).

DCF-319

RA-05-02

High Risk Vulnerabilities

1. Documented software development policies and procedures which include processes to protect custom code from all High Risk Vulnerabilities identified during the vulnerability management process.

DCF-324

RA-05-02, SI-02-02

Public-Facing Web Application Vulnerability Assessment

1. If public-facing web applications exist, documented policies and procedures which document a requirement for web application security scans (vulnerability scans), and screenshots showing records of these assessments. Documented processes must include guidance for performing assessments:

- At least annually

- After any changes

- By an organization which specializes in application security

- That, at a minimum, all vulnerabilities contained in DCF-314 through DCF-323 are covered.

- That all vulnerabilities are corrected.

- And that the application is reassessed after vulnerabilities have been corrected.

2. OR screenshots from an automated solution which detects and prevents web-based attacks (web application firewall) is in place/ Screenshots must show that:

- The solution sits in front of the public-facing web applications.

- Is actively running and as up-to-date as applicable to your organization.

- Is generating audit logs.

- Is configured to either block web-based attacks or generate an alert which is immediately investigated.

DCF-326

AC-06-07, SC-02-00, AC-06-01, AC-06-02

System Access Control Policy

1. Documented System Access Control which documents the following:

- Defining access needs and privilege assignments for each role.

- Restricting access to privileged IDs to the least level of privilege necessary to perform job functions.

- Assigning access based on individual personnel’s job classification and function.

- Documenting approval by authorized parties for all access, including listing the specific privileges approved.

DCF-327

AC-06-05, AC-06-07, AC-06-10, SC-02-00, SC-03-00, AC-02-00, AC-06-01, AC-06-02

System Access Roles Defined

1. Documented access needs for each role within the environment which includes:

- System components and data resources required for the job function.

- Level of privilege required for accessing resources (user, administrator, etc.)

DCF-328

AC-06-01, AC-06-02

Documented Approval by Authorized Parties

1. Screenshots of the privileges assigned to an example user ID.

2. A documented example of an approval for the example user ID provided by an authorized party for access which includes the following:

- Evidence that the documented approval exists.

- That approval was provided by an authorized party.

- That the specific privileges assigned to that user match their assigned privileges.

DCF-329

AC-05-00

Access Control System in Place

1. Screenshots from the access control system for all system components.

DCF-330

AC-06-07, AC-06-10, CA-03-06, AC-05-00, AC-06-01, AC-06-02

Role-Based Access Control System

2. Screenshots showing how the access control system(s) are configured to enforce privilege assignments to individuals based on job classification and function.

DCF-334

AC-06-07, AC-06-10, RA-05-05, AC-06-01, AC-06-02

Privileged and General User ID Authorization

1. Documented policies and procedures for Identity Management which include processes for controlling the addition, deletion, and modification of user IDs, credentials, and other identifier objects.

2. Documented access authorization for an example administrative/privileged user.

3. Screenshots from the example administrative/privileged user showing that the account has only been assigned the approved permissions.

4. Documented access authorization for an example general/non-privileged user.

5. Screenshots from the example general/non-privileged user showing that the account has only been assigned the approved privileges.

DCF-335

AC-02-03, AC-02-05, AC-06-03

Inactive User Accounts Removed

1. Documented policies and procedures for Identity Management which include a requirement to remove or disable user accounts over 90 days old.

2. System user access lists showing that no account inactive for 90 days or more is still active and/or present on the system.

DCF-336

AC-18-01, AC-02-02

Access Management of Accounts Used by Remote 3rd Parties

1. Documented policies and procedures for Identity Management which have a requirement to disable accounts of third parties (vendors) when not in use and enable these accounts on when needed.

2. Screenshots or system user access lists showing that third party user accounts (vendor accounts) are enabled only when needed and disabled after use.

DCF-337

AC-17-01

Access to Accounts Used by Remote 3rd Parties Monitored

1. Documented policies and procedures for Identity Management which state a requirement to monitor access by third party users (vendors) when they are active within the system.

2. Screenshots showing how these accounts and their associated activities are monitored.

DCF-338

AC-07-00

User ID Lockout After Repeated Access Attempts

1. Documented policies and procedures for Identity Management which document a requirement to lock users out of accounts after no more than six unsuccessful attempts.

2. Screenshots of system configurations which implement the documented account lockout requirements.

DCF-340

IR-01-00

Lockout Duration

1. Documented policies and procedures related to Identity Management which state a requirement that locked out accounts will remain locked out for no less than 30 minutes or until unlocked by an administrator.

2. Screenshots of system configurations showing how this account lockout duration is enforced.

DCF-341

AC-11-00, IA-11-00

Reauthentication of Idle Sessions

1. Documented policies and procedures related to Identity Management which include a requirement to re-authenticate terminals or sessions after 15 minutes of inactivity.

2. Screenshots from system configurations showing how this session inactivity timeout is enforced.

DCF-342

IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02

User Authentication Methods

1. Documented policies and procedures which contain guidance on the authentication methods for non-consumer (employee, third party, contractor, but not customer) and administrator accounts.

2. Screenshots showing the authentication methods used for logging into organizational system components.

DCF-355

AC-17-00

MFA for Remote Network Access

1. Screenshots of the system configurations which enforce multi-factor authentication for all remote access into the internal network.

2. Screenshots of the authentication process showing that MFA is required for remote network access for both a non-administrative and administrative user.

DCF-356

AC-02-00

Authentication Policy Inclusions

1. Screenshots showing where employees can find policies and procedures related to Authentication.

2. Documented policies and procedures related to Authentication which include the following:

- Guidance on selecting strong authentication credentials.

- Guidance for how users should protect their authentication credentials.

- Instructions to not use previously used passwords.

- Instructions stating to change a password if the password is suspected to be compromised.

DCF-359

AC-10-00, AC-12-00, IA-05-02

Authentication Mechanism Use

1. If other authentication mechanisms besides passwords (such as smart cards, physical or digital tokens, etc.) are used, documented policies and procedures related to Authentication which state a requirement:

- Authentication mechanisms are assigned to an individual account and not shared.

- Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.

- Screenshots of system configuration settings and/or physical controls as applicable showing that only the intended account can use the authentication mechanism to gain access.

DCF-363

PE-03-00

Entry Controls in Place

1. For each computer room, data center, and other physical area which contains organizational system components:

- Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

- Screenshots or video showing an administrator’s attempt to log into consoles for systems within the environment showing that these systems are “locked” to prevent unauthorized access.

DCF-364

PE-16-00, PE-06-01, PE-06-04

Physical Access Control to Sensitive Areas

1. Pictures showing that video camera or access control mechanisms (or both) are used to monitor the entry/exit points to sensitive areas.

DCF-365

SR-09-00, PE-06-00

Secure Physical Access Control Mechanisms

1. Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-366

PE-06-00, PE-06-01

Physical Access Control Mechanism Data Review

1. Documented procedures around reviewing data from video cameras and/or access control mechanisms.

DCF-367

PE-06-00

Physical Access Control Mechanism Data Retention

1. Screenshots showing that video camera and/or access control mechanism data is stored for at least three months, unless otherwise restricted by law.

DCF-368

PE-04-00, PE-05-00

Restricted Physical Access to Publicly Accessible Network Jacks

1. Documented procedures which detail how publicly accessible network jacks are restricted (such as disabling access to publicly accessible network jacks unless explicitly authorized).

1. Pictures or videos showing how these procedures have been implemented.

DCF-370

PE-03-01

Onsite Identification Management

1. Documented policies and procedures related to Physical Access which include the following elements for identifying and distinguishing between onsite personnel and visitors:

- Identifying onsite personnel and visitors (such as assigning ID badges).

- Handling changes to access requirements.

- Revoking terminated onsite personnel and expired visitor identification (such as ID badges).

DCF-373

MP-02-00, PE-03-00, PE-03-01

Role-Based Physical Access

1. User access control lists from the physical access control system showing that access is role-based.

2. Termination/offboarding checklist showing that physical access was revoked.

DCF-378

PE-08-00

Visitor Log to Facility and Data Storage Areas

1. Pictures showing that visitor log is in place and used for access to the facility as well as any computer, server, datacenter, or data storage rooms.

DCF-379

PE-08-03, PE-08-00

Visitor Log Inclusions

1. Pictures from the visitor log showing that the following information is captured:

- Visitor’s name

- Firm the visitor represents

- Onsite personnel authorizing access

DCF-380

PE-08-01, PE-08-00

Visitor Log Retention

1. Pictures showing that the visitor’s log is retained for at least 3 months.

DCF-381

MP-02-00, MP-04-00

Media Physically Secured

1. Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).

DCF-382

CP-06-00, CP-06-01, CP-06-02, CP-06-03, CP-07-00, CP-07-01, CP-07-02, CP-07-03, CP-09-02, CP-09-03, CP-09-05, CP-09-08, CP-10-00, CP-10-02, CP-10-04, CP-04-01

Security Review of Media Backup Storage Location

1. Documented review of the security of the backup media storage location from the last 12 months.

DCF-383

MP-05-00

Media Transfer Procedures

1. Documented policies and procedures related to the distribution of media and covers distribution of all types of media distributed to individuals.

DCF-384

PM-05-01, MP-03-00

Media Classification

1. Screenshots and/or pictures showing how media is classified including labels showing data sensitivity.

DCF-385

MP-05-00

Media Transferred Securely

1. Documented procedures related to media transfer which include acceptable methods of information transfer including authorized couriers and the ability to track media transfers.

2. Screenshots or documentation showing how media transfers are logged.

3. Documentation for a recent media transfer showing that tracking information was logged.

DCF-387

MP-04-00

Media Storage and Accessibility

1. Documented policy and procedures related to Media Storage and Accessibility which includes a requirement for periodic inventory of media.

DCF-388

MP-06-01

Media Inventory Logs

1. Documented media inventory logs.

DCF-390

MP-06-00, MP-06-01

Media Destruction

1. Documented policies and procedures related to Media Destruction.

DCF-391

MP-06-00

Periodic Media Destruction Policy

1. Documented policies and procedures related to Media Destruction which includes:

- Hard-copy materials must be crosscut shredded, incarcerated, or pulped such that they cannot be reconstructed.

- Storage containers used for storing media awaiting destruction must be secured.

- Potentially Sensitive data stored on electronic media must be disposed of in such a way that it is unrecoverable such as secure deletion or physical destruction of media in accordance with industry standards.

DCF-406

AU-07-00, AC-02-04, AU-03-01

Audit Trails Enabled and Active

1. Screenshots showing that audit trails are enabled and active for systems within the environment.

DCF-407

AC-02-11

System Access Linked to Users

1. System user access lists from systems in the environment showing that access is linked to individual users.

DCF-409

AC-06-05, SI-04-20

Audit Trail for Root Admin Privilege Access

1. Screenshots of audit log settings showing that all actions taken by root/admin users will be logged.

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-410

AU-03-01

Audit Trail Access

1. Screenshots of audit log settings showing that all access to audit trails/logs is logged.

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-411

AC-02-11, AC-02-12

Invalid Logical Access Attempts

1. Screenshots of audit log settings showing that invalid/failed login attempts are logged.

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-412

AC-02-04

Audit Trail for Identification and Authentication Mechanism Changes

1. Screenshots of audit log settings showing that the use of identification and authentication mechanisms are logged, elevation of privileges are logged, and that changes (addition, modification, or deletion) to accounts with administrator or root privileges are logged.

2. Screenshots of example logs showing that these log settings are functioning correctly.

DCF-413

AU-09-00, CM-05-01

Audit Trail of Changes to Audit Logs

1. Screenshots of audit log settings showing that the initialization of logging and stopping or pausing of logging are logged.

2. Screenshots showing that these log settings are functioning correctly.

DCF-415

AU-03-00

Audit Trail Entries: User Identification

1. Screenshots of an example log showing that user IDs are captured within log entries.

DCF-416

AU-03-00, AU-07-01

Audit Trail Entries: Event Type

1. Screenshots of an example log showing that the type of event which occurred is captured within log entries.

DCF-417

AU-03-00, AU-08-00

Audit Trail Entries: Date and Time

1. Screenshots of an example log showing that a date and time are associated with log entries.

DCF-419

AU-03-00, AU-07-00, AU-07-01

Audit Trail Entries: Origination

1. Screenshots of an example log showing that the source of the event (IP address or similar source) are captured within log entries.

DCF-420

AU-03-00

Audit Trail Entries: Affected Item Name

1. Screenshots of an example log showing that affected item/resource ID or name is captured within log entries.

DCF-421

AU-08-00, AU-12-01

Critical Clock Synchronization and Update

1. Documented procedures for synchronizing time across system components within the environment which includes the following elements:

- Only the designated central time server may receive time signals from the designated external time source.

- Time signals are received in UTC or International Atomic Time.

- When there is more than one central time server, these time servers are configured to peer with one another.

- Systems may only receive synchronization information from designated central time server(s).

DCF-425

AC-02-11

Need-to-Know Access to Time Data

1. System user access lists and time settings showing that time data is restricted to only those users with a business need for access.

DCF-428

AU-09-00

Secured Audit Trails

1. Screenshots from the logging system showing that audit trails are secured so that they cannot be altered.

DCF-429

AU-09-00, AU-09-04

Limited Access to Audit Trails

1. Screenshots from the logging system or system user access lists showing that audit trails can only be accessed by individuals with a business need to access them.

DCF-430

AU-07-00

Audit Trail Files Protected

1. Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation.

DCF-433

SI-07-00

FIM on Logs

1. Screenshots showing that File Integrity Monitoring Software or other change detection software is configured to generate alerts if logs are altered. Screenshots should show:

- System settings

- Which files are monitored

- Logs/Alerts from the FIM or Change Detection Software

DCF-434

CP-02-01, PE-06-00, PE-06-04

Policy for Critical Systems Daily Log Review

1. Documented policy related to Log Review which states that the following items will be reviewed at least daily:

- All security events.

- Logs of all system components that store, process, or transmit potentially sensitive data.

- Logs from all critical system components.

- Logs of all servers and system components that perform security functions.

DCF-440

AU-11-00

Policy for Audit Log Retention

1. Documented policy related to Audit Log Retention.

DCF-442

AU-07-00, AU-06-03

Audit Logs Available for Analysis

1. Documented policy related to Audit Log Retention which states a requirement that at least 3 months of logs must be available at all times for immediate analysis.

2. Screenshots showing that 3 months of logs are immediately available for analysis.

DCF-443

AU-05-00, AU-05-01, AU-05-02, SC-07-18, SI-02-02

Critical Security Control System Failure Detection and Reporting

1. Documented policies and procedures related to detecting and reporting failures in security controls which cover:

- Firewalls

- IDS/IPS

- FIM

- Anti-virus

- Physical access controls

- Logical access controls

- Audit logging mechanisms

- Segmentation controls (if used)

DCF-444

AU-05-00, AU-05-01, AU-05-02, SI-02-02

Critical Security Control System Failure Alert

1. Screenshots showing how alerts are configured for the following systems:

- Firewalls

- IDS/IPS

- FIM

- Anti-virus

- Physical access controls

- Logical access controls

- Audit logging mechanisms

- Segmentation controls (if used)

DCF-445

AU-05-00, AU-05-01, AU-05-02, SC-24-00, SI-02-02

Critical Security Control System Failure Response

1. Documented policies and procedures for responding to the failure of security controls which cover the following items:

- Restoring security functions

- Identifying and documenting the duration (date and time start to end) of the failure

- Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause.

- Identifying and addressing any security issues that arose during the failure.

- Performing a risk assessment to determine whether further actions are required as a result of the security failure.

- Implementing controls to prevent cause of failure from reoccurring.

- Resuming monitoring of security controls.

DCF-446

SI-02-02

Critical Security Control System Failure Documentation

1. Documented records showing that security control failures were documented and that they include the following elements:

- Identification of causes(s) of the failure, including root cause.

- Duration (date and time start to end) of the security failure.

- Details of the remediation required to address the root cause.

DCF-447

AC-06-03, CA-07-04

Policy for Network Access Monitoring Documented and Accessible

1. Documented policies and procedures related to monitoring all access to network resources and potentially sensitive data.

2. Screenshots showing where these policies and procedures are stored and available to employees/contractors.

DCF-448

AC-18-05

Wireless Access Point Detection and Identification

1. Documented policies and procedures related to detecting and identifying authorized and unauthorized wireless access points on at least a quarterly basis.

DCF-449

AC-18-05, CM-08-03, SC-15-00

Unauthorized Wireless Access Points Detected and Identified

1. Documented policies and procedures related to detecting and identifying any unauthorized wireless access points on at least a quarterly basis which includes at least the following devices will be detected:

- WLAN cards inserted into system components

- Portable or mobile devices attached to system components to create a wireless access point

- Wireless devices attached to a network port or network device

DCF-451

AC-17-03, AC-18-05, SI-04-14

Wireless Access Point Automated Monitoring Alerts

1. If automated monitoring is utilized to detect unauthorized wireless access points (for example, Wireless IDS/IPS, NAC, etc.) screenshots of the alerting configuration showing that alerts will be generated and sent to personnel.

DCF-452

AC-17-03

Inventory of Authorized Wireless Access Points

1. Documented inventory of authorized wireless devices including business justification for each wireless access point.

DCF-454

AC-17-03, AC-18-05

Actions Against Unauthorized Wireless Access Points

1. Recent wireless access point identification scan from the past 3 months.

2. Response documentation verifying that any identified unauthorized wireless access points were appropriately responded to according to the Incident Response Plan.

DCF-464

CA-08-00

Penetration Testing Methodology

1. Documentation which defines the methodology used for conducting penetration tests which must include:

- Being based on an industry-accepted penetration testing approach (such as the MITRE attack framework, Cyber Kill Chain, etc.)

- Includes coverage for the entire organizational system perimeter and critical systems.

- Includes testing from both inside and outside the network.

- Includes testing to validate any segmentation and scope reduction controls.

- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in PCI DSS Requirement 6.5.

- Defines network-layer penetration tests to include components that support network functions as well as operating systems.

- Includes review and consideration of threats and vulnerabilities experienced in the past 12 months.

- Specifies retention of penetration testing results and remediation activities.

DCF-465

CA-08-01

External Penetration Testing Scope

1. Scope of Work from the most recent external penetration test which defines:

- That the test will be completed using the approved methodology.

- Will be conducted at least annually.

- Will be conducted after any significant changes to the environment.

- Documented penetration test report from the most recent external penetration test.

DCF-467

CA-08-00

Internal Penetration Testing Scope

1. Scope of Work from the most recent internal penetration test which defines:

- That the test will be completed using the approved methodology.

- Will be conducted at least annually.

- Will be conducted after any significant changes to the environment.

- Documented penetration test report from the most recent internal penetration test.

DCF-478

AU-09-00, CM-03-01, CM-06-00, CM-06-02, SI-07-00, CA-07-04

Change Detection Mechanism in Place

1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.

2. Documented list of files which are monitored by the change detection solution.

DCF-479

SI-07-02, SI-07-07

Change Detection Mechanism Alerts

1. Screenshots of the alerting configuration for the change detection solution, including who is alerted.

2. Screenshots of the change detection system configuration settings showing that critical file comparisons are carried out at least weekly.

DCF-480

SI-07-05, SI-07-07

Change Detection Mechanism Alert Response

1. Documented procedures for responding to alerts generated by the change detection system.

DCF-481

AC-02-04, CA-07-04

Policy for Security Monitoring and Testing Documented and Accessible

1. Documented policies and procedures related to security monitoring and testing.

2. Screenshots showing where these policies and procedures are stored and available to employees/contractors.

DCF-488

AC-12-00, AC-17-00, AC-17-01, SC-10-00

Automatic Disconnect of Inactive Remote-Access

1. Documented policies for acceptable use of critical technologies which states that remote access technologies will be disconnected after a specified period of inactivity.

2. Screenshots of remote access technology configurations showing that remote access sessions will be disconnected after a set period of inactivity.

DCF-489

AC-17-00

3rd Party Remote-Access Usage

1. Documented policies for acceptable use of critical technologies which states that remote access technologies will only be enabled for vendors and business partners when required and deactivated immediately after.

DCF-490

AC-17-00

Employee Remote-Access Usage

1. Documented policies for acceptable use of critical technologies which states a requirement that employees are forbidden from copying, moving, or storing potentially sensitive data onto local hard drives and removable media when accessing data remotely.

DCF-503

AT-01-00, AT-02-00, AT-02-03, AT-03-00, AT-03-05

Multiple Methods for Security Awareness

1. Formally documented Data Handling & Security Awareness Training Program which documents that multiple methods will be used to communicate awareness and educate personnel. Example methods include:

- Posters

- Memos

- Letters

- Web-based Training

- Meetings

- Other types of promotions

DCF-511

IR-04-04, IR-06-03, IR-01-00, IR-04-11, IR-05-00, IR-05-01, IR-06-00, IR-06-01

Incident Response Management

1. Documented Incident Response Plan that addresses the roles, responsibilities, and communication/contact strategies used in the event of a security incident. This should also include a notification of payment brands, at a minimum.

DCF-516

AT-02-02

Security Breach Response Training

1. Documented policies or procedures related to Incident Response or Training which include a requirement to train staff with Incident Response roles on a periodic basis.

DCF-517

CM-08-03, AC-06-01

Security Monitoring System Alerts

1. Documented policies or procedures for Incident Response which cover responding to alerts from security monitoring systems including but not limited to intrusion-detection, intrusion-preventions, firewalls, and file-integrity monitoring systems.

DCF-518

CP-02-01

Incident Response Plan Review and Update

1. Documented Incident Response Plan which includes procedures for incorporating lessons learned and industry developments into the Incident Response Plan.

DCF-526

PM-18-00, SA-08-33, PM-22-00

Scope of Privacy Program

1. Documentation that summarizes the information you’ve collected for DCF-536. Be sure to include Control Activities 1-3.

DCF-527

PM-19-00, PM-22-00

Designated Data Protection Officer

1. Screenshot or documentation that designates a DPO. See Control Activities for additional guidance on the requirements and expectations of the DPO.

DCF-528

PM-22-00

Management of Sensitive Information

1. Data Classification Policy as long as it includes:

- Classification for PII

- Handling procedures for PII

- Any Security Awareness Training materials that include information about handling PII and inform end users how to report security issues.

DCF-529

PT-04-00

Data Subject Consent

1. Documentation that details how consent is obtained from Data Subjects prior to processing their PII.

2. Screenshots of automated consent mechanisms that are built into processes that collect PII, such as a consent checkbox on a marketing webinar registration form.

3. Records of where/how consent was obtained, such as records in the CRM system used by marketing and sales.

DCF-536

PM-21-00, PM-22-00

Record of Processing Activity (ROPA)

1. Completed ROPA documentation that includes the elements described in Control Activities A-G (Please see Appendix A of Drata’s latest Data Protection Policy template for more information on ROPAs).

- Be sure to consider your processing activities across different Personas, such as Marketing and Sales Prospects, Customers, Website Visitors, Employees, etc. It can be helpful to complete a separate ROPA per Persona.

- ROPAs are only required in certain circumstances. The Control Activity Note details which circumstances trigger this requirement.

DCF-537

SC-07-24

Data Processing Agreements in Place

1. DPA templates used when sharing PII with third parties (an example DPA has been included in Appendix A of Drata’s latest Vendor Management Policy Template, for reference).

2. Copies of fully executed contracts with third parties that include DPAs.

DCF-538

RA-08-00

Data Protection Impact Assessment (DPIA)

1. Completed DPIA documentation (see Control Activity 1 for information on what needs to be included in the DPIA)

- DPIAs are only required in certain circumstances. Control Activity 2 details which circumstances trigger this requirement.

- Note that DPIAs must be completed prior to processing PII.

- Depending on the complexity of your personal data processing, it can be helpful to conduct separate DPIAs on separate use cases.

DCF-539

PT-07-00, PT-07-01, PT-07-02

Collection of PII from Special Categories

1. Completed ROPA (see DCF-536 for more information on ROPAs) documentation that includes:

- Whether or not Special Categories of PII are collected (see Control Activity 1 for details on what PII is considered Special Categories).

- Which allowable conditions are used for collection (see Control Activity 2 for details on which allowable conditions are available).

DCF-540

SI-18-04, PM-26-00

Tracking and Response to Data Subject Requests

1. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them.

DCF-557

IA-02-05

Shared Account Management

1. Link your System Access Control Policy to this control

DCF-558

CM-07-00, CM-07-02, CM-07-05, CM-11-00, SC-07-05

Allow-by-Exception Rule for Authorized Applications

Note: Can be marked out of scope if DCF-559 is implemented.

1. Screenshots from an MDM tool or endpoint device configurations showing that software applications are whitelisted (explicitly allowed).

2. Screenshot showing that installation of an application not on the approved whitelist has failed for an example endpoint device.

DCF-559

CM-07-00, CM-07-02, CM-11-00

Deny-by-Exception Rule for Unauthorized Applications

Note: Can be marked out of scope if DCF-558 is implemented.

1. Screenshots from an MDM tool or endpoint device configurations showing that software applications are blacklisted (explicitly denied).

2. Screenshot showing that installation of an application on the approved blacklist has failed for an example endpoint device.

DCF-560

CM-08-03, SI-04-22, CM-02-02

Baselines for Detecting Anomalous Behavior

1. Screenshots from your monitoring system showing that alerts are configured to detect suspicious or anomalous activity.

2. Screenshots showing who gets notified when these alerts trigger.

3. An example alert that was sent either as a test or from one of the alerts triggering.

DCF-565

PM-25-00

Managing Test Information

1. Screenshots showing that test information is used within test environments.

2. Formally documented approvals if Production information has been copied to the test environment.

3. Link your SDLC Policy

DCF-567

CM-06-01, PM-04-00, CM-02-02, CM-03-01, CM-02-03, CM-03-02

Change Management Policy

1. Link your Change Management Policy to the control as evidence. Drata provides a template in your Policy Center.

DCF-568

AT-04-00

Records of Competence

1. Records showing that all personnel listed in the ISMS Skills Matrix have the qualifications listed such as Resumes, LinkedIn Profiles, Copies of Certifications, etc.

DCF-575

MA-01-00, MA-03-02, MA-03-00, MA-02-02, MA-04-03, MA-04-00, MA-05-01

Maintenance Management Policy

1. Link the Maintenance Management Policy to the control as evidence. Drata provides a template in your Policy Center.

DCF-576

SI-01-00, SC-20-00, SC-21-00, SC-22-00

System Information and Integrity Policy

1. Link the System Information and Integrity Policy to the control as evidence. Drata provides a template in your Policy Center.

DCF-577

AC-12-00, AC-06-03, AC-17-04, AC-20-00, PL-02-00, PL-01-00, PM-07-00, PM-08-00

System Security Planning Policy

1. Link the System Security Planning Policy to the control as evidence. Drata provides a template in your Policy Center.

DCF-578

SA-01-00, SA-04-05, SR-05-00, SR-10-00, SR-11-00

System and Services Acquisition Policy

1. Link the System and Services Acquisition Policy to the control as evidence. Drata provides a template in your Policy Center.

DCF-579

AC-02-01, AC-02-00

Automated Access Management System in Place

1. Screenshot of the admin console used to manage system accounts and enforce identification and authentication (e.g. Identity Access Management, Privileged Access Management, and/or Password Manager solutions)

DCF-580

AC-02-13

Disabling High Risk User Accounts

1. Link the System Access Control Policy. Template to create a process for Disabling High Risk User Accounts is covered and outlined in Appendix A

DCF-581

AC-04-04

Encrypted Information Flow Control

1. Screenshots of the rules set on your boundary protection devices that establishes filtering based on packet/header or message information (e.g. Network Access Control system, Intrusion Prevention System, Packet Filtering Firewalls, Content Filtering Gateways, etc.)

DCF-582

AC-07-00

Accounts Unlocked by Admin

1. Screenshot of documented procedure which states that only authorized administrators are allowed to unlock locked accounts

2. Screenshot of Administrative Permissions that shows only administrators have permission to unlock locked accounts

DCF-583

AC-08-00

System Use Notification

1. Screenshot of the notification message or banner that outlines usage conditions prior to logging into the system

(Note: Notification banner is not required if human interface do not exist)

DCF-584

AC-10-00

Limited Concurrent Sessions

1. Link the System Information and Integrity Policy to the control as evidence. This is discussed under the Concurrent Sessions section

DCF-585

AC-14-00

Permitted Actions Without Identification or Authentication

1. List of permissible user actions in the system without having to authenticate (e.g. accessing publicly available company resources, such as the public website, company public knowledge base, etc.)

(Note: Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication. If this is the case, link your System Access Control Policy)

DCF-586

AC-17-04

Remote Access to Security Information and Privileged Commands

1. List or logs of authorized remote execution of privileged commands to security-relevant information

2. Screenshot of Remote Access control configurations

DCF-587

AC-18-04

Wireless Configuration Authorization

1. Screenshot of configuration settings from the network configuration management system that shows the appropriate restrictions to only authorized users

DCF-588

AC-18-05

Wireless Transmission Power Levels Reduced

1. Upload a copy of a wireless signal survey report

DCF-589

AC-20-01

Verified External Systems Controls

1. Link the Data Protection Policy to the control as evidence. This is discussed under the Information Exchange section

DCF-590

AC-21-00

Information Sharing

1. Screenshot of Data Loss Prevention (DLP) system’s configuration and rule set

2. Screenshot of user roles and permissions within the DLP system

DCF-591

AC-22-00

Management of Publicly Accessible Content

1. Document that outlines procedures for receiving proper authorizations prior to content being published publicly (e.g. Review and Approval process via ticketing system or embedded within the document)

DCF-592

AU-03-03

Limit Personally Identifiable Information in Audit Records

1. Link the Data Protection Policy to the control as evidence. This is discussed in the third bullet under the section Log Elements: “Identifiers (as many as available) for the subject..”

2. Screenshot of log management tools’ configuration setting showing rules, filters, and/or regular expressions identifying, masking, or removing Personal Identifiable Information PII elements in the log

3. Screenshot of log management tools or other technologies that shows Personal Identifiable Information (PII) is redacted

DCF-593

AU-06-05, AU-06-06

Correlate Log Records

1. Screenshot of a SIEM tool or company-developed scripts used to correlate and analyze collected audit record information

DCF-594

AU-09-03

Protect Audit Information

1. Evidence of measures to protect integrity of audit tools, such as digital signatures or code signing certificates, either through policy or documentation of procedures

DCF-595

AU-10-00

Non-repudiation Actions

1. Link the Data Protection Policy to the control as evidence. This is discussed in the Logged Activities subsection of the Event Logs section

DCF-596

AU-12-03

Authorized to Modify Logs

1. Link the Data Protection Policy to the control as evidence. This is discussed in the Administrators and Operator Logs subsection of the Event Logs section

DCF-597

CM-02-02

Baseline Configurations

1. Link the Change Management Policy to the control as evidence

2. Screenshot of the Baseline Configuration Files or Templates that defines the desired state of a system

DCF-598

CM-02-03

Previous Baseline Configuration Versions Retained

1. Link the Change Management Policy to the control as evidence.

DCF-599

CM-02-07

High Risk Area System Configuration

1. Documented procedures to secure systems and system components traveling to company-defined high-risk locations

DCF-600

CM-03-01

Automated Configuration Change Management

1. Link the Change Management Policy to the control as evidence

2. Screenshot of the Configuration Management Tool utilized to automate deployment and maintenance of system configurations (e.g. Ansible, Puppet, Chef, etc.)

DCF-601

CM-03-06

Management of Cryptographic Mechanisms

1. Documentation that demonstrates the inclusion of cryptographic mechanisms within the organization’s configuration management process

DCF-602

CP-03-00, PM-13-00, PM-14-00

Role-Based Contingency Training

1. Reviewed, approved, and up-to-date training materials presented to individuals based on their roles and responsibilities

2. Training records showing that all personnel have received training upon hire and at defined intervals

DCF-603

CP-07-04

Alternate Processing Site

1. Link Disaster Recovery Plan and Business Continuity Plan

2. Documentation or records of the configuration settings that should be maintained at the alternate processing site (e.g. power supply, network connectivity, telecommunications, etc.)

DCF-604

CP-10-02

Transaction Recovery Procedures

1. Documented procedures to perform transaction journaling and rollback techniques to recover from transaction failures or errors on identified transaction-based systems

DCF-605

IA-02-12, IA-08-01

PIV Credentials Acceptance

1. Link the System and Services Acquisition Policy to the control as evidence. This is discussed in the Security Controls section

DCF-606

IA-03-00

Device Identification and Authentication

1. Documented procedures to ensure devices are identified and authenticated prior to establishing connection (e.g. network access control, certificate-based authentication, etc.)

DCF-607

IA-04-00

System Identifier Management

1. Documented procedure that defines the personnel involved in selecting, assigning, and authorizing the use of an identifier

2. Screenshot of the tool used to manage assignment of unique identifiers to accounts (e.g. Identity and Access Management (IAM) for individuals, groups, and roles, and Enterprise Asset Management System for devices)

DCF-608

IA-05-01

Management of At-risk Passwords

1. Link the Password Policy to the control as evidence

2. List of commonly used, expected, or compromised passwords (e.g. tools like Thycotic Password Security and Enzoic for Active Directory maintains and regularly updates their list of unsafe passwords)

3. In lieu of a list, Password Managers have built-in security challenge that evaluates password strength (e.g. Keeper Password Manager, LastPass, etc.)

DCF-609

IA-05-02

Public Key Authentication

1. Documented procedures implemented to validate Public Key used for authentication (e.g. mechanisms to check revocation status of certificates used in public key-based authentication)

DCF-610

IA-05-06

Authenticators Protected

1. Documented procedures implemented to protect authenticators (e.g. implemented password requirements, use of MFA, etc.)

DCF-611

IA-06-00

Obscured Authentication Feedback

1. Screenshot of user interface during the authentication process to show authentication feedback is hidden (e.g. password entry fields displaying asterisks or limited visibility feedback)

DCF-612

IA-08-00

Non-organizational User Authentication

1. Link the System Access Control Policy to the control as evidence. This is discussed in the Unique User Identification section

DCF-613

IA-12-03

Identity Evidence Validation and Verification Methods

1. Link the System Access Control Policy to the control as evidence. This is discussed in the Access Establishment and Modification - Role-Based section

DCF-614

MA-02-02

Automated Maintenance Activities

1. Tools that demonstrate the automated means of managing system maintenance, repair, and replacement (e.g. enterprise asset management system, configuration management databases, IT ticketing system, etc.)

DCF-615

MA-03-00, MA-02-00, MA-03-01, MA-03-03

Managed Use of Maintenance Tools

1. Link the Maintenance Management Policy to the control as evidence. Drata provides a template in your Policy Center.

DCF-616

MA-04-00, MA-04-03

Remote Maintenance

1. Records or logs demonstrating proper authorization process for maintenance and diagnostic activities

2. Screenshot showing the use of secure connection during non-local maintenance sessions (e.g. VPN

DCF-617

MA-05-00, MA-05-01

Maintenance Personnel Authorization

1. Link the Maintenance Management Policy to the control as evidence.

DCF-618

MA-06-00

Timely Maintenance Support

1. Link the Maintenance Management Policy to the control as evidence.

DCF-619

MP-06-01, SR-12-00

Media Sanitization

1. Link the Maintenance Management Policy to the control as evidence.

2. Link the Asset Management Policy to the control as evidence.

DCF-620

PM-03-00

Security/Privacy Resource Planning

1. Documentation showing the resources needed to implement the information security and privacy programs for capital planning and investment requests.

DCF-621

MP-06-01

Test Sanitization

1. Link the Asset Management Policy to the control as evidence.

2. Documented procedures for testing media sanitization equipment and procedures.

DCF-622

PE-05-00

Access Control for Output Devices

1. Link the Asset Management Policy to the control as evidence.

2. Link the Physical Security Policy to the control as evidence.

DCF-623

PM-18-00

Privacy Program Plan

1. Provide your company’s Privacy Program Plan.

DCF-624

PM-24-00

Data Integrity Board

1. List of members of the Data Integrity Board.

2. Bios of each member of the Data Integrity Board.

DCF-625

PE-06-01

Monitoring Physical Access

1. Link the Physical Security Policy.

DCF-626

PM-27-00

Privacy Reporting

1. Privacy Program Plan.

2. Provide a sample of one Privacy Report.

3. Documentation showing the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance

DCF-627

PL-04-01

Social Media Rules

1. Documented rules of behavior for restricting social media, social networking sites, and external sites/application use (may be found in the Acceptable Use Policy or Code of Conduct).

DCF-628

PS-02-00

Risk Designation for Roles

1. Documented procedures for assigning, reviewing, and updating position risk designations (e.g documentation showing the level of risk assigned to each position at your organization).

DCF-629

PT-05-02, PT-06-00, PT-06-01, PT-06-02

Privacy Act Statements

1. Documentation detailing organizational processes for including Privacy Act statements on forms that collect information or on separate forms that can be retained by individuals.

DCF-630

PT-07-01

Restricted Use of Social Security Number

1. Documented procedures for identifying, reviewing, and taking action to control the unnecessary use of Social Security numbers.

DCF-631

PT-08-00

Matching Program

1. Documented procedures for processing information for the purpose of conducting a matching program.

2. Evidence of approval from the Data Integrity Board to conduct the matching program.

3. Computer Matching Agreement template (or sample of one computer matching agreement).

4. Screenshot showing a matching notice published in the Federal Register.

DCF-632

RA-03-01

Supply Chain Risk Assessment

1. Link the Vendor Management Policy to the control as evidence.

2. Screenshots from the vendor directory showing that vendors are categorized based on impact /risk.

3. Review documents showing that vendors' SOC2 reports were reviewed (Drata can provide a review template for this).

DCF-633

RA-05-04

Corrective Actions for Discoverable Information

1. Link the Vulnerability Management Policy to the control as evidence.

2. Link the Incident Response Plan to the control as evidence.

DCF-634

SA-02-00

Security and Privacy Resource Planning and Allocation

1. Documented procedures for allocating resources for security and privacy programs.

DCF-635

SA-04-10, IA-08-02

Approved PIV Products

1. Documented procedures for selecting and employing only FIPS 201-approved products.

DCF-636

SA-05-00

System Documentation Maintained

1. Architecture Diagram

2. System description documentation.

DCF-637

SA-15-00

Secure Development Process

1. Link the Software Development Lifecycle Policy to the control as evidence.

DCF-638

SC-02-00

Separation of User and System Management Functions

1. System documentation (including system components and services)

2. Documented procedures for obtaining, protecting, and distributing system documentation.

DCF-639

SC-04-00

Shared System Information Security

1. Link the Data Protection Policy to the control as evidence.

2. Copy of the System Security Plan.

DCF-640

SC-07-03

Limit External Connections

1. Link the System Security Planning Policy to the control as evidence.

2. Formal documented network diagram.

DCF-641

SC-07-08

Proxy Server

1. Formal documented Network Diagram

2. Evidence of mechanisms implementing traffic management through authenticated proxy servers at managed interfaces

DCF-642

SC-07-18

Fail Secure for Boundary Protection Devices

1. Link the Incident Response Plan to the control as evidence.

2. Link the Disaster Recovery Policy to the control as evidence.

3. Link the System Security Planning Policy to the control as evidence.

DCF-643

SC-15-00

Remote Activation of Collaborative Devices Prohibited

1. Screenshot(s) showing the mechanisms in place to prohibit remote activation of collaborative computing devices and applications.

DCF-644

SC-18-00

Mobile Code Management

1. Link the System and Information Integrity Policy as evidence.

DCF-645

SC-23-00

Session Authentication Management

1. Link the Encryption Policy to the control as evidence.

DCF-646

SC-39-00

Separate Execution Domain

1. Formal documented architecture diagram

2. Link the Software Development Lifecycle Policy to the control as evidence.

DCF-647

SI-04-10

System Monitoring Tools

1. Link the Data Protection to the control as evidence.

2. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

DCF-648

SI-04-22

Unauthorized Network Services Monitoring and Alert

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-649

SI-06-00

Security and Privacy Function Verification

1. Link the System and Information Integrity Policy to the control as evidence.

2. Link the System Security Planning Policy to the control as evidence.

DCF-650

SI-07-01

Integrity Checks (System and Software)

1. Link the System and Information Integrity Policy to the control as evidence.

2. Screenshots of FIM software.

3. Examples of FIM detecting changes.

DCF-651

SI-07-05

Integrity Violation Automated Response

1. Link the System and Information Integrity Policy to the control as evidence.

2. Example of FIM detecting changes and automatically sending out an alert notifying the appropriate personnel of the suspicious activity.

DCF-652

SI-07-15

Mechanisms for Code Authentication

1. Link the System and Information Integrity Policy to the control as evidence.

2. Screenshots of the cryptographic mechanisms (such as digital signing using trusted certificates) that are in place to authenticate software prior to installation.

DCF-653

SI-08-00

Spam Protection

1. Link the System and Information Integrity Policy to the control as evidence.

2. Screenshot of mechanism(s) in place to protect against spam.

DCF-654

SI-16-00

System Memory Protection

1. Link the System and Information Integrity Policy to the control as evidence.

2. Screenshot(s) of the mechanisms in place to protect system memory from unauthorized code execution.

DCF-655

SR-09-00

Tamper Protection Procedures

1. Link the System and Information Integrity Policy to the control as evidence.

2. Link the Physical Security Policy to the control as evidence.

DCF-656

SC-20-00

Authoritative Source Information

1. Link the System and Information Integrity Policy to the control as evidence.

2. Screenshot(s) showing the mechanisms supporting and/or implementing secure name/address resolution services.

Did this answer your question?