| Control Family | Control | Description |
|---|---|---|
| Access Control Policy and Procedures | Access Provisioning | The organization implements access enforcement to provision access. |
| Access Control Policy and Procedures | Access Termination | The organization implements policies and procedures regarding the termination of user accounts and personnel. |
| Access Control Policy and Procedures | Identification and Authentication | The organization implements policies and procedures regarding the authentication of users. |
| Access Control Policy and Procedures | Multi-Factor Authentication | The organization implements multi-factor authentication for access to privileged accounts. |
| Access Control Policy and Procedures | Password-Based Authentication | The organization implements policies and procedures regarding the use and configuration of passwords. |
| Access Control Policy and Procedures | Privileged User Accounts | The organization implements policies and procedures that authorize and monitor privileged user accounts. |
| Access Control Policy and Procedures | Remote Access | The organization implements policies and procedures regarding remote access. |
| Access Control Policy and Procedures | Review of User Privileges | The organization periodically reviews and adjusts user access privileges. |
| Access Control Policy and Procedures | Separation of Duties | The organization separates duties and access between pre-production and production systems. |
| Business Continuity and Disaster Recovery | Capacity Planning | The organization performs capacity planning to ensure necessary system function in the event of a disruption. |
| Business Continuity and Disaster Recovery | Contingency Plan | The organization implements a contingency plan to address system recovery in the event of a disruption or breach. |
| Business Continuity and Disaster Recovery | Contingency Plan Testing | The organization periodically tests the effectiveness of the contingency plan. |
| Business Continuity and Disaster Recovery | System Backup | The organization periodically conducts backups of user-level information. |
| Business Continuity and Disaster Recovery | System Backup Test | The organization periodically tests the reliability of data backups. |
| Configuration and Change Management | Authorized / Unauthorized Software | The organization determines policies regarding unauthorized software, including blacklists/allowlists. |
| Configuration and Change Management | Change Management and Software Development Life Cycle | The organization implements policies and procedures to test, validate, and document changes to the system. |
| Configuration and Change Management | Change Management and Software Development Policy and Procedures | The organization develops and shares policies and procedures regarding Change Management and the SDLC. |
| Configuration and Change Management | Configuration Management | The organization implements policies and procedures regarding the management of system configurations. |
| Configuration and Change Management | Software Usage Restrictions | The organization tracks software usage in order to comply with software contracts and copyright law. |
| Contingency Planning | Capacity Planning | The organization performs capacity planning to ensure necessary system function in the event of a disruption. |
| Contingency Planning | Redundant Secondary System | The organization establishes a redundant secondary system to be activated in the event of a system disruption. |
| Contingency Planning | System Backup | The organization periodically conducts backups of user-level information. |
| Contingency Planning | System Backup Test | The organization periodically tests the reliability of data backups. |

