NIST 800-53 (ABBREVIATED)

STANDARD MAPPING

Based on the Texas Cyber Security Framework

Columns: Function | Category | Sub-Category | NIST Sub-Category | Objective | Roadmap Recommendations

Function: Identify (ID)

Category: Privacy & Confidentiality (PC)
Sub-Category -> NIST Sub-Category: PC-1 -> AP-2, PC-2 -> AR-1, PC-3 -> AR-3, PC-4 -> AR-7, PC-5 -> AR-8, PC-6 -> CA-3, PC-7 -> DI-1, PC-8 -> DI-2, PC-9 -> DM-1, PC-10 -> DM-2, PC-11 -> DM-3, PC-12 -> IP-1, PC-13 -> IP-2, PC-14 -> IP-3, PC-15 -> SC-8, PC-16 -> SI-7, PC-17 -> SE-1, PC-18 -> TR-1, PC-19 -> TR-2, PC-20 -> TR-3, PC-21 -> UL-1, PC-22 -> UL-2
Objective: Ensuring the appropriate security of retained information and approved sharing under defined conditions with required safeguards and assurance. Includes the requirements of HIPAA, Texas Business & Commerce Code, and agency-defined privacy policies that include and expand upon regulatory and legal requirements for establishing contractual/legal agreements for appropriate exchange and protection.
Roadmap Recommendations:
1) Ensure the appropriate security of retained information and approved sharing under defined conditions with required safeguards and assurance.

2) Check for appropriate Identity and Access Management (IAM), e.g. onboarding and off-boarding processes and the principle of least privilege.

3) Establish and adhere to a data retention policy.

4) Adhere to the data protection requirements of FERPA, Texas Business & Commerce Code, Texas Education Code and entity-defined privacy policies.

5) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

6) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Data Classification (DC)
Sub-Category -> NIST Sub-Category: DC-1 -> CM-8, DC-2 -> CM-10, DC-3 -> MP-3, DC-4 -> MP-4, DC-5 -> PL-4, DC-6 -> PM-05, DC-7 -> RA-2, DC-8 -> SE-1
Objective: Data classification provides a framework for managing data assets and information resources based on utility to the organization, intrinsic financial value, impact of loss and other associated risks. To apply the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations, data, whether electronic or printed, must be classified. The data owner should consult with the Information Security organization and legal counsel on the classification of data as Restricted, Confidential, Agency-Internal, or Public. Consistent use of data classification reinforces with users the expected level of protection of data assets in accordance with required security policies.
Roadmap Recommendations:
1) Establish a documented Data Classification policy which clearly defines the levels of classification.

2) Data Owners should consult with ITS and legal counsel regarding the classification of information not governed by federal, state or local regulations, including FERPA, Texas Business & Commerce Code and Texas Education Code.

3) Review data and its classification on a regular basis to assure compliance.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Critical Information Asset Inventory (AI)
Sub-Category -> NIST Sub-Category: AI-1 -> CM-8, AI-2 -> CA-3, AI-3 -> CP-2, AI-4 -> PL-8, AI-5 -> RA-2, AI-6 -> PM-5
Objective: Identification and prioritization of all of the organization's information assets according to their criticality to the business, so that protections can be applied commensurate with each asset's importance.
Roadmap Recommendations:
1) Identify and prioritize all of the organization's information assets according to criticality to the business (business impact, measure of risk and ability to implement), including hardware (servers, workstations, laptops, networking infrastructure), software, where sensitive and critical information assets are located (e.g. databases) and which application(s) have access to them.

Category: Enterprise Security Policy, Standards and Guidelines (PS)
Sub-Category -> NIST Sub-Category: PS-1 -> AC-1, PS-2 -> AP-1, PS-3 -> AR-1, PS-4 -> AT-1, PS-5 -> AU-1, PS-6 -> CA-1, PS-7 -> CM-1, PS-8 -> CP-1, PS-10 -> DM-1, PS-11 -> IA-1, PS-12 -> IR-1, PS-13 -> MA-1, PS-14 -> MP-1, PS-15 -> PE-1, PS-16 -> PL-1, PS-17 -> PM-1, PS-18 -> PM-2, PS-19 -> PM-3, PS-20 -> PM-4, PS-21 -> PS-1, PS-22 -> RA-1, PS-23 -> SA-1, PS-24 -> SC-1, PS-25 -> SI-1
Objective: Maintain the organization's security policy framework, standards, and guidelines. Defines the acceptable use policy for agency information resources. Contributes to the definition of enterprise standards and secure configuration standards to ensure alignment to security specifications and risk management requirements. There will be situations where the strict application of an information security standard would significantly impair the functionality of a service. The exception management process provides a method for evaluating the risks associated with non-compliant conditions and tracking the exception until expiration.
Roadmap Recommendations:
1) Ensure the organization's security policy framework and standards, including a violation policy and process, are in place and regularly maintained.

2) Include an Exception Policy to handle exceptions as they arise, including a procedure to track and recertify any exemptions. No exemptions should be permanent.

3) Establish a regularly updated formal acknowledgement process in which users sign off that they have reviewed, acknowledged and will adhere to the policies.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Control Oversight and Safeguard Assurance (OA)
Sub-Category -> NIST Sub-Category: OA-1 -> AU-1, OA-2 -> AU-2, OA-3 -> CA-6, OA-4 -> CA-7, OA-5 -> PM-11
Objective: Catalog the security activities that are required to provide the appropriate security of information and information resources throughout the Enterprise. Evaluate the control activities that have been implemented in terms of maturity, scope/breadth of implementation, effectiveness or associated deficiency to assure required protection levels as specified by security policy, regulatory/legal requirements, compliance mandates, or organizational risk thresholds. Ensure that control activities are performed as required and performed in a manner that is auditable and verifiable. Identify control activities that are not implemented or are not effective at achieving the defined control objectives. Oversee the implementation of required controls to ensure ongoing audit readiness and effective control implementations.
Roadmap Recommendations:
1) Provide the appropriate security of information and information resources throughout the Enterprise.

2) Review the controls and the maturity of the 40 controls provided in the Information Security Plan.

3) Self-evaluate maturity and scope of implementation commensurate with Data Classification.

4) Implement a third-party risk assessment program on a periodic time frame.

5) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

6) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Information Security Risk Management (RM)
Sub-Category -> NIST Sub-Category: RM-1 -> RA-1, RM-2 -> RA-2, RM-3 -> RA-3, RM-4 -> PM-1, RM-5 -> PM-12, RM-6 -> PM-16
Objective: The assessment and evaluation of risk within the information resources and technology to ensure that business operations are capable of delivering programs and services efficiently and effectively within acceptable tolerances of potential negative outcomes.
Roadmap Recommendations:
1) Establish and maintain an Information Risk Management policy and processes.

2) Identify risks related to controls not meeting established due diligence and develop a Road Map for remediation, including budget analysis.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Security Oversight and Governance (OG)
Sub-Category -> NIST Sub-Category: OG-1 -> AR-1, OG-2 -> PM-8, OG-3 -> PM-9, OG-4 -> PM-11, OG-5 -> PM-3, OG-6 -> PM-7, OG-7 -> SA-2
Objective: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Roadmap Recommendations:
1) Establish a Security Oversight and Governance Board (SOGB, including the organization's leadership team) to ensure the enterprise security strategy adheres to enterprise business strategies and overall goals.

2) The SOGB should meet on a regular basis to review the Information Security Program, identified risks, remediation strategies and progress.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Security Compliance and Regulatory Requirements Management (CR)
Sub-Category -> NIST Sub-Category: CR-1 -> AR-6, CR-2 -> CA-7, CR-3 -> IA-7, CR-4 -> AU-11, CR-5 -> RA-2
Objective: Monitor the legislative and industry landscape to ensure security policy is updated in consideration of changes that are pertinent or applicable to the organization. Facilitate any validation audits, assessments or reporting necessary to assure compliance with applicable laws, regulations, or requirements. Includes the HIPAA Privacy Office(r), IRS Safeguard Reviews, and responses to third-party inquiries into the security of the organization.
Roadmap Recommendations:
1) Monitor the legislative landscape to ensure adherence to the requirements of FERPA, State Business & Commerce Code, State Education Code and agency-defined privacy policies.

2) Facilitate any validation audits, assessments or reporting necessary to assure compliance with applicable laws, regulations, or requirements (e.g. filing of the Information Security Plan in even years per SB 1597).

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Cloud Usage and Security (CS)
Sub-Category -> NIST Sub-Category: CS-1 -> AC-20, CS-2 -> SA-9, CS-3 -> SC-4, CS-4 -> CA-2, CS-5 -> CA-7, CS-6 -> CA-8, CS-7 -> RA-3, CS-8 -> RA-5, CS-9 -> SI-2, CS-10 -> SI-4, CS-11 -> SI-5
Objective: The assessment and evaluation of risk with the use of "cloud" technologies, including Software as a Service (SAAS), Platform as a Service (PAAS), and Information as a Service (IAAS), to ensure that business operations are capable of delivering programs and services efficiently and effectively within acceptable tolerances of potential negative outcomes.
Roadmap Recommendations:
1) Assess and evaluate the risk of using "cloud" technologies to ensure that business operations can deliver programs and services efficiently and effectively within acceptable tolerances of potential negative outcomes.

2) Negotiation of acceptable levels of security should be included in the contract negotiation process.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Security Assessment and Authorization / Technology Risk Assessments (AS)
Sub-Category -> NIST Sub-Category: AS-1 -> AP-2, AS-2 -> AR-2, AS-3 -> CA-1, AS-4 -> CA-2, AS-5 -> CA-3, AS-6 -> CA-9, AS-7 -> PM-9, AS-8 -> PM-10, AS-9 -> PM-11, AS-10 -> RA-1, AS-11 -> RA-3, AS-12 -> RA-5, AS-13 -> SI-4
Objective: Evaluate systems and applications in terms of design and architecture in conjunction with existing or available controls to ensure that current and anticipated threats are mitigated within acceptable risk tolerances. Includes an analysis of in-place systems periodically or when significant change occurs, as well as the analysis of the introduction of new technology systems.
Roadmap Recommendations:
1) Evaluate systems and applications in terms of design and architecture in conjunction with existing or available controls to ensure that current and anticipated threats are mitigated within acceptable risk tolerances.

2) Establish a governance-based authorization/acceptance-of-risk review process which includes executive sign-off.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: External Vendors and Third Party Providers (TP)
Sub-Category -> NIST Sub-Category: TP-1 -> AR-3, TP-2 -> CA-3, TP-3 -> SA-9, TP-4 -> AC-20, TP-5 -> UL-2
Objective: Evaluation of third-party providers and external vendors to ensure security requirements are met for information and information resources that will be transmitted, processed, stored, or managed by external entities. Includes contract review as well as the development of service level agreements and requirements.
Roadmap Recommendations:
1) Evaluate third-party providers and external vendors to ensure security requirements are met for information and information resources that will be transmitted, processed, stored, or managed by external entities, commensurate with overall Information Security strategies.

2) In addition to the development of SLA levels, the contract should include information security items considered essential for doing business with the organization (e.g. background checks of third-party employees working with organization data).

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Secure Application Development (AP)
Sub-Category -> NIST Sub-Category: AP-1 -> AR-7, AP-2 -> SA-3, AP-3 -> SA-10, AP-4 -> SA-11, AP-5 -> DM-3
Objective: Ensuring that the code and processes that go into developing applications are as secure as possible. Includes not only the application's processes, but also the processes used in the development of the application.
Roadmap Recommendations:
1) Ensure the coding and processes that go into developing applications are secure, for example through compliance with the OWASP Application Security Verification Standard.

2) If the application is being developed by a third party, ensure secure coding practices are included in the contract, for example compliance with the OWASP Application Security Verification Standard.

3) The organization should have a documented, secure application framework, and employees should be generally aware of and follow the framework.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Beta Testing (BT)
Sub-Category -> NIST Sub-Category: BT-1 -> CA-8, BT-2 -> SI-2, BT-3 -> DM-3, BT-4 -> PM-14
Objective: Validating that projects and systems are secure and vulnerabilities are identified prior to implementation in a production environment. May also be known as End User Acceptance Testing.
Roadmap Recommendations:
1) Beta testing procedures exist and are uniform across the agency, and projects and systems are regularly tested before implementation in a production environment.

2) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

3) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Penetration Testing (PT)
Sub-Category -> NIST Sub-Category: PT-1 -> CA-8, PT-2 -> SI-2, PT-3 -> PM-14, PT-4 -> CA-5
Objective: A simulated attack on a system, performed to evaluate the strengths and weaknesses of the system's security. The attack simulates internal and/or external users and attempts to overcome the system's defenses to obtain unauthorized access.
Roadmap Recommendations:
1) Ensure penetration testing procedures are uniform across the organization and systems are regularly tested.

2) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

3) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Vulnerability Testing (VT)
Sub-Category -> NIST Sub-Category: VT-1 -> RA-5, VT-2 -> SI-2, VT-3 -> PM-14, VT-4 -> CA-5
Objective: Scanning a system for known vulnerabilities, quantifying the vulnerabilities' risk levels based on the system's exposure to them, and preparing risk plans for each vulnerability.
Roadmap Recommendations:
1) Ensure Vulnerability Program procedures are uniform across the organization and systems are regularly tested.

2) Identified vulnerabilities should be prioritized by risk and remediated based on the priority of the risk.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Function: Protect (PR)

Category: Enterprise Architecture, Roadmap & Emerging Technology (RM)
Sub-Category -> NIST Sub-Category: RM-1 -> PL-8, RM-2 -> PM-6, RM-3 -> PM-7, RM-4 -> SA-1, RM-5 -> SA-2, RM-6 -> SC-22, RM-7 -> SI-1, RM-8 -> SI-12, RM-9 -> SA-10, RM-10 -> SA-3
Objective: An enterprise information security architecture that is aligned with Federal, State, Local and agency data security and privacy requirements. The integration of information security requirements and associated security controls into the information security architecture helps to ensure that security considerations are addressed early in the system development life cycle and are directly and explicitly related to mission/business processes. Using a roadmap and emerging technology evaluation process, the Information Security Program will stay abreast of the continued evolution of security solutions, processes, and technology to identify continuous, ongoing ways to deliver technology and information securely.
Roadmap Recommendations:
1) Establish and maintain an information security architecture and roadmap to reach organizational expectation and due diligence levels.

2) Using a roadmap and emerging technology evaluation process, the Information Security Program can stay abreast of the continued evolution of security solutions, processes, and technology to identify continuous, ongoing ways to deliver technology and information securely.

3) Re-evaluate and modify the roadmap on a regular basis.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Secure System Services, Acquisition and Development (AD)
Sub-Category -> NIST Sub-Category: AD-1 -> AR-7, AD-2 -> SA-3, AD-3 -> SA-4, AD-4 -> SA-8, AD-5 -> SA-11, AD-6 -> SA-5
Objective: Ensure that the development and implementation of new systems meet the requirements necessary to assure the security of information and resources.
Roadmap Recommendations:
1) Ensure that the acquisition or development and implementation of new secure system services meet the requirements necessary to assure the security of information and resources, as outlined in the Enterprise Security Architecture Plan.

2) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

3) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Security Awareness and Training (ST)
Sub-Category -> NIST Sub-Category: ST-1 -> AT-1, ST-2 -> AT-2, ST-3 -> AT-3, ST-4 -> AT-4
Objective: Define, prepare, deliver, and facilitate an ongoing awareness campaign utilizing a wide variety of media and delivery mechanisms to effectively and constantly educate the organization on security-related information, threats, and technology risks.
Roadmap Recommendations:
1) Establish a Security Awareness Policy.

2) Define, prepare, deliver, and facilitate an ongoing Security Awareness campaign utilizing a wide variety of media and delivery mechanisms to effectively and constantly educate the organization on security-related information, threats, and technology risks, tailored to the roles performed in the organization (e.g. privileged users (admins, DBAs), executive users, programmers, contractors and end users).

3) Role-based training can consist of whatever information is determined appropriate to perform the job function, delivered as online training, instructor-led training or a simple PowerPoint presentation.

4) Ensure that every employee, contractor, intern and affiliate is aware of the organization's approach and policies for protecting the assets and information within the organization.

5) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

6) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Privacy Awareness and Training (PT)
Sub-Category -> NIST Sub-Category: PT-1 -> AR-5
Objective: Define, prepare, deliver, and facilitate an ongoing awareness campaign utilizing a wide variety of media and delivery mechanisms to effectively and constantly educate the organization on privacy requirements and on information related to privacy risks and protections.
Roadmap Recommendations:
1) Define, prepare, deliver, and facilitate an ongoing Privacy Awareness campaign utilizing a wide variety of media and delivery mechanisms to effectively and constantly educate the organization on security-related information, threats, and technology risks, tailored to the roles performed in the organization (e.g. privileged users (admins, DBAs), executive users, programmers, contractors and end users).

2) Role-based training can consist of whatever information is determined appropriate to perform the job function, delivered as online training, instructor-led training or a simple PowerPoint presentation.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Cryptography (CR)
Sub-Category -> NIST Sub-Category: CR-1 -> SC-12, CR-2 -> SC-13
Objective: Establish the rules and administrative guidelines governing the use of cryptography and key management in order to ensure that data is not disclosed or made inaccessible due to an inability to decrypt.
Roadmap Recommendations:
1) Encrypt mobile laptops, removable media, databases and files which may contain sensitive information as defined by the organizational Data Classification Policy, commensurate with the protection of information from unauthorized access.

2) Implement HTTPS with HTTP Strict Transport Security (HSTS) using TLS 1.2 or higher on all public-facing websites and applications, on locally managed services and, via contract language updates, with third parties.

3) Implement encryption in transit between Internet gateways and application and database servers.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

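As an added example (not part of the framework document or the Texas Cyber Security Framework), the following Python script checks observed endpoint properties against recommendation 2 above: TLS 1.2 or higher negotiated, and a Strict-Transport-Security header present with a usable max-age. The sample observations, the hostnames and the one-year max-age threshold are constructed for the example; the framework only says "HSTS" and "TLS 1.2 or higher", so the max-age threshold is an assumption drawn from common deployment practice.

```python
"""Check web endpoints against the HTTPS + HSTS + TLS 1.2-or-higher recommendation.

Added example; not the framework's own tooling. The inputs are constructed
observations so the script runs offline. In practice the TLS version would
come from the negotiated handshake and the headers from the HTTP response.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_TLS = (1, 2)            # TLS 1.2 or higher, per the recommendation
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold (one year); not from the document


@dataclass
class Observation:
    host: str
    tls_version: Optional[str]                   # e.g. "TLSv1.2"; None if no TLS
    headers: Dict[str, str] = field(default_factory=dict)


def parse_tls_version(name: Optional[str]) -> Optional[Tuple[int, int]]:
    """Map a protocol name such as 'TLSv1.2' or 'TLSv1' to (major, minor).
    Anything that is not a TLS name (SSLv3, None, garbage) returns None and
    is treated by the checker as failing."""
    if not name or not name.startswith("TLSv"):
        return None
    parts = name[4:].split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None
    return (major, minor)


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into a directive dict.
    Directive names are case-insensitive; 'max-age' becomes an int, and a
    malformed max-age is recorded as -1 so the caller can flag it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            try:
                directives[name] = int(val)
            except ValueError:
                directives[name] = -1
        else:
            directives[name] = val if val else True
    return directives


def check_endpoint(obs: Observation) -> List[str]:
    """Return findings for one endpoint; an empty list means it meets the recommendation."""
    findings = []
    ver = parse_tls_version(obs.tls_version)
    if ver is None:
        findings.append(f"{obs.host}: no TLS negotiated or unrecognised protocol {obs.tls_version!r}")
    elif ver < MIN_TLS:
        findings.append(f"{obs.host}: negotiated {obs.tls_version}, below TLS 1.2")

    # Header names are case-insensitive in HTTP, so match them case-insensitively.
    hsts_raw = next((v for k, v in obs.headers.items()
                     if k.lower() == "strict-transport-security"), None)
    if hsts_raw is None:
        findings.append(f"{obs.host}: missing Strict-Transport-Security header")
    else:
        max_age = parse_hsts(hsts_raw).get("max-age")
        if max_age is None or max_age < 0:
            findings.append(f"{obs.host}: HSTS header has no valid max-age")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"{obs.host}: HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample observations; the hosts are hypothetical.
SAMPLE = [
    Observation("portal.example.test", "TLSv1.2",
                {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    Observation("legacy.example.test", "TLSv1",
                {"Strict-Transport-Security": "max-age=300"}),
    Observation("intranet.example.test", None, {}),
]


def run_report(observations=SAMPLE) -> Dict[str, List[str]]:
    """Check every observation and return {host: findings} for hosts with gaps."""
    report = {}
    for obs in observations:
        findings = check_endpoint(obs)
        if findings:
            report[obs.host] = findings
    return report


if __name__ == "__main__":
    for host, findings in run_report().items():
        for line in findings:
            print(line)
```

Run it as-is to see the two non-compliant sample hosts reported; to use it against real data, build Observation records from your scanner or handshake output and pass them to run_report(). The check deliberately treats an unparseable protocol name or a malformed max-age as a failure rather than skipping it, so gaps in input quality surface as findings instead of silently passing.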
Category: Secure Configuration Management (SM)
Sub-Category -> NIST Sub-Category: SM-1 -> CM-1, SM-2 -> CM-2, SM-3 -> CM-3, SM-4 -> CM-5, SM-5 -> CM-5, SM-6 -> CM-6, SM-7 -> CM-7, SM-8 -> CM-8, SM-9 -> CM-9, SM-10 -> CM-10, SM-11 -> CM-11, SM-12 -> SA-10
Objective: Ensure that baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) are established and maintained throughout the respective system development life cycles. Establishes and enforces security configuration settings for information technology products employed in information systems. Ensures all systems are operating under configurations that have been agreed upon according to organizational risk management.
Roadmap Recommendations:
1) Ensure that baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) are established and maintained throughout the respective system development life cycles.

2) Ensure all systems are operating under configurations that have been agreed upon per organizational risk management, and that changes have been documented in the change management process.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Change Management (CM)
Sub-Category -> NIST Sub-Category: CM-1 -> CA-6, CM-2 -> CM-1, CM-3 -> CM-2, CM-4 -> CM-3, CM-5 -> CM-4, CM-6 -> SA-10, CM-7 -> CM-5
Objective: Establishes a set of rules and administrative guidelines to manage changes in a rational and predictable manner. In addition, it provides for the necessary documentation of any changes made so as to reduce any possible negative impact to the users of IR systems. Changes include, but are not limited to, implementation of new functionality, interruption of service, repair of existing functionality, and the removal of existing functionality.
Roadmap Recommendations:
1) Establish a Change Management Policy and processes.

2) Include monitoring and auditing for compliance within the organization, commensurate with the organization's Enterprise Security Architecture.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Contingency Planning (CP)
Sub-Category -> NIST Sub-Category: CP-1 -> CP-1, CP-2 -> CP-2, CP-3 -> CP-3, CP-4 -> CP-4, CP-5 -> CP-6, CP-6 -> CP-7, CP-7 -> CP-8, CP-8 -> CP-9, CP-9 -> CP-10, CP-10 -> IR-8, CP-11 -> PE-17
Objective: Plans for emergency response, backup operations, and post-incident recovery for information systems are established, maintained and effectively implemented to ensure the availability of critical information resources and continuity of operations in emergency situations. Backing up data and applications is a business requirement. It enables the recovery of data and applications in the event of loss or damage (natural disasters, system disk and other system failures, intentional or unintentional human acts, data entry errors, or systems operator errors).
Roadmap Recommendations:
1) Ensure plans for emergency response, backup operations, and post-incident recovery for information systems are established, maintained and effectively implemented to ensure the availability of critical information resources and continuity of operations in emergency situations.

2) Backing up data and applications is a business requirement. Utilize tabletop exercises to test for gaps in the plan and adjust accordingly.

3) Implement a regular testing component to ensure the processes and plans work as anticipated.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Media (MD)
Sub-Category -> NIST Sub-Category: MD-1 -> MP-1, MD-2 -> MP-2, MD-3 -> MP-3, MD-4 -> MP-4, MD-5 -> MP-5, MD-6 -> MP-6, MD-7 -> MP-7, MD-8 -> PM-5
Objective: The protection of digital and non-digital information system media, the assurance that access to information on information system media is limited to authorized users, and the requirement that information system media is sanitized or destroyed before disposal or release for reuse. The requirement that safeguards are in place to restrict access to information system media, which includes both digital media (e.g., systems, diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives and other portable mass storage devices, compact disks, and digital video disks) and non-digital media (e.g., paper, microfilm). This standard applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices) as well as data center systems and servers.
Roadmap Recommendations:
1) Ensure that access to information on information system media is limited to authorized users, and that information system media is sanitized or destroyed before disposal or release for reuse.

2) Ensure safeguards are in place to restrict access to information system media, which includes both digital media (e.g., systems, diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives and other portable mass storage devices, compact disks, and digital video disks) and non-digital media (e.g., paper, microfilm).

3) Include endpoint security protection which can monitor USB devices and alert on unauthorized devices plugged into USB ports, which might be used to extract information.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Physical and Environmental Protection (PP)
Sub-Category -> NIST Sub-Category: PP-1 -> MA-2, PP-2 -> PE-1, PP-3 -> PE-2, PP-4 -> PE-3, PP-5 -> PE-4, PP-6 -> PE-5, PP-7 -> PE-6, PP-8 -> PE-9, PP-9 -> PE-10, PP-10 -> PE-11, PP-11 -> PE-12, PP-12 -> PE-13, PP-13 -> PE-14, PP-14 -> PE-15, PP-15 -> PE-16
Objective: Assure that physical access to information systems, equipment, and the respective operating environments is limited to authorized individuals. Protect the physical locations and support infrastructure for information systems to ensure that supporting utilities are provided for, to limit unplanned disruptions. Protect information systems against environmental hazards and provide appropriate environmental controls in facilities containing information systems.
Roadmap Recommendations:
1) Ensure physical access to information systems, equipment, and the respective operating environments, as well as paper copies of sensitive information, is limited to authorized individuals, using guards or a receptionist and card-reader access doors to areas where sensitive information may be accessible.

2) Keeping infrastructure closets, such as those housing switches, locked is essential.

3) Protect information systems against environmental hazards and provide appropriate environmental controls in facilities containing information systems.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Category: Personnel Security (PS)
Sub-Category -> NIST Sub-Category: PS-1 -> PS-1, PS-2 -> PS-2, PS-3 -> PS-3, PS-4 -> PS-4, PS-5 -> PS-5, PS-6 -> PS-6, PS-7 -> PS-7, PS-8 -> PS-8, PS-9 -> MA-5
Objective: Ensuring that individuals responsible for agency information are identified and their responsibilities are clearly defined. Any individuals occupying positions of responsibility within the agency (including third-party service providers) are trustworthy and meet established security criteria for those positions. Ensuring that information resources are protected during and after personnel actions such as terminations and transfers. Employing formal sanctions for personnel failing to comply with security policies and procedures.
Roadmap Recommendations:
1) Individuals occupying positions of responsibility (including third-party service providers) should be trustworthy and meet established security criteria for those positions, including background checks.

2) Job descriptions and responsibilities should be clearly defined.

3) Establish on-boarding processes which apply the principle of least privilege, giving users the minimal profile needed to perform their assigned jobs.

4) Establish processes for handling internal job transfers to verify that access to the proper resources is applied.

5) Establish off-boarding processes to remove access to all resources and properly remove user IDs.

6) Establish violation and disciplinary action policies to formalize sanctions for personnel failing to comply with documented security policies and established procedures.

7) The organization should have a documented, detailed approach to meeting the objective, and regularly measure its compliance.

8) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

Third-Party Personnel Security (TS)TS-1AC-20Requires all third party providers to comply with all security policies and standards. Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Establishes personnel security requirements including roles and responsibilities with limits on access requirements defined in accordance to least privileged and data minimization methodologies. Monitors providers for compliance.1) Require all third-party providers to comply with all security policies and standards.

2) Establish personnel security requirements, including roles and responsibilities, with limits on access requirements defined in accordance with least privilege and data minimization methodologies.

3) Monitor all providers for compliance.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): TS-2 -> PS-1, TS-3 -> PS-2, TS-4 -> PS-3, TS-5 -> PS-4, TS-6 -> PS-7, TS-7 -> MA-5
Category: System Configuration Hardening & Patch Management (PM)
Sub-Category: PM-1 | NIST Sub-Category: CM-3
Objective: Ensure that systems are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and service disruptions by configuring operating systems and software with appropriate parameters. Includes the removal of default accounts/passwords, disablement of unnecessary protocols/ports/services, and the ongoing distribution and installation of service packs/patches.
Roadmap Recommendations:
1) Establish a patch management program to patch workstations and servers in a timely manner.

2) Configure operating systems and software with the appropriate parameters to prevent unauthorized access or use and to minimize service disruptions.

3) Include the removal or change of default accounts and passwords. Disable unnecessary services, ports and protocols.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): PM-2 -> MA-1, PM-3 -> MA-2
Category: Access Control (AC)
Sub-Category: AC-1 | NIST Sub-Category: AC-2
Objective: Processes used to ensure access to applications, servers, databases, and network devices in the environment is limited to authorized personnel. Access is to be limited to authorized users, processes acting on behalf of authorized users, or authorized devices. Authorized users are further limited to the types of transactions and functions that they are permitted to exercise. Session limits, lockout features for failed login attempts, account expirations and disabling unused accounts are controls that provide access control.
Roadmap Recommendations:
1) Establish processes to ensure access to applications, servers, databases and network devices in the environment is limited to authorized personnel based on least privilege, through documented on-boarding procedures.

2) Establish session limits, lockout after failed login attempts, and automatic screen locking.

3) Establish account expirations and disable unused accounts in a timely manner.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): AC-2 -> AC-3, AC-3 -> AC-4, AC-4 -> AC-5, AC-5 -> AC-6, AC-6 -> AC-7, AC-7 -> AC-8, AC-8 -> AC-11, AC-9 -> AC-12, AC-10 -> AC-14, AC-11 -> AC-17, AC-12 -> AC-18, AC-13 -> AC-19, AC-14 -> AC-20, AC-15 -> AC-21, AC-16 -> AC-22, AC-17 -> IP-2, AC-18 -> CM-5, AC-19 -> MP-2, AC-20 -> AC-1
Category: Account Management (AM)
Sub-Category: AM-1 | NIST Sub-Category: AC-1
Objective: Account Management establishes the standards for the creation, monitoring, control, and removal of accounts. A request process for accounts that includes authorization, approval for access by data owners, and acknowledgement by the user of their responsibilities are controls that assure proper account management. Periodic reviews of access entitlements as well as prompt removal of access during role change or employment termination are also controls that are part of account management.
Roadmap Recommendations:
1) Establish Account Management policies, standards and processes for the creation, monitoring, control, and removal of accounts.

2) The request process for accounts should include authorization, approval for access by data owners, and acknowledgement by the user of their responsibilities; these are the controls that assure proper account management.

3) Also include periodic review of access entitlements and prompt removal of access upon role change or employee termination.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): AM-2 -> AC-2, AM-3 -> IA-1, AM-4 -> IA-2, AM-5 -> IA-4, AM-6 -> IA-5, AM-7 -> IA-7, AM-8 -> IA-8
Category: Security Systems Management (SS)
Sub-Category: SS-1 | NIST Sub-Category: SI-1
Objective: The design, implementation, configuration, administration, maintenance, monitoring, and ongoing support of security systems used to enforce security policy and provide security services. Systems include firewalls, Intrusion Prevention Systems (IPS), Internet Proxy Servers, Security Information and Event Management (SIEM) systems, and other control enforcement or monitoring systems.
Roadmap Recommendations:
1) The design, implementation, configuration, administration, maintenance, monitoring, and ongoing support of security systems should be used to enforce security policy and provide security services. Security systems include firewalls, Intrusion Prevention Systems (IPS), Internet Proxy Servers, Security Information and Event Management (SIEM) systems, and other control enforcement or monitoring systems.

2) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

3) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): SS-2 -> SA-4, SS-3 -> SA-10, SS-4 -> CM-2, SS-5 -> CM-3, SS-6 -> CM-6, SS-7 -> CM-7, SS-8 -> CA-7, SS-9 -> PL-8
Category: Network Access and Perimeter Controls (PC)
Sub-Category: PC-1 | NIST Sub-Category: AC-1
Objective: Network equipment such as servers, workstations, routers, switches and printers should be installed in a manner that prevents unauthorized access while limiting services to only authorized users. A perimeter should be established to delineate internal systems and prevent unauthorized external parties from tampering, attempting access or connecting without approved remote access methods.
Roadmap Recommendations:
1) Establish Identity Access Management (IAM) for on-boarding and off-boarding processes.

2) Establish Identity Access Management (IAM) for remote access (e.g. VPN, Citrix).

3) Establish Identity Access Management (IAM) for Wireless Access.

4) Establish Identity Access Management (IAM) for Firewall rule sets.

5) Establish Identity Access Management (IAM) for Network switch configuration (best practice).

6) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

7) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): PC-2 -> AC-2, PC-3 -> AC-3, PC-4 -> AC-17, PC-5 -> AC-20, PC-6 -> SC-7, PC-7 -> SC-10
Category: Internet Content Filtering (IC)
Sub-Category: IC-1 | NIST Sub-Category: AC-3
Objective: The enforcement of controls used to block access to Internet websites based upon categories of content, application types and granular application functions, time of day or amount of utilization, or the dynamically updated reputation of the destination.
Bandwidth Preservation – The Local Area Network (LAN) and Wide Area Network (WAN) resources within the Agency locations are limited and heavily utilized for conducting business. The Bandwidth Preservation aspect of Internet Content Filtering is designed to remove unnecessary bandwidth usage from the network by blocking access to sites that are not business related and consume excessive bandwidth.
Inappropriate Content – The Internet contains content that is inappropriate in nature and unacceptable for access in the workplace. The Inappropriate Content service within the Internet Content Filtering function is intended to support the Management and Human Resources policies to provide a non-threatening, non-offensive workplace environment. Additionally, the Inappropriate Content service provides management and monitoring tools for the enforcement of waste and abuse of state resources.
Malware and Cyber-Threat Prevention – Internet content is often used to propagate malware and cyber-threats. Even the most popular Internet sites have become infected and used to spread malicious code. The Malware and Cyber-Threat Prevention aspect of Internet Content Filtering is designed to prevent the infection and spread of malware through Internet content.
Roadmap Recommendations:
1) Establish Information Security Policies to provide a non-threatening, non-offensive workplace environment.

2) Utilize the Internet Content Filtering function to support the Information Security policies that provide a non-threatening, non-offensive workplace environment.

3) Utilize the Internet Content Filtering function to prevent the infection and spread of malware throughout the infrastructure and endpoint devices.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): IC-2 -> SC-22, IC-3 -> SC-7, IC-4 -> CM-7, IC-5 -> SC-39, IC-6 -> AC-17, IC-7 -> SC-20, IC-8 -> SC-21, IC-9 -> CP-8, IC-10 -> AC-18
Category: Data Loss Prevention (DL)
Sub-Category: DL-1 | NIST Sub-Category: AU-11
Objective: Solution designed to detect and prevent potential data breach incidents where sensitive information may be disclosed to unauthorized personnel through malicious intent or inadvertent mistake. Detection of data at risk can be performed while in use at the endpoint, while in motion during transmission across the network, and while at rest on data storage devices.
Roadmap Recommendations:
1) Data Loss Prevention (DLP) should be implemented to monitor and detect sensitive information at risk while in use at the endpoint, while in motion during transmission across the network, and while at rest on data storage devices.

2) Implementing DLP will help detect unauthorized access or exposure, internally and externally, during an exfiltration attempt.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): DL-2 -> SC-7, DL-3 -> SC-8, DL-4 -> SC-12, DL-5 -> SC-13, DL-6 -> IR-5, DL-7 -> SI-4, DL-8 -> SI-6, DL-9 -> PS-3, DL-10 -> AC-5
Category: Spam Filtering (SF)
Sub-Category: SF-1 | NIST Sub-Category: SI-8
Objective: As digital messaging (e-mail, cellular messaging, etc.) has become an integral part of the business process, its abuse has also grown. This abuse often is manifested as “SPAM” or “junk” messaging which has the potential to, beyond its annoying nature, slow down and/or clog the infrastructure required to process electronic messages. In addition, “SPAM” is often used as a transmission vehicle in the migration of malicious code infections. To limit the effects of “SPAM”, messages will be examined for content and filtered as required.
Roadmap Recommendations:
1) “SPAM” or “junk” messaging has the potential, beyond its annoying nature, to slow down and/or clog the infrastructure required to process electronic messages. “SPAM” is often used as a transmission vehicle in the migration of malicious code infections. To minimize the effects of “SPAM”, messages should be examined for content and filtered as required.

2) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

3) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Category: Identification & Authentication (IA)
Sub-Category: IA-1 | NIST Sub-Category: AC-1
Objective: The verification of the claimed identity of users, processes, or devices as a prerequisite to permitting access. Verification can be performed by accepting a password, a Personal Identification Number (PIN), smart card, biometric, token, exchange of cryptographic keys, etc. Passwords are the most common authentication factor used in the identification process for users. Password standards establish the rules for the creation, length and complexity requirements, distribution, retention and periodic change as well as suspension or expiration of authenticators.
Roadmap Recommendations:
1) Establish an Account Management or Identity and Access Management (IAM) Policy for verification of the claimed identity of users, processes, or devices as a prerequisite to permitting access.

2) Establish a Password Policy covering verification by password, Personal Identification Number (PIN), smart card, biometric, token, exchange of cryptographic keys, etc.

3) Consider implementing multi-factor authentication (MFA) to reduce the threat of compromised account information.

4) Passwords are the most common authentication factor used in the identification process for users.

5) Password standards establish the rules for the creation, length and complexity requirements, distribution, retention and periodic change as well as suspension or expiration of authenticators.

6) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

7) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): IA-2 -> AC-2, IA-3 -> IA-1, IA-4 -> IA-2, IA-5 -> IA-3, IA-6 -> IA-4, IA-7 -> IA-5, IA-8 -> IA-6, IA-9 -> IA-7, IA-10 -> IA-8
Category: Portable & Remote Computing (RC)
Sub-Category: RC-1 | NIST Sub-Category: AC-17
Objective: Computing is no longer limited to traditional workstations. Mobile computing has introduced tablets, smartphones, handhelds and other computing devices designed to be portable and facilitate productivity for remote users. Traditional controls still apply in many areas, but additional considerations must be made for portable devices, and the specific configuration and enforcement of controls will likely require special consideration.
Roadmap Recommendations:
1) Establish a Portable or Mobile Computing Policy to address this rapidly changing environment. Portable or mobile computing has introduced tablets, smartphones, handhelds and other computing devices designed to be portable and facilitate productivity for remote users.

2) Traditional controls still apply in many areas, but additional considerations must be made for portable devices and the specific configuration and enforcement of controls will likely require special consideration.

3) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

4) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): RC-2 -> AC-18, RC-3 -> CP-8, RC-4 -> SC-7, RC-5 -> SC-20, RC-6 -> SC-21, RC-7 -> SC-22, RC-8 -> SC-39, RC-9 -> SC-18
Category: System Communications Protection (CO)
Sub-Category: CO-1 | NIST Sub-Category: PM-15
Objective: The control, monitoring, management and protection of communications and transmissions between information systems. Includes network architecture considerations, inventory of confidential and restricted data transmissions, permitted inbound and outbound Internet communications, permitted inbound and outbound extranet and intranet communications, as well as communications between agencies. Establishes the requirements for protections such as link encryption, secure file transmission protocols, retention of files on source and destination systems, integrity validation, and restrictions for access at all levels (i.e. user/process, system, and network).
Roadmap Recommendations:
1) Application architecture should document how the application communicates with end users, servers and databases, and the transmissions between information systems.

2) The control, monitoring, management and protection of communications and transmissions between information systems should include network architecture considerations, inventory of confidential and restricted data transmissions, permitted inbound and outbound Internet communications, permitted inbound and outbound extranet and intranet communications, as well as communications between approved external entities.

3) Establish the requirements for protections such as link encryption, secure file transmission protocols, retention of files on source and destination systems, integrity validation, and restrictions for access at all levels (i.e. user/process, system, and network).

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.

6) Implement HTTPS with HTTP Strict Transport Security (HSTS) using TLS 1.2 or higher on all public-facing websites and applications, both on locally managed services and with third parties via contract language updates.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): CO-2 -> SC-1, CO-3 -> SC-2, CO-4 -> SC-4, CO-5 -> SC-5, CO-6 -> SC-8, CO-7 -> SC-21, CO-8 -> SC-10, CO-9 -> SC-12, CO-10 -> SC-13, CO-11 -> SC-15, CO-12 -> SC-17, CO-13 -> SC-18, CO-14 -> SC-19, CO-15 -> SC-20, CO-16 -> SC-22, CO-17 -> SC-23, CO-18 -> SC-39, CO-19 -> SI-5
Category: System Currency (SC)
Sub-Category: SC-1 | NIST Sub-Category: SA-3
Objective: Ensures that the necessary knowledge, skills, hardware, software, and supporting infrastructure are available at a reasonable cost to support information systems operations. Includes the monitoring and planning of future system developments that enable the organization to leverage modern technology and reduce technical debt.
Roadmap Recommendations:
1) Ensure that documented information systems currency policies and a modernization roadmap exist and are developed with appropriate stakeholder input.

2) Ensure standards exist for maintaining the organizationally defined level of currency.

3) Exceptions to currency should be documented, and a roadmap or plan to modernize outdated components should be documented and adhered to.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): SC-2 -> CA-6, SC-3 -> MA-6, SC-4 -> PL-1, SC-5 -> PL-2, SC-6 -> SA-22
Function: Detect (DE)

Category: Vulnerability Assessment (VA)
Sub-Category: VA-1 | NIST Sub-Category: RA-5
Objective: Assessment and monitoring of vulnerability detection and remediation including patch management processes, configuration management, and system, database and application security vulnerabilities. Test and evaluate security controls and security defenses to ensure that required security posture levels are met. Perform and/or facilitate ongoing and periodic penetration testing of security defenses. Evaluate results of various penetration tests to provide risk-based prioritization of mitigation.
Roadmap Recommendations:
1) Establish a documented vulnerability assessment management program.

2) The vulnerability assessment management program should include regular assessments and monitoring of vulnerability detection and remediation including patch management processes, configuration management, system, database and application security vulnerabilities.

3) Test and evaluate security controls and security defenses to ensure that required security posture levels are met.

4) Establish a tracking process to measure the effectiveness of the program.

5) Perform and/or facilitate ongoing and periodic penetration testing of security defenses.

6) Evaluate results of various penetration tests to provide risk based prioritization of mitigation.

7) Re-test to validate the mitigation worked as anticipated.

8) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

9) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): VA-2 -> SI-5, VA-3 -> SI-2
Category: Malware Protection (MP)
Sub-Category: MP-1 | NIST Sub-Category: SI-3
Objective: The prevention, detection and cleanup of Malicious Code (including virus, worm, Trojan, Spyware and other similar variants). Protection is accomplished at varying layers including at the host, at the network, or at the gateway perimeter. Protection mechanisms must be updated periodically and frequently to address evolving threats and monitored to provide manual intervention where required.
Roadmap Recommendations:
1) Establish a Malicious Code Policy to reflect the management intent to prevent, detect, protect against and clean up malicious code in your environment.

2) Protection is accomplished at varying layers including at the host, at the network, and/or at the gateway perimeter.

3) Protection mechanisms must be updated periodically and frequently to address evolving threats and monitored to provide manual intervention where required.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Category: Security Monitoring and Event Analysis (MA)
Sub-Category: MA-1 | NIST Sub-Category: SI-4
Objective: Analysis of security events and alerts as detected by the array of security enforcement devices and log collection facilities implemented throughout the Enterprise environment. System level events include server operating system security and system logs. Application level events include web application logs, application access logs, and other application associated log events. Security monitoring and analysis includes alert configuration and generation, event correlation as well as defining and distributing periodic reports and event statistical analysis. Also includes analysis of events from the Internet content filtering system, SPAM prevention system, email encryption system, and other security control devices to ensure appropriate protections of information and information resources. Security Monitoring and Event Analysis can include advanced functionality used to detect fraud within program areas and ensure client identity protection by collecting and analyzing data access correlated with system events information. This function is limited only by the data sources that are compiled and the resources devoted to the data analysis.
Roadmap Recommendations:
1) Establish a Security Monitoring and Event Analysis (SIEMS) program to include advanced functionality used to detect fraud within program areas and ensure client identity protection by collecting and analyzing data access correlated with system events information. This function is limited only by the data sources and the resources devoted to the data analysis.

2) Analyze security events and alerts as detected by the array of security enforcement devices and log collection facilities implemented throughout the Enterprise environment. System level events include server operating system security and system logs.

3) Include web application logs, application access logs, and other application associated log events where feasible, constrained only by available resources.

4) Also, include analysis of events from the Internet content filtering system, SPAM prevention system, email encryption system, and other security control devices to ensure appropriate protections of information and information resources where feasible.

5) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

6) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): MA-2 -> SI-5, MA-3 -> SI-7, MA-4 -> PM-14, MA-5 -> SI-11, MA-6 -> CA-7, MA-7 -> SC-5, MA-8 -> SC-7
Category: Audit Logging (AL)
Sub-Category: AL-1 | NIST Sub-Category: AU-1
Objective: Ensures that the necessary knowledge, skills, hardware, software, and supporting infrastructure are available at a reasonable cost to support information systems operations. Includes the monitoring and planning of future system developments that enable the organization to leverage modern technology and reduce technical debt.
Roadmap Recommendations:
1) Establish documented logging policies and standards which are enforced throughout the organization.

2) Ensure logs are stored for the appropriate retention periods and periodically checked for accuracy and adherence to defined policies.

3) Verify there are sufficient controls in place to provide auditable evidence for system transactions and that key records are available for a sufficient amount of time.

4) Establish and document responsibility for notifying and escalating incidents to appropriate personnel and coordinating activities to ensure timely isolation and containment, impact analysis, and any resulting remediation / resolution requirements.

5) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

6) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): AL-2 -> AU-2, AL-3 -> AU-3, AL-4 -> AU-4, AL-5 -> AU-5, AL-6 -> AU-6, AL-7 -> AU-7, AL-8 -> AU-8, AL-9 -> AL-9, AL-10 -> AU-11, AL-11 -> AU-12
Function: Respond (RS)

Category: Cyber Security Incident Response (SI)
Sub-Category: SI-1 | NIST Sub-Category: IR-1
Objective: Establishes an operational incident handling capability for information systems that includes adequate preparation, detection, analysis, containment, recovery, and response activities. The Incident Response program is used to track, document, and report incidents to appropriate officials and/or authorities.
Roadmap Recommendations:
1) Establish an Incident Response policy and program with a handling capability for information systems that includes adequate preparation, detection, analysis, containment, recovery, and response activities.

2) The Incident Response program is used to track, document, and report incidents to appropriate officials and/or authorities.

3) Consider including Texas Department of Information Resources’ (DIR) Incident Response Team Redbook.

4) The Incident Response program should also include the ability to implement changes in protection processes to take advantage of lessons learned from your experiences.

5) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

6) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): SI-2 -> IR-2, SI-3 -> IR-3, SI-4 -> IR-4, SI-5 -> IR-5, SI-6 -> IR-6, SI-7 -> IR-7, SI-8 -> IR-8, SI-9 -> CP-1, SI-10 -> CP-2, SI-11 -> CP-9, SI-12 -> CP-10
Category: Privacy Incident Response (PI)
Sub-Category: PI-1 | NIST Sub-Category: SE-1
Objective: Management of events, issues, inquiries, and incidents when detected or reported, to include all phases from investigation through resolution. Responsible for notifying and escalating incidents to appropriate personnel and coordinating activities to ensure timely isolation and containment, impact analysis, and any resulting remediation / resolution requirements. Incidents include but may not be limited to privacy breach, loss, theft, unauthorized access, malware infections, and occurrences of negligence, human error, or malicious acts.
Roadmap Recommendations:
1) Privacy Incident Response includes the management of events, issues, inquiries, and incidents when detected or reported, to include all phases from investigation through resolution.

2) Incidents include but may not be limited to privacy breach, loss, theft, unauthorized access, malware infections, and occurrences of negligence, human error, or malicious acts.

3) Establish and document responsibility for notifying and escalating incidents to appropriate personnel and coordinating activities to ensure timely isolation and containment, impact analysis, and any resulting remediation / resolution requirements.

4) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

5) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): PI-2 -> SE-2, PI-3 -> IP-4
Function: Recover (RC)

Category: Disaster Recovery Procedures (DR)
Sub-Category: DR-1 | NIST Sub-Category: CP-2
Objective: Managing the recovery of data and applications in the event of loss or damage (natural disasters, system disk and other systems failures, intentional or unintentional human acts, data entry errors, or systems operator errors).
Roadmap Recommendations:
1) Establish a Backup and Disaster Recovery policy and program to maximize your efforts to protect your resources during a disaster, using an identification and prioritization of all the organization's information assets so that they are ranked by criticality to the business.

2) Managing the recovery of data and applications in the event of loss or damage (natural disasters, system disk and other systems failures, intentional or unintentional human acts, data entry errors, or systems operator errors).

3) Regularly perform tabletop and disaster recovery exercises to determine the gaps in your documented process and provide assurances that your resources can be restored in a timely manner as they are prioritized per criticality to the business.

4) Perform regular backup restoration testing to validate backups and restoration process.

5) The organization should have a documented, detailed approach to meeting the objective, and regularly measures its compliance.

6) The organization should evaluate risk and integrate improvements beyond the requirements of applicable regulations on a regular basis.
Additional Sub-Category mappings (Sub-Category -> NIST Sub-Category): DR-2 -> CP-9, DR-3 -> CP-10, DR-4 -> IR-4, DR-5 -> IR-8