Risk Assessment
Rate each risk with Probability and Impact. Use the sliders to capture your current view; add context later if needed.
Organization
Company Name
Primary Contact
Contact Email
Date
1. Technical Risks
1. Malware (viruses, worms, Trojans, spyware, ransomware)
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls
Select a control...
ISC-0001 - Antivirus / Endpoint Detection and Response Protection
ISC-0002 - Managed Detection and Response (MDR) partnership
ISC-0003 - Perimeter / edge protection devices
ISC-0004 - Webhost commitment to contract terms and conditions
ISC-0005 - Platform / application commitment to contract terms and conditions
ISC-0006 - Encryption of data in use, in transit and at rest
ISC-0007 - Mandatory monthly end user security training with documented disciplinary actions for late or incomplete training. New hire security orientation and Corporate Intranet-based security guidelines.
ISC-0008 - DNS Filtering (risky website mitigation)
ISC-0009 - RBAC (Role-Based Access Control)
ISC-0010 - USB drive blocking
ISC-0011 - Rogue device management
ISC-0012 - Mobile Device Management (MDM) system
ISC-0013 - Consolidated dashboard control of network edge devices
ISC-0014 - Network Access Control (NAC)
ISC-0015 - IT Operations team segregated use of regular vs elevated privilege accounts
ISC-0016 - IT Services Technology Disposal Policy
ISC-0017 - Application of security updates for internal core infrastructure
ISC-0018 - Secured Directory Services
ISC-0019 - Multifactor authentication (MFA) requirement for data access
ISC-0020 - Secure data transmissions utilizing SSL/TLS certificates
ISC-0021 - Periodic audit of privileged access accounts
ISC-0022 - Azure Privileged Identity Management (PIM)
ISC-0023 - Tabletop exercises (to be developed)
ISC-0024 - Integrated Federated Identity services
ISC-0025 - OS and application level security patches and updates
ISC-0026 - External vulnerability scans
ISC-0027 - Periodic review of firewall rules and policies
ISC-0028 - Application of security updates for firewall devices
ISC-0029 - Secure firewall rules, policies, traffic logs
ISC-0030 - Virtual Local Area Networks (VLANs)
ISC-0031 - Complex password policy requirements
ISC-0032 - Periodic review of remote access user accounts
ISC-0033 - Multifactor authentication (MFA) requirement for remote access connectivity
ISC-0034 - Zero Trust Architecture (ZTA)
ISC-0035 - Segmentation between corporate and guest networks
ISC-0036 - Cloud Provider Security Validation (including annual confirmation)
ISC-0037 - Conditional Access Policies
ISC-0038 - Prox card controlled access to all data centers
ISC-0039 - Video surveillance of data centers
ISC-0040 - Systematic enforcement of screensaver activation
ISC-0041 - Video surveillance system - office areas
ISC-0042 - Privacy screens for frequent travelers
ISC-0043 - Advanced email security tools for detection and analysis of malware and phishing
ISC-0044 - Annual security audit by parent company
ISC-0045 - Annual security audits by external firms
ISC-0046 - Business Continuity and Disaster Recovery Plan
ISC-0047 - Cyber insurance (maintained by parent company)
ISC-0048 - Email retention policies
ISC-0049 - Email archive policies
ISC-0050 - Annual security training requirements for SecOps team
ISC-0051 - Use of third-party companies for agnostic security vendor referrals
ISC-0052 - Continuous simulated phishing tests (all employees) with structured disciplinary policy for test failures
ISC-0053 - Disaster Recovery as a Service (DRaaS)
ISC-0054 - Disaster Recovery (DR) Runbooks (to be developed)
ISC-0055 - Incident response (IR) call tree
ISC-0056 - Employee education on Incident Reporting (new hire orientation, Corporate Intranet and ongoing training)
ISC-0057 - Corporate AI use policy with systematic enforcements
ISC-0058 - Incident Response Playbooks
ISC-0059 - Required organizational security roles and responsibilities identified and managed
ISC-0060 - Immutable Backup System
ISC-0061 - Device / asset monitoring and management
ISC-0062 - Prox card controlled access to all general work areas/suites
ISC-0063 - Core network design with no single point of failure
ISC-0064 - Annual and multi-year cybersecurity strategy
ISC-0065 - Annual approved budget that includes components of planned cybersecurity strategy
ISC-0066 - Relationships with FBI, Secret Service, local police and telecommunication providers
ISC-0067 - Professional security membership affiliations with groups such as ISACA, InfraGard, ISSA and LKITP
ISC-0068 - Threat intelligence briefings such as InfraGard/FBI posts, CISA updates, security conferences and other security feeds
ISC-0069 - Suppliers and Application Owners and Criticality Register (Form 0706)
ISC-0070 - Midrex Teammate Handbook, Midrex legal advisories
ISC-0071 - Terminated employee offboarding process
ISC-0072 - Guidelines and systematic enforcement of data sharing restrictions
ISC-0073 - Use of named accounts (no shared or anonymous account access)
ISC-0074 - Secure file sharing channels and systems
ISC-0075 - Secure vault systems for storage of private keys, secrets and passwords
ISC-0076 - Single Sign On (SSO) technologies
ISC-0077 - Formalized onboarding process for all new Midrex user accounts including contractors
ISC-0078 - Historical documentation of past incident investigations
ISC-0079 - Compliance control settings
ISC-0080 - Data loss prevention (DLP) technologies
ISC-0081 - Midrex IT Standards and Security Document
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Information and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non-Disclosure Agreements (NDAs)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data centers protected by uninterruptible power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routine maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural /security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboarding training and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site-to-site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
2. Denial-of-Service (DoS) & Distributed Denial-of-Service (DDoS) Attacks
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls
Select a control... (same control inventory as for risk 1, ISC-0001 to ISC-0118)
3. Zero-Day Exploits
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls
Select a control... (same control inventory as for risk 1, ISC-0001 to ISC-0118)
4. Cross-Site Scripting (XSS)
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls
Select a control... (same control inventory as for risk 1, ISC-0001 to ISC-0118)
ISC-0001 - Antivirus / Endpoint Detection and Response Protection
ISC-0002 - Managed Detection and Response (MDR) partnership
ISC-0003 - Perimeter / edge protection devices
ISC-0004 - Webhost commitment to contract terms and conditions
ISC-0005 - Platform / application commitment to contract terms and conditions
ISC-0006 - Encryption of data in use, in transit and at rest
ISC-0007 - Mandatory monthly end user security training with documented disciplinary actions for late or incomplete training. New hire security orientation and Corporate Intranet based security guidelines.
ISC-0008 - DNS Filtering (risky website mitigation)
ISC-0009 - RBAC (Role Based Access Control)
ISC-0010 - USB drive blocking
ISC-0011 - Rogue device management
ISC-0012 - Mobile Device Management (MDM) system
ISC-0013 - Consolidated dashboard control of network edge devices
ISC-0014 - Network Access Control (NAC)
ISC-0015 - IT Operations team segregated use of regular vs elevated privilege accounts
ISC-0016 - IT Services Technology Disposal Policy
ISC-0017 - Application of security updates for internal core infrastructure
ISC-0018 - Secured Directory Services
ISC-0019 - Multifactor authentication (MFA) requirement for data access
ISC-0020 - Secure data transmissions utilizing SSL/TLS certifications
ISC-0021 - Periodic audit of privileged access accounts
ISC-0022 - Azure Privileged Identity Management (PIM)
ISC-0023 - Tabletop exercises (to be developed)
ISC-0024 - Integrated Federated Identity services
ISC-0025 - OS and application level security patches and updates
ISC-0026 - External vulnerability scans
ISC-0027 - Periodic review of firewall rules and policies
ISC-0028 - Application of security updates for firewall devices
ISC-0029 - Secure firewall rules, policies, traffic logs
ISC-0030 - Virtual Local Area Networks (VLANS)
ISC-0031 - Complex password policy requirements
ISC-0032 - Periodic review of remote access user accounts
ISC-0033 - Multifactor authentication (MFA) requirement for remote access connectivity
ISC-0034 - Zero Trust Architecture (ZTA)
ISC-0035 - Segmentation between corporate and guest networks
ISC-0036 - Cloud Provider Security Validation (including annual confirmation)
ISC-0037 - Conditional Access Policies
ISC-0038 - Prox card controlled access to all data centers
ISC-0039 - Video surveillance of data centers
ISC-0040 - Systematic enforcement of screensaver activation
ISC-0041 - Video surveillance system - office areas
ISC-0042 - Privacy screens for frequent travelers
ISC-0043 - Advanced email security tools for detection and analysis of malware and phishing
ISC-0044 - Annual security audit by parent company
ISC-0045 - Annual security audits by external firms
ISC-0046 - Business Continuity and Disaster Recovery Plan
ISC-0047 - Cyber insurance (maintained by parent company)
ISC-0048 - Email retention policies
ISC-0049 - Email archive policies
ISC-0050 - Annual security training requirements for SecOps team
ISC-0051 - Use of 3rd party companies for agnostic security vendor referrals
ISC-0052 - Continuous simulated phishing tests (all employees) with structured disciplanary policy for test failures
ISC-0053 - Disaster Recovery as a Service (DRaaS)
ISC-0054 - Disaster Recovery (DR) Runbooks (to be developed)
ISC-0055 - Incident response (IR) call tree
ISC-0056 - Employee education on Incident Reporting (new hire orientation, Corporate Intranet and ongoing training)
ISC-0057 - Corporate AI use policy with systematic enforcements
ISC-0058 - Incident Response Playbooks
ISC-0059 - Required organizational security roles and responsibilities identified and managed
ISC-0060 - Immutable Backup System
ISC-0061 - Device / asset monitoring and management
ISC-0062 - Prox card controlled access to all general work areas/suites
ISC-0063 - Core network design with no single point of failure
ISC-0064 - Annual and multi-year cybersecurity strategy
ISC-0065 - Annual approved budget that includes components of planned cybersecurity strategy
ISC-0066 - Relationships with FBI, Secret Service, local police and telecommunication providers
ISC-0067 - Professional security membership affiliations with groups such as ISACA, Infragard, ISSA and LKITP
ISC-0068 - Threat intelligence briefings such as Infragard/FBI posts, CISA updates, security conferences, other security feeds
ISC-0069 - Suppliers and Application Owners and Criticality Register (Form 0706)
ISC-0070 - Midrex Teammate Handbook, Midrex legal advisories
ISC-0071 - Terminated employee offboarding process
ISC-0072 - Guidelines and systematic enforcement of data sharing restrictions
ISC-0073 - Use of named accounts (no shared or anonymous account access)
ISC-0074 - Secure file sharing channels and systems
ISC-0075 - Secure vault systems for storage of private keys, secrets and passwords
ISC-0076 - Single Sign On (SSO) technologies
ISC-0077 - Formalized onboarding process for all new Midrex user accounts including contractors
ISC-0078 - Historical documentation of past incident investigations
ISC-0079 - Compliance control settings
ISC-0080 - Data loss prevention (DLP) technologies
ISC-0081 - Midrex IT Standards and Security Document
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Incident and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non Disclosure Agreements (NDA's)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emgergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data Centers protected by universal power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routinized maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural / security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
5. Session Hijacking
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
6. API Abuse & Exploits
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
7. Drive-by Downloads
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
8. Advanced Persistent Threats (APTs)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
9. Unauthorized Access to Sensitive Data
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
10. Insider Threats (Malicious & Accidental)
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
11. Exposure of Personally Identifiable Information (PII)
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
12. Shadow IT Risks (Unapproved Apps/Services)
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural /security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
13. Weak encryption & poor key management
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
14. Database Misconfigurations
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
15. Artificial Intelligence (AI)-Driven Attacks
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
16. Deepfake & Voice Impersonation Scams
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0001 - Antivirus / Endpoint Detection and Response Protection
ISC-0002 - Managed Detection and Response (MDR) partnership
ISC-0003 - Perimeter / edge protection devices
ISC-0004 - Webhost commitment to contract terms and conditions
ISC-0005 - Platform / application commitment to contract terms and conditions
ISC-0006 - Encryption of data in use, in transit and at rest
ISC-0007 - Mandatory monthly end user security training with documented disciplinary actions for late or incomplete training. New hire security orientation and Corporate Intranet based security guidelines.
ISC-0008 - DNS Filtering (risky website mitigation)
ISC-0009 - RBAC (Role Based Access Control)
ISC-0010 - USB drive blocking
ISC-0011 - Rogue device management
ISC-0012 - Mobile Device Management (MDM) system
ISC-0013 - Consolidated dashboard control of network edge devices
ISC-0014 - Network Access Control (NAC)
ISC-0015 - IT Operations team segregated use of regular vs elevated privilege accounts
ISC-0016 - IT Services Technology Disposal Policy
ISC-0017 - Application of security updates for internal core infrastructure
ISC-0018 - Secured Directory Services
ISC-0019 - Multifactor authentication (MFA) requirement for data access
ISC-0020 - Secure data transmissions utilizing SSL/TLS certifications
ISC-0021 - Periodic audit of privileged access accounts
ISC-0022 - Azure Privileged Identity Management (PIM)
ISC-0023 - Tabletop exercises (to be developed)
ISC-0024 - Integrated Federated Identity services
ISC-0025 - OS and application level security patches and updates
ISC-0026 - External vulnerability scans
ISC-0027 - Periodic review of firewall rules and policies
ISC-0028 - Application of security updates for firewall devices
ISC-0029 - Secure firewall rules, policies, traffic logs
ISC-0030 - Virtual Local Area Networks (VLANS)
ISC-0031 - Complex password policy requirements
ISC-0032 - Periodic review of remote access user accounts
ISC-0033 - Multifactor authentication (MFA) requirement for remote access connectivity
ISC-0034 - Zero Trust Architecture (ZTA)
ISC-0035 - Segmentation between corporate and guest networks
ISC-0036 - Cloud Provider Security Validation (including annual confirmation)
ISC-0037 - Conditional Access Policies
ISC-0038 - Prox card controlled access to all data centers
ISC-0039 - Video surveillance of data centers
ISC-0040 - Systematic enforcement of screensaver activation
ISC-0041 - Video surveillance system - office areas
ISC-0042 - Privacy screens for frequent travelers
ISC-0043 - Advanced email security tools for detection and analysis of malware and phishing
ISC-0044 - Annual security audit by parent company
ISC-0045 - Annual security audits by external firms
ISC-0046 - Business Continuity and Disaster Recovery Plan
ISC-0047 - Cyber insurance (maintained by parent company)
ISC-0048 - Email retention policies
ISC-0049 - Email archive policies
ISC-0050 - Annual security training requirements for SecOps team
ISC-0051 - Use of 3rd party companies for agnostic security vendor referrals
ISC-0052 - Continuous simulated phishing tests (all employees) with structured disciplanary policy for test failures
ISC-0053 - Disaster Recovery as a Service (DRaaS)
ISC-0054 - Disaster Recovery (DR) Runbooks (to be developed)
ISC-0055 - Incident response (IR) call tree
ISC-0056 - Employee education on Incident Reporting (new hire orientation, Corporate Intranet and ongoing training)
ISC-0057 - Corporate AI use policy with systematic enforcements
ISC-0058 - Incident Response Playbooks
ISC-0059 - Required organizational security roles and responsibilities identified and managed
ISC-0060 - Immutable Backup System
ISC-0061 - Device / asset monitoring and management
ISC-0062 - Prox card controlled access to all general work areas/suites
ISC-0063 - Core network design with no single point of failure
ISC-0064 - Annual and multi-year cybersecurity strategy
ISC-0065 - Annual approved budget that includes components of planned cybersecurity strategy
ISC-0066 - Relationships with FBI, Secret Service, local police and telecommunication providers
ISC-0067 - Professional security membership affiliations with groups such as ISACA, Infragard, ISSA and LKITP
ISC-0068 - Threat intelligence briefings such as Infragard/FBI posts, CISA updates, security conferences, other security feeds
ISC-0069 - Suppliers and Application Owners and Criticality Register (Form 0706)
ISC-0070 - Midrex Teammate Handbook, Midrex legal advisories
ISC-0071 - Terminated employee offboarding process
ISC-0072 - Guidelines and systematic enforcement of data sharing restrictions
ISC-0073 - Use of named accounts (no shared or anonymous account access)
ISC-0074 - Secure file sharing channels and systems
ISC-0075 - Secure vault systems for storage of private keys, secrets and passwords
ISC-0076 - Single Sign On (SSO) technologies
ISC-0077 - Formalized onboarding process for all new Midrex user accounts including contractors
ISC-0078 - Historical documentation of past incident investigations
ISC-0079 - Compliance control settings
ISC-0080 - Data loss prevention (DLP) technologies
ISC-0081 - Midrex IT Standards and Security Document
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Information and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non-Disclosure Agreements (NDAs)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data Centers protected by uninterruptible power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routinized maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural / security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboarding training and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
17. Quantum Computing Risks (Breaking Cryptography)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
18. Synthetic Identity Fraud
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
19. Exploitation of Authentication Systems
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
20. Weak or Reused Passwords
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0001 - Antivirus / Endpoint Detection and Response Protection
ISC-0002 - Managed Detection and Response (MDR) partnership
ISC-0003 - Perimeter / edge protection devices
ISC-0004 - Webhost commitment to contract terms and conditions
ISC-0005 - Platform / application commitment to contract terms and conditions
ISC-0006 - Encryption of data in use, in transit and at rest
ISC-0007 - Mandatory monthly end user security training with documented disciplinary actions for late or incomplete training. New hire security orientation and Corporate Intranet based security guidelines.
ISC-0008 - DNS Filtering (risky website mitigation)
ISC-0009 - RBAC (Role Based Access Control)
ISC-0010 - USB drive blocking
ISC-0011 - Rogue device management
ISC-0012 - Mobile Device Management (MDM) system
ISC-0013 - Consolidated dashboard control of network edge devices
ISC-0014 - Network Access Control (NAC)
ISC-0015 - IT Operations team segregated use of regular vs elevated privilege accounts
ISC-0016 - IT Services Technology Disposal Policy
ISC-0017 - Application of security updates for internal core infrastructure
ISC-0018 - Secured Directory Services
ISC-0019 - Multifactor authentication (MFA) requirement for data access
ISC-0020 - Secure data transmissions utilizing SSL/TLS certificates
ISC-0021 - Periodic audit of privileged access accounts
ISC-0022 - Azure Privileged Identity Management (PIM)
ISC-0023 - Tabletop exercises (to be developed)
ISC-0024 - Integrated Federated Identity services
ISC-0025 - OS and application level security patches and updates
ISC-0026 - External vulnerability scans
ISC-0027 - Periodic review of firewall rules and policies
ISC-0028 - Application of security updates for firewall devices
ISC-0029 - Secure firewall rules, policies, traffic logs
ISC-0030 - Virtual Local Area Networks (VLANs)
ISC-0031 - Complex password policy requirements
ISC-0032 - Periodic review of remote access user accounts
ISC-0033 - Multifactor authentication (MFA) requirement for remote access connectivity
ISC-0034 - Zero Trust Architecture (ZTA)
ISC-0035 - Segmentation between corporate and guest networks
ISC-0036 - Cloud Provider Security Validation (including annual confirmation)
ISC-0037 - Conditional Access Policies
ISC-0038 - Prox card controlled access to all data centers
ISC-0039 - Video surveillance of data centers
ISC-0040 - Systematic enforcement of screensaver activation
ISC-0041 - Video surveillance system - office areas
ISC-0042 - Privacy screens for frequent travelers
ISC-0043 - Advanced email security tools for detection and analysis of malware and phishing
ISC-0044 - Annual security audit by parent company
ISC-0045 - Annual security audits by external firms
ISC-0046 - Business Continuity and Disaster Recovery Plan
ISC-0047 - Cyber insurance (maintained by parent company)
ISC-0048 - Email retention policies
ISC-0049 - Email archive policies
ISC-0050 - Annual security training requirements for SecOps team
ISC-0051 - Use of 3rd party companies for agnostic security vendor referrals
ISC-0052 - Continuous simulated phishing tests (all employees) with structured disciplinary policy for test failures
ISC-0053 - Disaster Recovery as a Service (DRaaS)
ISC-0054 - Disaster Recovery (DR) Runbooks (to be developed)
ISC-0055 - Incident response (IR) call tree
ISC-0056 - Employee education on Incident Reporting (new hire orientation, Corporate Intranet and ongoing training)
ISC-0057 - Corporate AI use policy with systematic enforcements
ISC-0058 - Incident Response Playbooks
ISC-0059 - Required organizational security roles and responsibilities identified and managed
ISC-0060 - Immutable Backup System
ISC-0061 - Device / asset monitoring and management
ISC-0062 - Prox card controlled access to all general work areas/suites
ISC-0063 - Core network design with no single point of failure
ISC-0064 - Annual and multi-year cybersecurity strategy
ISC-0065 - Annual approved budget that includes components of planned cybersecurity strategy
ISC-0066 - Relationships with FBI, Secret Service, local police and telecommunication providers
ISC-0067 - Professional security membership affiliations with groups such as ISACA, Infragard, ISSA and LKITP
ISC-0068 - Threat intelligence briefings such as Infragard/FBI posts, CISA updates, security conferences, other security feeds
ISC-0069 - Suppliers and Application Owners and Criticality Register (Form 0706)
ISC-0070 - Midrex Teammate Handbook, Midrex legal advisories
ISC-0071 - Terminated employee offboarding process
ISC-0072 - Guidelines and systematic enforcement of data sharing restrictions
ISC-0073 - Use of named accounts (no shared or anonymous account access)
ISC-0074 - Secure file sharing channels and systems
ISC-0075 - Secure vault systems for storage of private keys, secrets and passwords
ISC-0076 - Single Sign On (SSO) technologies
ISC-0077 - Formalized onboarding process for all new Midrex user accounts including contractors
ISC-0078 - Historical documentation of past incident investigations
ISC-0079 - Compliance control settings
ISC-0080 - Data loss prevention (DLP) technologies
ISC-0081 - Midrex IT Standards and Security Document
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Incident and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non-Disclosure Agreements (NDAs)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data Centers protected by universal power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routinized maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural / security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
21. Insufficient Multi-Factor Authentication (MFA)
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
22. Overprivileged Accounts
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
23. Expired or Orphaned Accounts
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
24. Social Engineering Exploits on IAM Systems
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
25. Insecure API Keys & Tokens
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
26. Poor Identity Federation Security
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
27. Unsecured Wi-Fi Networks
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
28. Open Ports & Services
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
Probability (1–5): 3
Impact (1–16): 3
29. Inadequate Firewall Configurations
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
Probability (1–5): 3
Impact (1–16): 3
30. Rogue Devices & Unauthorized Access Points
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
Probability (1–5): 3
Impact (1–16): 3
31. Lack of Network Segmentation
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
Probability (1–5): 3
Impact (1–16): 3
32. Use of Default Credentials in Network Devices
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
33. Unpatched Routers & Switches
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
34. Outdated or Unpatched Software
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
35. BYOD (Bring Your Own Device) Security Risks
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
36. Lack of Endpoint Detection & Response (EDR)
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
37. Infected Removable Media (USBs, External Drives)
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
38. Unprotected IoT Devices
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
39. Jailbroken or Rooted Mobile Devices
Mediating Controls
Probability (1–5): 3
Impact (1–16): 3
Select a control...
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural /security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
40. Stolen or Lost Devices with Sensitive Data
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
41. Misconfigured Cloud Storage (e.g., S3 Buckets)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
42. Insecure API Calls
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
43. Unsecured SaaS Applications
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0001 - Antivirus / Endpoint Detection and Response Protection
ISC-0002 - Managed Detection and Response (MDR) partnership
ISC-0003 - Perimeter / edge protection devices
ISC-0004 - Webhost commitment to contract terms and conditions
ISC-0005 - Platform / application commitment to contract terms and conditions
ISC-0006 - Encryption of data in use, in transit and at rest
ISC-0007 - Mandatory monthly end user security training with documented disciplinary actions for late or incomplete training. New hire security orientation and Corporate Intranet based security guidelines.
ISC-0008 - DNS Filtering (risky website mitigation)
ISC-0009 - RBAC (Role Based Access Control)
ISC-0010 - USB drive blocking
ISC-0011 - Rogue device management
ISC-0012 - Mobile Device Management (MDM) system
ISC-0013 - Consolidated dashboard control of network edge devices
ISC-0014 - Network Access Control (NAC)
ISC-0015 - IT Operations team segregated use of regular vs elevated privilege accounts
ISC-0016 - IT Services Technology Disposal Policy
ISC-0017 - Application of security updates for internal core infrastructure
ISC-0018 - Secured Directory Services
ISC-0019 - Multifactor authentication (MFA) requirement for data access
ISC-0020 - Secure data transmissions utilizing SSL/TLS certifications
ISC-0021 - Periodic audit of privileged access accounts
ISC-0022 - Azure Privileged Identity Management (PIM)
ISC-0023 - Tabletop exercises (to be developed)
ISC-0024 - Integrated Federated Identity services
ISC-0025 - OS and application level security patches and updates
ISC-0026 - External vulnerability scans
ISC-0027 - Periodic review of firewall rules and policies
ISC-0028 - Application of security updates for firewall devices
ISC-0029 - Secure firewall rules, policies, traffic logs
ISC-0030 - Virtual Local Area Networks (VLANS)
ISC-0031 - Complex password policy requirements
ISC-0032 - Periodic review of remote access user accounts
ISC-0033 - Multifactor authentication (MFA) requirement for remote access connectivity
ISC-0034 - Zero Trust Architecture (ZTA)
ISC-0035 - Segmentation between corporate and guest networks
ISC-0036 - Cloud Provider Security Validation (including annual confirmation)
ISC-0037 - Conditional Access Policies
ISC-0038 - Prox card controlled access to all data centers
ISC-0039 - Video surveillance of data centers
ISC-0040 - Systematic enforcement of screensaver activation
ISC-0041 - Video surveillance system - office areas
ISC-0042 - Privacy screens for frequent travelers
ISC-0043 - Advanced email security tools for detection and analysis of malware and phishing
ISC-0044 - Annual security audit by parent company
ISC-0045 - Annual security audits by external firms
ISC-0046 - Business Continuity and Disaster Recovery Plan
ISC-0047 - Cyber insurance (maintained by parent company)
ISC-0048 - Email retention policies
ISC-0049 - Email archive policies
ISC-0050 - Annual security training requirements for SecOps team
ISC-0051 - Use of 3rd party companies for agnostic security vendor referrals
ISC-0052 - Continuous simulated phishing tests (all employees) with structured disciplanary policy for test failures
ISC-0053 - Disaster Recovery as a Service (DRaaS)
ISC-0054 - Disaster Recovery (DR) Runbooks (to be developed)
ISC-0055 - Incident response (IR) call tree
ISC-0056 - Employee education on Incident Reporting (new hire orientation, Corporate Intranet and ongoing training)
ISC-0057 - Corporate AI use policy with systematic enforcements
ISC-0058 - Incident Response Playbooks
ISC-0059 - Required organizational security roles and responsibilities identified and managed
ISC-0060 - Immutable Backup System
ISC-0061 - Device / asset monitoring and management
ISC-0062 - Prox card controlled access to all general work areas/suites
ISC-0063 - Core network design with no single point of failure
ISC-0064 - Annual and multi-year cybersecurity strategy
ISC-0065 - Annual approved budget that includes components of planned cybersecurity strategy
ISC-0066 - Relationships with FBI, Secret Service, local police and telecommunication providers
ISC-0067 - Professional security membership affiliations with groups such as ISACA, Infragard, ISSA and LKITP
ISC-0068 - Threat intelligence briefings such as Infragard/FBI posts, CISA updates, security conferences, other security feeds
ISC-0069 - Suppliers and Application Owners and Criticality Register (Form 0706)
ISC-0070 - Midrex Teammate Handbook, Midrex legal advisories
ISC-0071 - Terminated employee offboarding process
ISC-0072 - Guidelines and systematic enforcement of data sharing restrictions
ISC-0073 - Use of named accounts (no shared or anonymous account access)
ISC-0074 - Secure file sharing channels and systems
ISC-0075 - Secure vault systems for storage of private keys, secrets and passwords
ISC-0076 - Single Sign On (SSO) technologies
ISC-0077 - Formalized onboarding process for all new Midrex user accounts including contractors
ISC-0078 - Historical documentation of past incident investigations
ISC-0079 - Compliance control settings
ISC-0080 - Data loss prevention (DLP) technologies
ISC-0081 - Midrex IT Standards and Security Document
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Incident and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non-Disclosure Agreements (NDAs)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data Centers protected by uninterruptible power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routinized maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural / security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
44. Poor or Lack of Identity Management
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
45. Lack of Security Information and Event Monitoring (SIEM)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
46. Vendor Lock-in & Security Dependence
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
47. Shared Responsibility Model Misunderstanding
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0001 - Antivirus / Endpoint Detection and Response Protection
ISC-0002 - Managed Detection and Response (MDR) partnership
ISC-0003 - Perimeter / edge protection devices
ISC-0004 - Webhost commitment to contract terms and conditions
ISC-0005 - Platform / application commitment to contract terms and conditions
ISC-0006 - Encryption of data in use, in transit and at rest
ISC-0007 - Mandatory monthly end user security training with documented disciplinary actions for late or incomplete training. New hire security orientation and Corporate Intranet based security guidelines.
ISC-0008 - DNS Filtering (risky website mitigation)
ISC-0009 - RBAC (Role Based Access Control)
ISC-0010 - USB drive blocking
ISC-0011 - Rogue device management
ISC-0012 - Mobile Device Management (MDM) system
ISC-0013 - Consolidated dashboard control of network edge devices
ISC-0014 - Network Access Control (NAC)
ISC-0015 - IT Operations team segregated use of regular vs elevated privilege accounts
ISC-0016 - IT Services Technology Disposal Policy
ISC-0017 - Application of security updates for internal core infrastructure
ISC-0018 - Secured Directory Services
ISC-0019 - Multifactor authentication (MFA) requirement for data access
ISC-0020 - Secure data transmissions utilizing SSL/TLS certifications
ISC-0021 - Periodic audit of privileged access accounts
ISC-0022 - Azure Privileged Identity Management (PIM)
ISC-0023 - Tabletop exercises (to be developed)
ISC-0024 - Integrated Federated Identity services
ISC-0025 - OS and application level security patches and updates
ISC-0026 - External vulnerability scans
ISC-0027 - Periodic review of firewall rules and policies
ISC-0028 - Application of security updates for firewall devices
ISC-0029 - Secure firewall rules, policies, traffic logs
ISC-0030 - Virtual Local Area Networks (VLANs)
ISC-0031 - Complex password policy requirements
ISC-0032 - Periodic review of remote access user accounts
ISC-0033 - Multifactor authentication (MFA) requirement for remote access connectivity
ISC-0034 - Zero Trust Architecture (ZTA)
ISC-0035 - Segmentation between corporate and guest networks
ISC-0036 - Cloud Provider Security Validation (including annual confirmation)
ISC-0037 - Conditional Access Policies
ISC-0038 - Prox card controlled access to all data centers
ISC-0039 - Video surveillance of data centers
ISC-0040 - Systematic enforcement of screensaver activation
ISC-0041 - Video surveillance system - office areas
ISC-0042 - Privacy screens for frequent travelers
ISC-0043 - Advanced email security tools for detection and analysis of malware and phishing
ISC-0044 - Annual security audit by parent company
ISC-0045 - Annual security audits by external firms
ISC-0046 - Business Continuity and Disaster Recovery Plan
ISC-0047 - Cyber insurance (maintained by parent company)
ISC-0048 - Email retention policies
ISC-0049 - Email archive policies
ISC-0050 - Annual security training requirements for SecOps team
ISC-0051 - Use of 3rd party companies for agnostic security vendor referrals
ISC-0052 - Continuous simulated phishing tests (all employees) with structured disciplanary policy for test failures
ISC-0053 - Disaster Recovery as a Service (DRaaS)
ISC-0054 - Disaster Recovery (DR) Runbooks (to be developed)
ISC-0055 - Incident response (IR) call tree
ISC-0056 - Employee education on Incident Reporting (new hire orientation, Corporate Intranet and ongoing training)
ISC-0057 - Corporate AI use policy with systematic enforcements
ISC-0058 - Incident Response Playbooks
ISC-0059 - Required organizational security roles and responsibilities identified and managed
ISC-0060 - Immutable Backup System
ISC-0061 - Device / asset monitoring and management
ISC-0062 - Prox card controlled access to all general work areas/suites
ISC-0063 - Core network design with no single point of failure
ISC-0064 - Annual and multi-year cybersecurity strategy
ISC-0065 - Annual approved budget that includes components of planned cybersecurity strategy
ISC-0066 - Relationships with FBI, Secret Service, local police and telecommunication providers
ISC-0067 - Professional security membership affiliations with groups such as ISACA, Infragard, ISSA and LKITP
ISC-0068 - Threat intelligence briefings such as Infragard/FBI posts, CISA updates, security conferences, other security feeds
ISC-0069 - Suppliers and Application Owners and Criticality Register (Form 0706)
ISC-0070 - Midrex Teammate Handbook, Midrex legal advisories
ISC-0071 - Terminated employee offboarding process
ISC-0072 - Guidelines and systematic enforcement of data sharing restrictions
ISC-0073 - Use of named accounts (no shared or anonymous account access)
ISC-0074 - Secure file sharing channels and systems
ISC-0075 - Secure vault systems for storage of private keys, secrets and passwords
ISC-0076 - Single Sign On (SSO) technologies
ISC-0077 - Formalized onboarding process for all new Midrex user accounts including contractors
ISC-0078 - Historical documentation of past incident investigations
ISC-0079 - Compliance control settings
ISC-0080 - Data loss prevention (DLP) technologies
ISC-0081 - Midrex IT Standards and Security Document
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Incident and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non Disclosure Agreements (NDA's)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emgergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data Centers protected by universal power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routinized maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural /security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
48. Unauthorized Physical Access to Data Centers or Offices
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
49. Unattended Devices (Laptops, USBs, Printed Docs)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
50. Dumpster Diving (Sensitive Information Disposal Issues)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
51. Lack of Surveillance & Intrusion Detection
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
52. Theft or Tampering with Hardware
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
53. Hardware Implants & Keyloggers
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
54. Shoulder Surfing & Unauthorized Screen Viewing
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
55. Unsecure API Integrations with Third-Party Services
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
56. Software Supply Chain Risks and Attacks
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
57. Lack of Vendor Risk Management
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
58. Outsourcing Security Weaknesses
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
59. Poor DevOps Practices, Including Lack of Proper Source Code Controls
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
2. Compliance & Legal Risks
60. Non-Compliance with Regulations (GDPR, HIPAA, PCI-DSS, etc.)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
61. Failure to Meet Industry Security Standards (ISO 27001, NIST, CIS, etc.)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
62. Legal Repercussions from Data Breaches
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
63. Lack of Cyber Insurance or Coverage Gaps
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
64. Failure to Retain or Delete Data as Required by Law
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
65. Improper or Lack of Data Classification Controls Leading to Exposure or Loss of Sensitive Data
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
3. Human & Behavioral Risks
66. Lack of Security Awareness Training
Probability (1–5): 3
Impact (1–16): 3
Mediating Controls: select from the control inventory (ISC-0001 to ISC-0118)
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
67. Shadow IT Usage (Employees Using Unapproved Apps)
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
68. Over-Reliance on IT Without Understanding Risks
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
69. Insufficient Incident Response Readiness
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
70. Poor Crisis Communication & Response
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural /security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
71. Unreported Security Incidents
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
72. Lack of Document and Change Management
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
73. Lack of Formalized Security Policies and/or Poor Policy Communication to Employees and Contractors
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
74. Improperly Defined Security Roles and Responsibilities / Lack of Executive Support and Sponsorship
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Incident and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non Disclosure Agreements (NDA's)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emgergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data Centers protected by universal power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routinized maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural /security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
75. Insufficient Knowledge and Awareness of Emerging and Current Cyber Threats by Security Operations Staff
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
76. Lack of Affiliation with Professional Cyber Security Associations and Local Authorities by Security Operations Staff
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
77. Lack of Security Based Documentation / Work Instructions Accessible by Staff Performing Security Related Functions
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
78. Insufficient Hiring Practices, Ineffective Performance Evaluations Leading to Poorly Qualified Information Security Operations Staff Including High Turnover Rates
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
79. Lack of Formalized Disciplinary Action Plans for Employees Who Fail to Comply with Corporate Security Policies
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
80. Lack of Formalized Offboarding Plan for Terminated Employees Creating Potential Data Loss Risk
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
81. Failure to Protect Confidential Corporate Information During Introduction of New Security Technologies
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
82. Failure to Mitigate Risks Associated with Remote Access/Connectivity
83. Inadequate Access Controls to Corporate Information
84. Improper Management of Administrative Privileges
85. No Standardized Method for Introduction of New Software Applications and Platforms
86. Network Architectures That Are Not Secure by Design
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
4. Business Continuity & Disaster Recovery Risks
87. Lack of a Proper Incident Response Plan
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
88. Insufficient Backup & Recovery Strategy
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
89. Failure to Test Disaster Recovery Procedures
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
90. Single Point of Failure in Infrastructure
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
91. Ransomware-Induced Downtime
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
92. Inadequate Cybersecurity Budget & Investment
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
93. Role-Based Access Control (RBAC) Compromise
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural /security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
94. Failure to Integrate Security Protocols, Standards and Best Practices into All IT Related Tasks and Projects
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
95. Insufficient or Lack of Asset Management Platforms, Tools and Documentation
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
96. Lack of Controls & Policies For Data Access and Secure Sharing of Information
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
97. Data Center Environmental Issues and Lack of Secure Workspace Practices and Policies
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
ISC-0001 - Antivirus / Endpoint Detection and Response Protection
ISC-0002 - Managed Detection and Response (MDR) partnership
ISC-0003 - Perimeter / edge protection devices
ISC-0004 - Webhost commitment to contract terms and conditions
ISC-0005 - Platform / application commitment to contract terms and conditions
ISC-0006 - Encryption of data in use, in transit and at rest
ISC-0007 - Mandatory monthly end user security training with documented disciplinary actions for late or incomplete training. New hire security orientation and Corporate Intranet based security guidelines.
ISC-0008 - DNS Filtering (risky website mitigation)
ISC-0009 - RBAC (Role Based Access Control)
ISC-0010 - USB drive blocking
ISC-0011 - Rogue device management
ISC-0012 - Mobile Device Management (MDM) system
ISC-0013 - Consolidated dashboard control of network edge devices
ISC-0014 - Network Access Control (NAC)
ISC-0015 - IT Operations team segregated use of regular vs elevated privilege accounts
ISC-0016 - IT Services Technology Disposal Policy
ISC-0017 - Application of security updates for internal core infrastructure
ISC-0018 - Secured Directory Services
ISC-0019 - Multifactor authentication (MFA) requirement for data access
ISC-0020 - Secure data transmissions utilizing SSL/TLS certifications
ISC-0021 - Periodic audit of privileged access accounts
ISC-0022 - Azure Privileged Identity Management (PIM)
ISC-0023 - Tabletop exercises (to be developed)
ISC-0024 - Integrated Federated Identity services
ISC-0025 - OS and application level security patches and updates
ISC-0026 - External vulnerability scans
ISC-0027 - Periodic review of firewall rules and policies
ISC-0028 - Application of security updates for firewall devices
ISC-0029 - Secure firewall rules, policies, traffic logs
ISC-0030 - Virtual Local Area Networks (VLANS)
ISC-0031 - Complex password policy requirements
ISC-0032 - Periodic review of remote access user accounts
ISC-0033 - Multifactor authentication (MFA) requirement for remote access connectivity
ISC-0034 - Zero Trust Architecture (ZTA)
ISC-0035 - Segmentation between corporate and guest networks
ISC-0036 - Cloud Provider Security Validation (including annual confirmation)
ISC-0037 - Conditional Access Policies
ISC-0038 - Prox card controlled access to all data centers
ISC-0039 - Video surveillance of data centers
ISC-0040 - Systematic enforcement of screensaver activation
ISC-0041 - Video surveillance system - office areas
ISC-0042 - Privacy screens for frequent travelers
ISC-0043 - Advanced email security tools for detection and analysis of malware and phishing
ISC-0044 - Annual security audit by parent company
ISC-0045 - Annual security audits by external firms
ISC-0046 - Business Continuity and Disaster Recovery Plan
ISC-0047 - Cyber insurance (maintained by parent company)
ISC-0048 - Email retention policies
ISC-0049 - Email archive policies
ISC-0050 - Annual security training requirements for SecOps team
ISC-0051 - Use of 3rd party companies for agnostic security vendor referrals
ISC-0052 - Continuous simulated phishing tests (all employees) with structured disciplanary policy for test failures
ISC-0053 - Disaster Recovery as a Service (DRaaS)
ISC-0054 - Disaster Recovery (DR) Runbooks (to be developed)
ISC-0055 - Incident response (IR) call tree
ISC-0056 - Employee education on Incident Reporting (new hire orientation, Corporate Intranet and ongoing training)
ISC-0057 - Corporate AI use policy with systematic enforcements
ISC-0058 - Incident Response Playbooks
ISC-0059 - Required organizational security roles and responsibilities identified and managed
ISC-0060 - Immutable Backup System
ISC-0061 - Device / asset monitoring and management
ISC-0062 - Prox card controlled access to all general work areas/suites
ISC-0063 - Core network design with no single point of failure
ISC-0064 - Annual and multi-year cybersecurity strategy
ISC-0065 - Annual approved budget that includes components of planned cybersecurity strategy
ISC-0066 - Relationships with FBI, Secret Service, local police and telecommunication providers
ISC-0067 - Professional security membership affiliations with groups such as ISACA, Infragard, ISSA and LKITP
ISC-0068 - Threat intelligence briefings such as Infragard/FBI posts, CISA updates, security conferences, other security feeds
ISC-0069 - Suppliers and Application Owners and Criticality Register (Form 0706)
ISC-0070 - Midrex Teammate Handbook, Midrex legal advisories
ISC-0071 - Terminated employee offboarding process
ISC-0072 - Guidelines and systematic enforcement of data sharing restrictions
ISC-0073 - Use of named accounts (no shared or anonymous account access)
ISC-0074 - Secure file sharing channels and systems
ISC-0075 - Secure vault systems for storage of private keys, secrets and passwords
ISC-0076 - Single Sign On (SSO) technologies
ISC-0077 - Formalized onboarding process for all new Midrex user accounts including contractors
ISC-0078 - Historical documentation of past incident investigations
ISC-0079 - Compliance control settings
ISC-0080 - Data loss prevention (DLP) technologies
ISC-0081 - Midrex IT Standards and Security Document
ISC-0082 - Maintain appropriate licenses for security products
ISC-0083 - External data sharing requirements (manager approval, allowed sharing list)
ISC-0084 - Internal ISO audits
ISC-0085 - Data Classification and Labelling
ISC-0086 - Security Incident and Event Management (SIEM) system
ISC-0087 - Native cloud platform event logging
ISC-0088 - Dashboard for tracking security metrics of employee awareness program
ISC-0089 - Non-Disclosure Agreements (NDAs)
ISC-0090 - Intrusion detection and alarm system
ISC-0091 - Digital signage platform for distribution of important security information to employees
ISC-0092 - Employee safety and emergency action plan (EAP)
ISC-0093 - Monitoring of environmental variables inside data center
ISC-0094 - Visual reminders of security requirements
ISC-0095 - Midrex Legal Dept guidance for platform/application contracts and agreements
ISC-0096 - Principles of Zero Trust and Least Privilege incorporated into all security projects and tasks
ISC-0097 - Secure printing of confidential documents
ISC-0098 - Data Centers protected by uninterruptible power supply (UPS) systems, dedicated HVAC systems, active environmental monitoring and routinized maintenance
ISC-0099 - Searchable Knowledge Base of Security Related Work Instructions
ISC-0100 - Annual and Mid-Year Performance Evaluations of Security Operations Staff with Direct Correlations to Personal and Departmental Security Goals plus Corporate Security Milestones. Incentivized by structured salary increases and bonus payouts.
ISC-0101 - Security vendors / contractors are properly certified and/or qualified
ISC-0102 - Mobile device management separates personal from business data
ISC-0103 - Wireless security protocols are properly managed and maintained
ISC-0104 - DevOps team follows best security practices for code development and change management
ISC-0105 - Critical systems - automatic capacity monitoring/notifications
ISC-0106 - Edge security appliances - redundancy/failover configuration
ISC-0107 - Annual penetration testing with remediations
ISC-0108 - Standardized computer build checklists
ISC-0109 - Remote monitoring of critical infrastructure and servers
ISC-0110 - Standardized clock syncs
ISC-0111 - Network / architectural / security diagrams
ISC-0112 - Midrex new talent acquisition process is followed for all new DSS teammates and contractors, including standardized background verifications, onboard trainings and security policy acknowledgements
ISC-0113 - IT Operations team use of elevated privilege accounts when accessing remote connectivity tools
ISC-0114 - Documented change management control process (Procedure 7.5)
ISC-0115 - Site to site VPN tunnels utilize proper security protocols
ISC-0116 - Infrastructure contractors are properly qualified and maintain required security protocols
ISC-0117 - No local administrative access by end users / local administrative accounts disabled
ISC-0118 - Defined security procedures are followed when introducing new applications or platforms (MAS)
98. Poor Capacity Planning and Management
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...
99. No External Validation / Audit to Independently Verify Effectiveness of Information Security Practices
Mediating Controls
Probability (1–5)
3
Impact (1–16)
3
Select a control...