AIA/NAS 9924-2013 pdf download

12-25-2022

AIA/NAS 9924-2013 CYBER SECURITY BASELINE
2. TIER 1
Suppliers that operate without a dedicated Information Technology professional on staff and without a dedicated Information Technology Security professional.
1) A password policy should minimally include the following parameters:
a. Minimum and maximum lengths;
b. Maximum failed logon attempts;
c. Complexity (mixed case, numbers, and special characters);
d. Re-use;
e. Reset;
f. How the password is stored (clear text, encrypted, irreversibly encrypted); and
g. Change interval.
2) 2-Factor authentication should be in use for all interfaces to all systems that are storing customer information and may minimally include 2 out of the 3 mechanisms:
a. Something the user knows (e.g., password, PIN).
b. Something the user has (e.g., ATM card, smart card).
c. Something the user is (e.g., biometric characteristic, such as a fingerprint).
3) All equipment should be adequately secured from theft and vandalism to include physical security controls in place for laptops and other mobile devices.
4) Anti-virus software should be implemented throughout the organization, across all platforms and computing resources (including privately owned and company owned computers) that employees use to access the organization's network (to include all contractor devices and employees' home machines which may access the corporate network). Operational processes should minimally include:
a. Automatic updating of the anti-virus software, engine, and virus definition files;
b. Complete virus scans performed on the hard drive(s) at least once a week;
c. DAT/signature files on computing resources updated at least every 7 days; and
d. Virus scan engine upgrades scheduled at least once a month.
If a manual anti-virus distribution mechanism is used, updates should be installed within 24 hours of notification.
5) A mitigation plan and process should exist for security breaches or data compromises.
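The operational limits in item 4 can be checked against an endpoint inventory. The following is an added example, not part of the standard: the record fields (host, auto_update, distribution, and the timestamp keys) are a hypothetical schema, the inventory is constructed sample data, and "once a month" is read as 31 days.

```python
from datetime import datetime, timedelta

# Limits from item 4; "once a month" is read as 31 days (assumption).
CHECKS = (
    ("last_full_scan", timedelta(days=7), "4b: full scan older than a week"),
    ("dat_updated", timedelta(days=7), "4c: DAT/signature files older than 7 days"),
    ("engine_upgraded", timedelta(days=31), "4d: scan engine older than a month"),
)
MANUAL_WINDOW = timedelta(hours=24)

def audit_endpoint(ep, now):
    """Return item-4 findings for one inventory record (hypothetical schema)."""
    findings = []
    if ep.get("distribution") == "manual":
        notified, installed = ep.get("update_notified"), ep.get("update_installed")
        if notified is not None:
            deadline = notified + MANUAL_WINDOW
            # An install that predates the notice means the update is still pending.
            pending = installed is None or installed < notified
            if (pending and now > deadline) or (not pending and installed > deadline):
                findings.append("manual update not installed within 24 hours")
    elif not ep.get("auto_update"):
        findings.append("4a: automatic updating is off")
    for key, limit, label in CHECKS:
        ts = ep.get(key)
        # A missing timestamp is treated as a failure, not as compliant.
        if ts is None or now - ts > limit:
            findings.append(label)
    return findings

def audit_fleet(endpoints, now):
    """Map hostname -> findings, for non-compliant endpoints only."""
    report = {}
    for ep in endpoints:
        findings = audit_endpoint(ep, now)
        if findings:
            report[ep["host"]] = findings
    return report

# Constructed sample inventory (not real data), including home and contractor devices.
NOW = datetime(2024, 3, 15, 12, 0)
d = lambda day, hour=0: datetime(2024, 3, day, hour)
FLEET = [
    {"host": "ws-01", "auto_update": True, "last_full_scan": d(12), "dat_updated": d(14), "engine_upgraded": d(1)},
    {"host": "home-07", "auto_update": False, "last_full_scan": d(1), "dat_updated": d(5), "engine_upgraded": datetime(2024, 1, 10)},
    {"host": "cnc-03", "distribution": "manual", "update_notified": d(13, 9), "last_full_scan": d(10), "dat_updated": d(12), "engine_upgraded": d(1)},
    {"host": "contractor-02", "auto_update": True, "dat_updated": d(14), "engine_upgraded": d(10)},
]

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET, NOW).items():
        print(host, "->", "; ".join(findings))
```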
3. TIER 2
Suppliers that have a dedicated Information Technology professional on staff but no dedicated Information Technology Security professional. These statements supplement those for Tier 1.
6) A representative responsible for information security and implementation of the appropriate controls to logically protect customer information/data should be a role(s) within the organization(s).
7) Formal documented procedures for physical security over the information / site should be implemented.
8) Information security training requirements for Systems Administrators should be implemented.
9) Information Protection Awareness training provided no less than annually to each non-employee, employee, contract employee, business partner, etc. who has access to customer information should be implemented and maintained for accountability.
10) A process to manage the termination of individuals who have access to customer information should be in existence.
11) The organization should have written plans and procedures for reporting and responding to computer security breaches for:
a. Company Management/stakeholders;
b. Employees;
c. Customers;
d. Partners;
e. Suppliers; and
f. Regulators.
