Cloud Control Matrix

Post on 13-Apr-2017


Human Resources (12)
- Asset Returns
- Background Screening
- Employment Agreements
- Employment Termination
- Industry Knowledge / Benchmarking
- Mobile Device Management
- Non-Disclosure Agreements
- Roles / Responsibilities
- Technology Acceptable Use
- Training / Awareness
- User Responsibility
- Workspace

Governance and Risk Management (3)
- Risk Assessments
- Risk Management Framework
- Risk Mitigation / Acceptance

Identity & Access Management (13)
- Audit Tools Access
- Credential Lifecycle / Provision Management
- Diagnostic / Configuration Ports Access
- Policies and Procedures
- Segregation of Duties
- Source Code Access Restriction
- Third Party Access
- Trusted Sources
- User Access Authorization
- User Access Reviews
- User Access Revocation
- User ID Credentials
- Utility Programs Access

Infrastructure & Virtualization Security (12)
- Audit Logging / Intrusion Detection
- Change Detection
- Clock Synchronization
- Information System Documentation
- Management - Vulnerability Management
- Network Security
- OS Hardening and Base Controls
- Production / Non-Production Environments
- Segmentation
- VM Security - vMotion Data Protection
- VMM Security - Hypervisor Hardening
- Wireless Security

Interoperability & Portability (5)
- APIs
- Data Request
- Policy & Legal
- Standardized Network Protocols
- Virtualization

Mobile Security (20)
- Anti-Malware
- Application Stores
- Approved Applications
- Approved Software for BYOD
- Awareness and Training
- Cloud Based Services
- Compatibility
- Device Eligibility
- Device Inventory
- Device Management
- Encryption
- Jailbreaking and Rooting
- Legal
- Lockout Screen
- Operating Systems
- Passwords
- Policy
- Remote Wipe
- Security Patches
- Users

Security Incident Management, E-Discovery & Cloud Forensics (5)
- Contact / Authority Maintenance
- Incident Management
- Incident Reporting
- Incident Response Legal Preparation
- Incident Response Metrics

Threat and Vulnerability Management (3)
- Anti-Virus / Malicious Software
- Vulnerability / Patch Management
- Mobile Code

Application & Interface Security (4)
- Application Security
- Customer Access Requirements
- Data Integrity
- Data Security / Integrity

Business Continuity Management & Operational Resilience (12)
- Business Continuity Planning
- Business Continuity Testing
- Datacenter Utilities / Environmental Conditions
- Documentation
- Environmental Risks
- Equipment Location
- Equipment Maintenance
- Equipment Power Failures
- Impact Analysis
- Management Program
- Policy
- Retention Policy

Change Control & Configuration Management (5)
- New Development / Acquisition
- Outsourced Development
- Quality Testing
- Unauthorized Software Installations
- Production Changes

Data Security & Information Lifecycle Management (8)
- Classification
- Data Inventory / Flows
- eCommerce Transactions
- Handling / Labeling / Security Policy
- Information Leakage
- Non-Production Data
- Ownership / Stewardship
- Secure Disposal

Datacenter Security (9)
- Asset Management
- Controlled Access Points
- Equipment Identification
- Off-Site Authorization
- Off-Site Equipment
- Policy
- Secure Area Authorization
- Unauthorized Persons Entry
- User Access

Encryption & Key Management (4)
- Entitlement
- Key Generation
- Sensitive Data Protection
- Storage and Access

Cloud Control Matrix 3.0

Audit Assurance and Compliance (3)
- Audit Planning
- Independent Audits
- Information System Regulatory Mapping

Supply Chain Management, Transparency and Accountability (9)
- Data Quality and Integrity
- Incident Reporting
- Network / Infrastructure Services
- Provider Internal Assessments
- Supply Chain Agreements
- Supply Chain Governance Reviews
- Supply Chain Metrics
- Third Party Assessment
- Third Party Audits

Allen Zhang, HMSA

2014 V1