
4 Information Security Program

54 requirements in the Information Security Program section

4 Information Security Program
  4.A Written Information Security Program
  4.B Program Design Objectives
    4.B(1) Protect Security and Confidentiality
    4.B(2) Protect Against Threats
    4.B(3) Protect Against Unauthorized Access
    4.B(4) Retention and Destruction Schedule
  4.C Licensee Requirements
    4.C(1) Designate Responsible Employees
    4.C(2) Identify Foreseeable Threats
    4.C(3) Assess Threat Likelihood and Damage
    4.C(4) Assess Sufficiency of Safeguards
      4.C(4)(a) Employee Training and Management
      4.C(4)(b) Information Systems
      4.C(4)(c) Detection, Prevention and Response
    4.C(5) Implement and Assess Safeguards
  4.D Risk-Based Requirements
    4.D(1) Program Design Based on Risk
    4.D(2) Security Measures
      4.D(2)(a) Access Controls
      4.D(2)(b) Asset Identification and Management
      4.D(2)(c) Physical Access Restrictions
      4.D(2)(d) Encryption of Nonpublic Information
      4.D(2)(e) Secure Development Practices
      4.D(2)(f) Information System Modifications
      4.D(2)(g) Multi-Factor Authentication
      4.D(2)(h) Testing and Monitoring
      4.D(2)(i) Audit Trails
      4.D(2)(j) Environmental Protection
      4.D(2)(k) Secure Disposal Procedures
    4.D(3) Enterprise Risk Management
    4.D(4) Emerging Threats Awareness
    4.D(5) Cybersecurity Awareness Training
  4.E Board of Directors Oversight
    4.E(1) Executive Management Responsibility
    4.E(2) Annual Written Report
      4.E(2)(a) Program Status and Compliance
      4.E(2)(b) Material Matters Reporting
    4.E(3) Delegation Oversight
  4.F Third-Party Service Provider Oversight
    4.F(1) Due Diligence in Selection
    4.F(2) Third-Party Security Measures
  4.G Program Monitoring and Adjustment
  4.H Incident Response Plan
    4.H(1) Written Incident Response Plan
    4.H(2) Incident Response Plan Areas
      4.H(2)(a) Internal Response Process
      4.H(2)(b) Incident Response Goals
      4.H(2)(c) Roles, Responsibilities and Authority
      4.H(2)(d) Communications and Information Sharing
      4.H(2)(e) Weakness Remediation Requirements
      4.H(2)(f) Documentation and Reporting
      4.H(2)(g) Plan Evaluation and Revision
  4.I Annual Compliance Certification