Cloud Control Matrix 3.0
Allen Zhang, HMSA, 2014 V1

Human Resources (12)
  Asset Returns
  Background Screening
  Employment Agreements
  Employment Termination
  Industry Knowledge / Benchmarking
  Mobile Device Management
  Non-Disclosure Agreements
  Roles / Responsibilities
  Technology Acceptable Use
  Training / Awareness
  User Responsibility
  Workspace

Governance and Risk Management (3)
  Risk Assessments
  Risk Management Framework
  Risk Mitigation / Acceptance

Identity & Access Management (13)
  Audit Tools Access
  Credential Lifecycle / Provision Management
  Diagnostic / Configuration Ports Access
  Policies and Procedures
  Segregation of Duties
  Source Code Access Restriction
  Third Party Access
  Trusted Sources
  User Access Authorization
  User Access Reviews
  User Access Revocation
  User ID Credentials
  Utility Programs Access

Infrastructure & Virtualization Security (12)
  Audit Logging / Intrusion Detection
  Change Detection
  Clock Synchronization
  Information System Documentation
  Management - Vulnerability Management
  Network Security
  OS Hardening and Base Controls
  Production / Non-Production Environments
  Segmentation
  VM Security - vMotion Data Protection
  VMM Security - Hypervisor Hardening
  Wireless Security

Interoperability & Portability (5)
  APIs
  Data Request
  Policy & Legal
  Standardized Network Protocols
  Virtualization

Mobile Security (20)
  Anti-Malware
  Application Stores
  Approved Applications
  Approved Software for BYOD
  Awareness and Training
  Cloud Based Services
  Compatibility
  Device Eligibility
  Device Inventory
  Device Management
  Encryption
  Jailbreaking and Rooting
  Legal
  Lockout Screen
  Operating Systems
  Passwords
  Policy
  Remote Wipe
  Security Patches
  Users

Security Incident Management, E-Discovery & Cloud Forensics (5)
  Contact / Authority Maintenance
  Incident Management
  Incident Reporting
  Incident Response Legal Preparation
  Incident Response Metrics

Threat and Vulnerability Management (3)
  Anti-Virus / Malicious Software
  Vulnerability / Patch Management
  Mobile Code

Application & Interface Security (4)
  Application Security
  Customer Access Requirements
  Data Integrity
  Data Security / Integrity

Business Continuity Management & Operational Resilience (12)
  Business Continuity Planning
  Business Continuity Testing
  Datacenter Utilities / Environmental Conditions
  Documentation
  Environmental Risks
  Equipment Location
  Equipment Maintenance
  Equipment Power Failures
  Impact Analysis
  Management Program
  Policy
  Retention Policy

Change Control & Configuration Management (5)
  New Development / Acquisition
  Outsourced Development
  Quality Testing
  Unauthorized Software Installations
  Production Changes

Data Security & Information Lifecycle Management (8)
  Classification
  Data Inventory / Flows
  eCommerce Transactions
  Handling / Labeling / Security Policy
  Information Leakage
  Non-Production Data
  Ownership / Stewardship
  Secure Disposal

Datacenter Security (9)
  Asset Management
  Controlled Access Points
  Equipment Identification
  Off-Site Authorization
  Off-Site Equipment
  Policy
  Secure Area Authorization
  Unauthorized Persons Entry
  User Access

Encryption & Key Management (4)
  Entitlement
  Key Generation
  Sensitive Data Protection
  Storage and Access

Audit Assurance and Compliance (3)
  Audit Planning
  Independent Audits
  Information System Regulatory Mapping

Supply Chain Management, Transparency and Accountability (9)
  Data Quality and Integrity
  Incident Reporting
  Network / Infrastructure Services
  Provider Internal Assessments
  Supply Chain Agreements
  Supply Chain Governance Reviews
  Supply Chain Metrics
  Third Party Assessment
  Third Party Audits
