The Minimum Reasonable Security Practices draw on SecureTheVillage’s Basic IT Security Management Practices (STV Basic Practices).
The following summarizes the Minimum Reasonable Security Practices.
Information Security Management: The organization manages its information security by means of a formal documented Information Security Management Program. The Information Security Manager is an executive or reports to an executive. The program is designed to protect the confidentiality, integrity, and availability of information in accordance with commercially reasonable information security management standards appropriate for a company with its security-risk profile and the security-risk profiles of others whose information it manages.
Information Security Subject Matter Expertise: The organization utilizes appropriate information security subject matter expertise.
Security Management of Sensitive and Private Information: The organization formally identifies, documents, and controls access to sensitive and private information in accordance with laws, regulations, contractual obligations, and its own fiduciary responsibilities.
SecureTheHuman: The organization has an active awareness training and education program to turn personnel into cyber guardians with the knowledge, skills, and commitment needed to meet the ongoing challenges of cyber crime, cyber privacy, and information security.
Security Management of the IT Interface: All access to the organization’s network is protected in accordance with documented procedures, based upon the Center for Internet Security (CIS) Critical Security Controls (See Mapping of CIS Controls to STV Basic Practices).
Security Management of the IT Infrastructure: The organization formally manages the security of its IT infrastructure in accordance with documented standards based upon the Center for Internet Security (CIS) Critical Security Controls (See Mapping of CIS Controls to STV Basic Practices).
Third-Party Security Assurance: The organization follows a formal documented process to manage the risk associated with sharing information with third parties. This includes following documented standards based upon the Center for Internet Security (CIS) Critical Security Controls (See Mapping of CIS Controls to STV Basic Practices) to ensure the security of third parties having access to information or information systems, including solution providers, cloud service providers, backup/recovery systems, etc.
Information Resilience: The organization develops, maintains, and tests Incident Response Plans and Business Continuity Plans. This includes training staff to meet their incident response or business continuity responsibilities and maintaining relationships with law enforcement and other professionals likely to be crucial should an incident or disaster occur.
Information Security Governance: The organization meets at least quarterly with executive management to review the organization’s information security profile.