UO Minimum Information Security Controls

UO.14 Conduct a Risk Assessment

Conducting risk assessments includes the following specific tasks:

Track risk to system and data by:

UO.25 Encryption: Data-at-Rest

Data-at-rest (stored) shall be encrypted to ensure confidentiality.

Sensitive files, records, tables or entire databases should be encrypted, with the decryption keys properly managed and changed periodically. In some cases, encryption may not be needed if the ISO deems that appropriate compensating controls have been implemented, or that the risk of a breach of confidentiality or integrity is substantially low.

Note 1: certain combinations of Medium Risk data elements may, in aggregate, constitute High Risk data.
Note 2: for cloud-based services, the goal is to employ the “trust no one” (TNO) principle, which requires decryption keys to be accessible only by approved UO personnel, thereby preventing cloud-service vendor personnel or subcontractors from accessing UO data.
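As an added illustration of UO.25 and its Note 2 (this is not part of the UO controls document or any UO system), the Ruby sketch below stores each record as ciphertext plus a per-record data key wrapped under a key-encryption key (KEK) that stays with UO, so whoever holds the stored blobs cannot read them without the KEK; periodic key change is then a cheap re-wrap of the data key. It assumes Ruby's bundled OpenSSL binding with AES-256-GCM, and all names (`Record`, `seal`, `rotate_kek`, etc.) are hypothetical.

```ruby
require 'openssl'

# What the cloud provider stores: the ciphertext plus the per-record data key
# wrapped under a key-encryption key (KEK) that never leaves UO, so provider
# staff or subcontractors holding the blobs cannot read them (TNO principle).
Record = Struct.new(:ciphertext, :wrapped_key)

NONCE_LEN = 12 # standard AES-GCM nonce size
TAG_LEN = 16   # full-length GCM authentication tag

# AES-256-GCM under a fresh random nonce; returns nonce || ciphertext || tag.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  body = plaintext.empty? ? ''.b : c.update(plaintext)
  nonce + body + c.final + c.auth_tag
end

# Inverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or any
# modification of the blob (nonce, ciphertext or tag).
def open_sealed(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize < NONCE_LEN + TAG_LEN
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, NONCE_LEN)
  c.auth_tag = blob.byteslice(-TAG_LEN, TAG_LEN)
  c.auth_data = ''
  body = blob.byteslice(NONCE_LEN...-TAG_LEN)
  (body.empty? ? ''.b : c.update(body)) + c.final
end

# Fresh data key per record, sealed under the KEK held only by approved UO staff.
def encrypt_record(kek, plaintext)
  data_key = OpenSSL::Random.random_bytes(32)
  Record.new(seal(data_key, plaintext), seal(kek, data_key))
end

def decrypt_record(kek, record)
  open_sealed(open_sealed(kek, record.wrapped_key), record.ciphertext)
end

# Periodic key change: re-wrap the data key under a new KEK without decrypting
# or rewriting the stored ciphertext. (Retiring the data key itself requires
# re-encrypting the record.)
def rotate_kek(old_kek, new_kek, record)
  data_key = open_sealed(old_kek, record.wrapped_key)
  Record.new(record.ciphertext, seal(new_kek, data_key))
end
```

After rotation the old KEK no longer unwraps the record, while the stored ciphertext is byte-for-byte unchanged.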

UO.52 Organizational cybersecurity policy is established and communicated

UO.53 Cyber threat intelligence is received from information sharing forums and sources

This includes monitoring the websites of your software vendors and reading relevant industry publications for news about emerging threats and available defenses.

UO.54 Risk management processes are established, managed, and agreed to by organizational stakeholders

UO.55 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders

UO.56 Separation of system and user functionality

Separate user functionality, including user interface services, from system management.