# Control Implementation

| Control ID   | Related Risk IDs                                                                                                                 | Entry Requirement                                                                              | Implementation Method                                                                             | Control Owner Team               | Control Implementor Team                                                    |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------- | --------------------------------------------------------------------------- |
| CTRL-AST-001 | RISK-AM-001, RISK-BC-003, RISK-EX-001, RISK-IR-003                                                                               | Introduction/acquisition/deployment of new technology asset                                    | \[On-premise] Follow operations pipeline with agent installation for CMDB registration            | IT Operations Team               | IT Operations Support Team                                                  |
| CTRL-AST-001 | RISK-AM-001, RISK-BC-003, RISK-EX-001, RISK-IR-003                                                                               | Introduction/acquisition/deployment of new technology asset or change/modification of existing | \[On-premise/Cloud SaaS] Manual input/update to CMDB and Taxonomy                                 | IT Operations Team               | -                                                                           |
| CTRL-AST-001 | RISK-AM-001, RISK-BC-003, RISK-EX-001, RISK-IR-003                                                                               | Introduction/acquisition/deployment of new technology asset                                    | \[Azure Cloud] Follow pipeline for asset registration in CMDB                                     | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-AST-001 | RISK-AM-001, RISK-BC-003, RISK-EX-001, RISK-IR-003                                                                               | Introduction/acquisition/deployment of new technology asset                                    | \[AWS Cloud] Follow pipeline for registration in AWS-native tools (e.g., Aurora DB, MongoDB, EC2) | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-AST-001 | RISK-AM-001, RISK-BC-003, RISK-EX-001, RISK-IR-003                                                                               | Introduction/acquisition/deployment of corporate end-user device (PC, Laptop, Mobile)          | \[Corporate End User Devices] Follow EUS pipeline to register/update inventory and CMDB           | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-BCD-002 | RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-IR-002                                                                  | Introduction of new resilience design or change                                                | \[On-premise] Define/update RTO/RPO in ITOG, follow PDLC OAT drill protocol                       | IT Operations Team               | -                                                                           |
| CTRL-BCD-002 | RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-IR-002                                                                  | Introduction of new resilience design or change                                                | \[Cloud IaaS/PaaS] Define/update RTO/RPO in ITOG, follow PDLC OAT drill protocol                  | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-BCD-002 | RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-IR-002                                                                  | Acquisition of new Cloud SaaS service                                                          | \[Cloud SaaS] Confirm RTO/RPO from provider meets ITOG/business requirements                      | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-BCD-003 | RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                               | Introduction/change of system, server, network                                                 | \[On-premise] Follow storage pipeline for services with automated backup                          | IT Storage Team                  | IT Storage Team                                                             |
| CTRL-BCD-003 | RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                               | Introduction/change of system, server, network                                                 | \[On-premise] Define backup mechanism in ITOG per standards                                       | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-BCD-003 | RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                               | Introduction/change of cloud-based resource                                                    | \[Cloud IaaS/PaaS] Define backup mechanism in ITOG per standards                                  | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-BCD-003 | RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                               | Acquisition of new Cloud SaaS service                                                          | \[Cloud SaaS] Confirm provider backup meets ITOG standards                                        | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CAP-002 | RISK-BC-001, RISK-BC-003, RISK-BC-004, RISK-SA-001                                                                               | Introduction of new system/server/network/cloud resource                                       | \[On-premise/Cloud SaaS] Follow standard build for monitoring agent installation                  | IT Operations Team               | IT Operations Support Team                                                  |
| CTRL-CAP-002 | RISK-BC-001, RISK-BC-003, RISK-BC-004, RISK-SA-001                                                                               | Change impacting performance                                                                   | \[On-premise/Cloud SaaS] Review/update monitoring metrics                                         | IT Operations Team               | -                                                                           |
| CTRL-CAP-002 | RISK-BC-001, RISK-BC-003, RISK-BC-004, RISK-SA-001                                                                               | Introduction of new system/server/network/cloud resource                                       | \[AWS Cloud] Follow pipeline for performance logging/monitoring                                   | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-CAP-002 | RISK-BC-001, RISK-BC-003, RISK-BC-004, RISK-SA-001                                                                               | Introduction of new system/server/network/cloud resource                                       | \[Azure Cloud] Follow pipeline for Azure Monitor                                                  | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-CAP-002 | RISK-BC-001, RISK-BC-003, RISK-BC-004, RISK-SA-001                                                                               | Introduction of new system/server/network/cloud resource                                       | \[On-premise/Cloud SaaS] Define monitoring in ITOG/SOP                                            | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/deployment of new system/server/network/cloud                                     | \[On-premise/Cloud] Follow standard build for BigFix installation/compliance scanning             | IT Operations Team               | IT Infrastructure Team (for agent/build); IT Operations Team (for scanning) |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Change with OS/DB version upgrade                                                              | \[On-premise/Cloud] Review/update configs per new standards, conduct scanning                     | IT Operations Team               | -                                                                           |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/deployment or change with version upgrade                                         | \[On-premise/Cloud] Follow standard build for AD GPO policy                                       | IT Operations Team               | IT Infrastructure Team                                                      |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/deployment or change with version upgrade                                         | \[On-premise/Cloud] Follow hardening guidelines                                                   | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Acquisition of new Cloud SaaS                                                                  | \[Cloud SaaS] Obtain provider assessment report on hardening                                      | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/replacement of Windows PC/Laptop                                                  | \[Corporate End User Devices] Follow EUS pipeline for AD GPO                                      | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/replacement of macOS PC/Laptop                                                    | \[Corporate End User Devices] Follow EUS pipeline for JAMF                                        | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-CFG-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/replacement of Mobile/Tablet                                                      | \[Corporate End User Devices] Follow EUS pipeline for MS Intune                                   | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-CLD-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction of new API service/technology                                                     | \[On-premise] Follow security pipeline for Imperva WAF onboarding                                 | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-CLD-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction/change of API integration                                                         | \[Messaging On-premise/Cloud] Follow integration pipeline for CAP.EMM Solace (auth/encryption)    | IT Integration Team              | IT Integration Team                                                         |
| CTRL-CLD-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction/change of API integration                                                         | \[RESTful API On-premise/Cloud] Follow integration pipeline for APIM (protection/auth/encryption) | IT Integration Team              | IT Integration Team                                                         |
| CTRL-CLD-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction/change of website/mobile with API                                                 | \[On-premise/Cloud] Follow security pipeline for Akamai WAF onboarding                            | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-CLD-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction of new API service/technology                                                     | \[AWS Cloud] Follow security pipeline for AWS WAF onboarding                                      | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-CLD-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction of new API service/technology                                                     | \[Azure Cloud] Follow pipeline for API management/Databricks                                      | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-CLD-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction of new API service/technology                                                     | Follow best practices for API keys                                                                | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CLD-005 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction of new Cloud IaaS/PaaS/SaaS or tenant change                                      | Obtain provider assessment report on tenant segregation                                           | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CLD-006 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction of new Cloud/SaaS or network change                                               | Obtain provider assessment report on secure protocols/encryption                                  | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CLD-007 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction of new Cloud/SaaS or new sensitive data feed                                      | Obtain provider assessment report on encrypted storage/access                                     | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CRY-001 | RISK-AC-004, RISK-AM-002, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                  | Introduction of new system/Cloud/SaaS/API or change                                            | Implement data-in-transit encryption (e.g., HTTPS, SSL)                                           | IT Data Protection Team          | IT Data Protection Team                                                     |
| CTRL-CRY-003 | RISK-AC-004, RISK-AM-002, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                  | Introduction of new system/Cloud/SaaS/DB/end-user device                                       | Implement data-at-rest encryption (e.g., TDE, AES256)                                             | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-CRY-004 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                     | Introduction/change involving crypto keys                                                      | \[On-premise] Follow key pipeline for secure store (e.g., vault)                                  | IT Data Protection Team          | IT Data Protection Team                                                     |
| CTRL-CRY-004 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                     | Introduction/change involving crypto keys                                                      | \[Cloud Container] Implement Vault as golden source, sync with native tools                       | IT Cloud Platform Team           | -                                                                           |
| CTRL-CRY-004 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                     | Introduction/change involving crypto keys                                                      | \[Azure Cloud] Follow pipeline for Azure Key Vault onboarding                                     | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-CRY-004 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                     | Introduction/change involving crypto keys                                                      | \[AWS Cloud] Follow pipeline for Amazon KMS onboarding                                            | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-CRY-004 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                     | Introduction/change involving crypto keys                                                      | \[AWS Cloud] Follow pipeline for Amazon EKS Secret Manager                                        | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-DCH-003 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                                     | Introduction of new server                                                                     | \[On-premise] Follow standard build for AD GPO                                                    | IT Infrastructure Team           | -                                                                           |
| CTRL-DCH-003 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                                     | Introduction of new server or endpoint device                                                  | \[On-premise/Cloud] Follow standard build for BigFix/compliance scanning                          | IT Operations Team               | IT Infrastructure Team (for agent/build); IT Operations Team (for scanning) |
| CTRL-DCH-003 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                                     | Introduction of new server or endpoint device                                                  | Configure barriers to restrict removable media                                                    | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-DCH-003 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                                     | Introduction/replacement of Windows PC/Laptop                                                  | \[Corporate End User Devices] Follow EUS pipeline for AD GPO                                      | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-DCH-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/replacement of Mobile/Tablet                                                      | \[Corporate End User Devices] Follow EUS pipeline for JAMF                                        | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-DCH-003 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/replacement of macOS PC/Laptop                                                    | \[Corporate End User Devices] Follow EUS pipeline for MS Intune                                   | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-DCH-007 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                               | Introduction of new network/environment or data flow                                           | \[On-premise/Cloud] Implement encryption for transfers                                            | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-DCH-007 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                               | Introduction of new network/environment or data flow (Internal+ data)                          | \[Azure Cloud] Implement encryption for transfers                                                 | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-DCH-008 | RISK-AC-001, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-GV-001                                                     | Introduction of new system/server/network/cloud                                                | \[On-premise/Cloud] Define retention/purging in ITOG per policy                                   | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-DCH-008 | RISK-AC-001, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-GV-001                                                     | Introduction of new system/server/network/cloud or decommissioning                             | \[Azure Cloud] Define retention/purging in ITOG per policy                                        | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-DCH-010 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-GV-004, RISK-GV-005                                                                  | Introduction of network with cross-border transfer                                             | Consult Privacy & Compliance Team on transfers                                                    | Privacy & Compliance Team        | Portfolio Management Team                                                   |
| CTRL-END-001 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/VM cloud                                                     | \[On-premise/Cloud] Follow standard build for Trend Micro agent                                   | IT Security Team                 | IT Infrastructure Team                                                      |
| CTRL-END-001 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/VM cloud                                                     | \[On-premise/Cloud] Follow security pipeline for non-standard anti-malware                        | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-END-001 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/VM cloud                                                     | \[On-premise/Cloud] Install Carbon Black EDR on Internet-facing                                   | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-END-001 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new container cloud                                                            | \[AWS Cloud Container] Follow pipeline for Aqua Enforcer                                          | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-END-001 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Acquisition of new Cloud SaaS                                                                  | \[Cloud SaaS] Obtain provider assessment on anti-malware                                          | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-END-001 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of Windows PC/Laptop                                                  | \[Corporate End User Devices] Follow EUS pipeline for Trend Micro                                 | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-END-002 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/cloud                                                        | \[On-premise/Cloud] Follow standard build for Carbon Black EDR on Internet-facing                 | IT Security Team                 | IT Infrastructure Team                                                      |
| CTRL-END-002 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/cloud                                                        | \[On-premise/Cloud] Follow security pipeline for non-standard anti-malware                        | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-END-002 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/cloud                                                        | \[Azure Cloud] Follow pipeline for threat protection (e.g., Azure Defender)                       | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-END-002 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of Windows PC/Laptop                                                  | \[Corporate End User Devices] Follow EUS pipeline for Carbon Black                                | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-END-002 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of Mobile/Tablet                                                      | \[Corporate End User Devices] Follow EUS pipeline for JAMF                                        | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-END-002 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of macOS PC/Laptop                                                    | \[Corporate End User Devices] Follow EUS pipeline for MS Intune                                   | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-END-002 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of Desktop/Kiosk                                                      | \[Corporate End User Devices] Implement physical security measures                                | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-END-003 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/cloud                                                        | \[On-premise] Follow standard build for AD GPO                                                    | IT Infrastructure Team           | -                                                                           |
| CTRL-END-003 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction of new system/server/cloud or endpoint                                            | \[On-premise/Cloud] Follow standard build for BigFix/compliance scanning                          | IT Operations Team               | IT Infrastructure Team (for agent/build); IT Operations Team (for scanning) |
| CTRL-END-003 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of Windows PC/Laptop                                                  | \[Corporate End User Devices] Follow EUS pipeline for AD GPO                                      | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-END-003 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of MacOS PC/Laptop                                                    | \[Corporate End User Devices] Follow EUS pipeline for Jamf                                        | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-END-003 | RISK-AC-004, RISK-AM-002, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-EX-002                                                     | Introduction/replacement of Mobile/Tablet                                                      | \[Corporate End User Services] Follow EUS pipeline for MS Intune                                  | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-IAC-001 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                                     | Introduction of new system/server/network/cloud (with new user access)                         | Follow security pipeline for WIAM onboarding                                                      | IT IAM Team                      | IT IAM Support Team                                                         |
| CTRL-IAC-001 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                                     | Introduction of new system/server/network/cloud (with new user access)                         | Integrate with AD domain, create WIAM groups                                                      | IT IAM Team                      | IT Infrastructure Team (for AD)                                             |
| CTRL-IAC-001 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                                     | Introduction or change introducing new user access                                             | Define account management procedure/R\&R per standards                                            | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-IAC-002 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002, RISK-GV-004, RISK-GV-005                           | Introduction of new system/server/network/cloud (with external access)                         | Follow security pipeline for WIAM onboarding                                                      | IT IAM Team                      | IT IAM Support Team                                                         |
| CTRL-IAC-002 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002, RISK-GV-004, RISK-GV-005                           | Introduction of new system/server/network/cloud (with external access)                         | Enforce domain account creation, integrate AD/WIAM groups                                         | IT IAM Team                      | IT Infrastructure Team (for AD)                                             |
| CTRL-IAC-002 | RISK-AC-001, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002, RISK-GV-004, RISK-GV-005                           | Introduction or change enabling external access                                                | Implement authentication for external users                                                       | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-IAC-003 | RISK-AC-001, RISK-AC-003, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                        | Introduction of system with remote access or migration to cloud                                | Follow security pipeline for WIAM with MFA (Passkey)                                              | IT IAM Team                      | IT IAM Support Team                                                         |
| CTRL-IAC-003 | RISK-AC-001, RISK-AC-003, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                        | Introduction of system with remote access or migration to cloud                                | Implement third-party software token MFA                                                          | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-IAC-003 | RISK-AC-001, RISK-AC-003, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002                                        | Introduction of system with remote access or migration to cloud                                | \[AWS Cloud] Follow pipeline for hardware token (YubiKey) for root                                | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-IAC-004 | RISK-AC-004                                                                                                                      | Introduction of new system/server/network/cloud                                                | Follow security pipeline for WIAM onboarding                                                      | IT IAM Team                      | IT IAM Support Team                                                         |
| CTRL-IAC-004 | RISK-AC-004                                                                                                                      | Introduction of new system/server/network/cloud                                                | Define account management procedure/R\&R per standards                                            | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-IAC-005 | RISK-AC-004, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                  | Introduction or change updating permission design                                              | Follow security pipeline for WIAM onboarding                                                      | IT IAM Team                      | IT IAM Support Team                                                         |
| CTRL-IAC-005 | RISK-AC-004, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                  | Introduction or change updating permission design                                              | Define account management procedure/R\&R per standards                                            | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-IAC-005 | RISK-AC-004, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004                                                                  | Introduction or change updating permission design                                              | \[Azure Cloud] Follow pipeline for RBAC via ACL                                                   | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-IAC-007 | RISK-AC-001, RISK-AC-002, RISK-AC-003, RISK-AC-004, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002, RISK-IR-001 | Introduction of new system/server/network/cloud                                                | Follow standard build for CyberArk PAM onboarding (local admin)                                   | IT Operations Team               | IT Infrastructure Team                                                      |
| CTRL-IAC-007 | RISK-AC-001, RISK-AC-002, RISK-AC-003, RISK-AC-004, RISK-BC-001, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-002, RISK-IR-001 | Introduction of new system/server/network/cloud                                                | Onboard privileged accounts from ITOG to CyberArk PAM                                             | IT Operations Team               | IT Operations Support Team                                                  |
| CTRL-IAC-008 | RISK-AC-001, RISK-AC-004                                                                                                         | Introduction of new system/server/network/cloud                                                | Follow security pipeline for WIAM onboarding                                                      | IT IAM Team                      | IT IAM Support Team                                                         |
| CTRL-IAC-008 | RISK-AC-001, RISK-AC-004                                                                                                         | Introduction of new system/server/network/cloud                                                | \[On-premise] Follow standard build for AD GPO password policy                                    | IT IAM Team                      | IT Infrastructure Team                                                      |
| CTRL-IAC-008 | RISK-AC-001, RISK-AC-004                                                                                                         | Introduction of new system/server/network/cloud                                                | Implement password requirements per standards                                                     | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-MON-001 | RISK-AC-003, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-001, RISK-EX-002, RISK-IR-001, RISK-IR-002              | Introduction of new system/server/network/cloud                                                | Follow SIEM pipeline for Splunk agent/log onboarding                                              | IT Cyber Defense Team            | IT Cyber Defense Team                                                       |
| CTRL-MON-001 | RISK-AC-003, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-001, RISK-EX-002, RISK-IR-001, RISK-IR-002              | Introduction of new system/server/network/cloud                                                | Define log type/mechanism for SOC review via SIEM                                                 | IT Cyber Defense Team            | IT Cyber Defense Team                                                       |
| CTRL-MON-001 | RISK-AC-003, RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-EX-001, RISK-EX-002, RISK-IR-001, RISK-IR-002              | Introduction of new system/server/network/cloud                                                | Align with SOC on log type/mechanism/process                                                      | IT Security Operations Team      | IT Security Operations Team                                                 |
| CTRL-NET-001 | RISK-BC-003, RISK-EX-001                                                                                                         | Introduction/change of network (on-premise/cloud)                                              | \[On-premise] Follow security pipeline for firewall onboarding                                    | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-NET-001 | RISK-BC-003, RISK-EX-001                                                                                                         | Introduction/change of network (on-premise/cloud)                                              | \[AWS Cloud] Follow security pipeline for virtual firewall                                        | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-NET-002 | RISK-BC-003, RISK-EX-001                                                                                                         | Introduction/change of network (on-premise/cloud)                                              | \[On-premise/Cloud] Follow DDoS pipeline for Akamai Prolexic                                      | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-NET-002 | RISK-BC-003, RISK-EX-001                                                                                                         | Introduction/change of network (on-premise/cloud)                                              | \[AWS Cloud] Follow pipeline for AWS Shield                                                       | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-NET-003 | RISK-BC-003, RISK-EX-001                                                                                                         | Introduction/change of network (on-premise)                                                    | \[On-premise] Follow network process for ACL                                                      | IT Network Team                  | IT Network Team                                                             |
| CTRL-NET-003 | RISK-BC-003, RISK-EX-001                                                                                                         | Introduction/change of network (cloud)                                                         | \[AWS Cloud] Follow pipeline for network ACL config                                               | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-NET-004 | RISK-AC-004, RISK-BC-003                                                                                                         | Introduction/change of network (on-premise)                                                    | \[On-premise] Follow network process for segmentation                                             | IT Network Team                  | IT Network Team                                                             |
| CTRL-NET-004 | RISK-AC-004, RISK-BC-003                                                                                                         | Introduction/change of network (cloud)                                                         | \[AWS Cloud] Follow pipeline for VPC                                                              | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-NET-004 | RISK-AC-004, RISK-BC-003                                                                                                         | Introduction/change of network (cloud)                                                         | \[Azure Cloud] Follow pipeline for VNet                                                           | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-NET-005 | RISK-AC-004, RISK-BC-003                                                                                                         | Introduction/change of network (on-premise/cloud)                                              | Follow security pipeline for Check Point IPS                                                      | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-NET-006 | RISK-AC-001, RISK-AC-004, RISK-BC-003                                                                                            | Introduction/replacement of end-user device                                                    | \[Corporate End User Devices] Follow EUS pipeline for Ivanti Pulse Secure                         | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-NET-006 | RISK-AC-001, RISK-AC-004, RISK-BC-003                                                                                            | Introduction of new system/server/network/cloud                                                | \[AWS Cloud] Follow pipeline for remote access via ECP.RAC                                        | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-NET-006 | RISK-AC-001, RISK-AC-004, RISK-BC-003                                                                                            | Introduction of new system/server/network/cloud                                                | \[AWS Cloud] Follow pipeline for bastion/jump host                                                | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-NET-006 | RISK-AC-001, RISK-AC-004, RISK-BC-003                                                                                            | Introduction of new system/server/network/cloud                                                | \[Azure Cloud] Follow pipeline for jump host/portal                                               | IT Cloud Services Team           | IT Cloud Services Team                                                      |
| CTRL-NET-007 | RISK-AC-004, RISK-BC-003                                                                                                         | Introduction/change of wireless network                                                        | Follow network process for WiFi per standards                                                     | IT Network Team                  | IT Network Team                                                             |
| CTRL-NET-008 | RISK-BC-002, RISK-BC-003                                                                                                         | Introduction/replacement of Windows PC/Laptop                                                  | \[Corporate End User Devices] Follow EUS pipeline for Forcepoint DLP                              | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-NET-008 | RISK-BC-002, RISK-BC-003                                                                                                         | Introduction of cloud resources/service                                                        | \[Corporate End User Devices] Follow EUS pipeline for Netskope CASB                               | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-NET-008 | RISK-BC-002, RISK-BC-003                                                                                                         | Introduction/change of endpoint with sensitive data                                            | Implement DLP rules for data storage/processing                                                   | IT Data Protection Team          | IT Security Design Team (new rules); IT Data Protection Team (existing)     |
| CTRL-NET-008 | RISK-BC-002, RISK-BC-003                                                                                                         | Introduction/change of cloud resource/data flow                                                | \[Cloud] Implement data exchange/masking per guidelines                                           | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-NET-008 | RISK-BC-002, RISK-BC-003                                                                                                         | Introduction/replacement of Mobile/Tablet                                                      | \[Corporate End User Devices] Follow EUS pipeline for MS Intune                                   | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-NET-008 | RISK-BC-002, RISK-BC-003                                                                                                         | Introduction/replacement of MacOS PC/Laptop                                                    | \[Corporate End User Devices] Follow EUS pipeline for Ivanti Pulse Secure                         | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-NET-009 | RISK-BC-002, RISK-GV-006                                                                                                         | Introduction/change of network (on-premise/cloud)                                              | Follow security pipeline for firewall content filtering                                           | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-PES-001 | RISK-AC-001, RISK-AC-004, RISK-AM-001, RISK-BC-001, RISK-BC-002, RISK-BC-004                                                     | Introduction of new hardware asset                                                             | \[On-premise] Follow operations pipeline to deploy to ITOB                                        | IT Operations Team               | -                                                                           |
| CTRL-PES-001 | RISK-AC-001, RISK-AC-004, RISK-AM-001, RISK-BC-001, RISK-BC-002, RISK-BC-004                                                     | Introduction of new Cloud IaaS/PaaS/SaaS                                                       | \[Cloud] Obtain provider assessment on physical access                                            | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-PES-002 | RISK-AM-001, RISK-BC-001                                                                                                         | Introduction of new Cloud IaaS/PaaS/SaaS                                                       | \[Cloud] Obtain provider assessment on environmental security                                     | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-RSK-002 | RISK-BC-002, RISK-BC-003, RISK-BC-004, RISK-GV-002, RISK-GV-004, RISK-GV-005                                                     | Introduction of system/service with Personal Data                                              | Consult Privacy & Compliance Team on PIA                                                          | Privacy & Compliance Team        | Portfolio Management Team                                                   |
| CTRL-SEA-001 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-002, RISK-IR-001                                                                  | Introduction/change of system/network/cloud architecture                                       | Follow PDLC pipeline for TSG/ADB endorsement                                                      | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-TDA-001 | RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                               | Introduction/change involving development/codebase                                             | Refer to Secure Coding Self-Service for scan                                                      | IT Security Design Team          | IT Application Security Team                                                |
| CTRL-TDA-001 | RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                               | Introduction/change involving development/codebase                                             | Perform peer code review (compensating; owner approval needed)                                    | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-TDA-001 | RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                               | Introduction/change of URL/API endpoint                                                        | Conduct DAST scan                                                                                 | IT Vulnerability Management Team | IT Vulnerability Management Team                                            |
| CTRL-TDA-001 | RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                               | Introduction/change involving development/codebase                                             | \[AWS Cloud] Follow pipeline for IaC security scanning                                            | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-TDA-002 | RISK-AC-004, RISK-BC-002, RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                  | Introduction/change impacting environment separation                                           | Implement network segmentation for dev/test/prod                                                  | IT Network Team                  | IT Network Team                                                             |
| CTRL-TDA-004 | RISK-AC-004, RISK-BC-002, RISK-BC-003                                                                                            | Introduction involving prod data in dev/test                                                   | Follow pipeline for requesting prod data usage with owner approval                                | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-VPM-001 | RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                                            | Introduction/change of system/server/network/cloud                                             | Onboard to security pipeline for pre-prod vulnerability scan                                      | IT Vulnerability Management Team | IT Vulnerability Management Team                                            |
| CTRL-VPM-002 | RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                                            | Introduction/change of system/server/network/cloud                                             | \[On-premise] Follow standard build for BigFix agent                                              | IT Infrastructure Team           | IT Infrastructure Team                                                      |
| CTRL-VPM-002 | RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                                            | Introduction/change of system/server/network/cloud                                             | \[AWS Cloud] Define patching mechanism (e.g., self-patching, AMI)                                 | IT Cloud Platform Team           | IT Cloud Platform Team                                                      |
| CTRL-VPM-002 | RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                                            | Introduction/change of Windows end-user device                                                 | \[Corporate End User Devices] Follow provisioning for SCCM agent                                  | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-VPM-002 | RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                                            | Introduction/change of Mobile/Tablet                                                           | \[Corporate End User Devices] Follow provisioning for Jamf agent                                  | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-VPM-002 | RISK-BC-003, RISK-EX-001, RISK-EX-002                                                                                            | Introduction/change of MacOS end-user device                                                   | \[Corporate End User Devices] Follow EUS pipeline for MS Intune                                   | IT End User Services Team        | IT End User Services Team                                                   |
| CTRL-VPM-003 | RISK-EX-001                                                                                                                      | Introduction/change of system/server/network/cloud                                             | Onboard to security pipeline for vulnerability scanning                                           | IT Vulnerability Management Team | IT Vulnerability Management Team                                            |
| CTRL-VPM-003 | RISK-EX-001                                                                                                                      | Acquisition of new Cloud SaaS                                                                  | \[Cloud SaaS] Obtain provider assessment on scanning/management                                   | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-VPM-004 | RISK-EX-001                                                                                                                      | Introduction/change of Internet-facing component                                               | Engage security team for pen testing per criteria                                                 | IT Vulnerability Management Team | IT Vulnerability Management Team                                            |
| CTRL-VPM-004 | RISK-EX-001                                                                                                                      | Acquisition of new Cloud SaaS                                                                  | \[Cloud SaaS] Obtain provider assessment on pen testing                                           | Portfolio Management Team        | Portfolio Management Team                                                   |
| CTRL-WEB-001 | RISK-AC-004, RISK-BC-001, RISK-BC-003                                                                                            | Introduction of Internet-facing system/cloud                                                   | \[On-premise] Follow security pipeline for Imperva WAF                                            | IT Security Team                 | IT Platform & Network Security Team                                         |
| CTRL-WEB-001 | RISK-AC-004, RISK-BC-001, RISK-BC-003                                                                                            | Introduction of Internet-facing system/cloud                                                   | \[AWS Cloud] Follow security pipeline for AWS WAF                                                 | IT Security Team                 | IT Platform & Network Security Team                                         |
