Trustmark Definitions (801-825 of 3247)

Trustmark Definition Name | Version
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents, manages, and ensures the integrity of changes to the tools used in development.
1.0
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that identifies the standards and tools used in the development process.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to: (a) Perform an automated vulnerability analysis using organization-defined tools; (b) Determine the exploitation potential for discovered vulnerabilities; (c) Determine potential risk mitigations for delivered vulnerabilities; and (d) Deliver the outputs of the tools and results of the analysis to organization-defined personnel or roles.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to: (a) Define quality metrics at the beginning of the development process; and (b) Provide evidence of meeting the quality metrics [Selection (one or more): organization-defined frequency; organization-defined program review milestones; upon delivery].
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
1.0
Defines conformance and assessment criteria for verifying that an organization requires that developers perform threat modeling and a vulnerability analysis for the information system at organization-defined breadth/depth that: (a) Uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels; (b) Employs organization-defined tools and methods; and (c) Produces evidence that meets organization-defined acceptance criteria.
1.0
Defines conformance and assessment criteria for verifying that an organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
1.0
Specifies that a health care related organization must maintain a record of the movements of hardware and electronic media and any person responsible therefore.
1.0
Specifies that a health care related organization must create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
1.0
Specifies that a health care related organization must have policies to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
1.0
Specifies that a health care related organization must implement procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
1.0
Specifies that a health care related organization must document policies that govern the movement of hardware and electronic media that contain electronic protected health information within a facility.
1.0
Specifies that a health care related organization must implement procedures that govern the movement of hardware and electronic media that contain electronic protected health information within a facility.
1.0
Specifies that a health care related organization must implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
1.0
Specifies that a health care related organization must document policies that govern the receipt of hardware and electronic media that contain electronic protected health information into a facility.
1.0
Specifies that a health care related organization must implement procedures that govern the receipt of hardware and electronic media that contain electronic protected health information into a facility.
1.0
Specifies that a health care related organization must document policies that govern the removal of hardware and electronic media that contain electronic protected health information out of a facility.
1.0
Specifies that a health care related organization must implement procedures that govern the removal of hardware and electronic media that contain electronic protected health information out of a facility.
1.0