Trustmark Definition Name | Version |
---|---|
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires that developers perform threat modeling and a vulnerability analysis for the information system at organization-defined breadth/depth that: (a) uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels; (b) employs organization-defined tools and methods; and (c) produces evidence that meets organization-defined acceptance criteria. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. | 1.0 |
Specifies that a health care related organization must maintain a record of the movements of hardware and electronic media and any person responsible therefore. | 1.0 |
Specifies that a health care related organization must create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | 1.0 |
Specifies that a health care related organization must have policies to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | 1.0 |
Specifies that a health care related organization must implement procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | 1.0 |
Specifies that a health care related organization must document policies that govern the movement of hardware and electronic media that contain electronic protected health information within a facility. | 1.0 |
Specifies that a health care related organization must implement procedures that govern the movement of hardware and electronic media that contain electronic protected health information within a facility. | 1.0 |
Specifies that a health care related organization must implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. | 1.0 |
Specifies that a health care related organization must document policies that govern the receipt of hardware and electronic media that contain electronic protected health information into a facility. | 1.0 |
Specifies that a health care related organization must implement procedures that govern the receipt of hardware and electronic media that contain electronic protected health information into a facility. | 1.0 |
Specifies that a health care related organization must document policies that govern the removal of hardware and electronic media that contain electronic protected health information out of a facility. | 1.0 |
Specifies that a health care related organization must implement procedures that govern the removal of hardware and electronic media that contain electronic protected health information out of a facility. | 1.0 |
Defines conformance and assessment criteria for verifying that an information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. | 1.0 |
Defines conformance and assessment criteria for verifying that an information system authenticates organization-defined specific devices and/or types of devices before establishing local, remote, or network connections, using bidirectional authentication that is cryptographically based. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization ensures that device identification and authentication based on attestation is handled by an organization-defined configuration management process. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with organization-defined lease information and lease duration requirements. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization audits dynamic address allocation lease information when it is assigned to a device. | 1.0 |
Addresses the requirement for organizations to issue certificates only to devices under the issuing organization's control. | 1.0 |
Organizations must document their digital identity risk acceptance statement, including specific details regarding the assurance levels implemented and assessed, as well as any compensating controls needed to pass assessments. | 1.0 |
Organizations must perform a digital identity risk assessment, during which they identify all of their operating assurance levels across identity, authentication, and federation. | 1.0 |
This Trustmark Definition defines conformance and assessment criteria for compliance with minimum security requirements for access enforcement as related to overall access control requirements. | 1.0 |
Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to apply patches directly for all of its cloud-based and Software-as-a-Service (SaaS) product and service offerings without requiring customer action. | 1.0 |
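The two rows above on dynamic address allocation (standardizing lease duration, and auditing lease information when it is assigned to a device) are the kind of criteria an assessor checks by pulling the DHCP server's lease database and comparing each assignment against the organization-defined duration. The following is an added example, not code from the Trustmark Framework or any of the definitions listed on this page. It assumes the ISC dhcpd `dhcpd.leases` record format (UTC timestamps of the form `weekday YYYY/MM/DD HH:MM:SS`, or `never`), a hypothetical organization policy that every dynamic lease must be exactly eight hours, and a constructed sample of three lease records embedded inline; it flags leases whose duration deviates from policy and treats an unbounded (`ends never`) lease as a policy failure rather than as a missing value.

```python
"""Audit DHCP lease assignments against an organization-defined lease duration.

Added example (not part of the Trustmark definitions on this page). Parses
ISC dhcpd.leases-style records and emits one audit record per lease, marking
any whose duration deviates from the policy value as non-conforming.
"""
import json
import re
from datetime import datetime, timezone

# Hypothetical organization-defined policy: every dynamic lease is exactly 8h.
POLICY_LEASE_SECONDS = 8 * 3600

# One top-level "lease <ip> { ... }" record; assumes no nested braces inside
# the record (plain dhcpd.leases output, no "on release { }" event blocks).
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def _parse_ts(value):
    """dhcpd timestamps are 'weekday YYYY/MM/DD HH:MM:SS' in UTC, or 'never'."""
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(
        tzinfo=timezone.utc
    )


def _field(body, name):
    """Return the value of a 'name value;' statement at the start of a line, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(.+?);", body, re.M)
    return m.group(1).strip() if m else None


def parse_leases(text):
    """Extract the fields the audit needs from every lease record in the file."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        starts = _field(body, "starts")
        ends = _field(body, "ends")
        host = _field(body, "client-hostname")
        leases.append({
            "ip": ip,
            "mac": _field(body, "hardware ethernet"),
            "hostname": host.strip('"') if host else None,
            "state": _field(body, "binding state"),
            "starts": _parse_ts(starts) if starts else None,
            "ends": _parse_ts(ends) if ends else None,
        })
    return leases


def audit_lease(lease, policy_seconds=POLICY_LEASE_SECONDS):
    """Build the audit record for one lease; 'conforms' is False when the lease
    is unbounded or its duration differs from the policy value."""
    record = {
        "ip": lease["ip"],
        "mac": lease["mac"],
        "hostname": lease["hostname"],
        "state": lease["state"],
        "starts": lease["starts"].isoformat() if lease["starts"] else None,
        "ends": lease["ends"].isoformat() if lease["ends"] else "never",
    }
    if lease["starts"] is None or lease["ends"] is None:
        record.update(duration_seconds=None, conforms=False,
                      reason="unbounded lease (no start or 'ends never')")
        return record
    duration = int((lease["ends"] - lease["starts"]).total_seconds())
    record["duration_seconds"] = duration
    record["conforms"] = duration == policy_seconds
    record["reason"] = (None if record["conforms"]
                        else f"duration {duration}s != policy {policy_seconds}s")
    return record


def audit_file(text, policy_seconds=POLICY_LEASE_SECONDS):
    """Audit every lease in a dhcpd.leases-format string."""
    return [audit_lease(lease, policy_seconds) for lease in parse_leases(text)]


# Constructed sample: one conforming 8h lease, one 24h lease, one unbounded lease.
SAMPLE_LEASES = """\
lease 10.20.0.23 {
  starts 3 2024/05/01 10:00:00;
  ends 3 2024/05/01 18:00:00;
  cltt 3 2024/05/01 10:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-01";
}
lease 10.20.0.57 {
  starts 3 2024/05/01 10:05:00;
  ends 4 2024/05/02 10:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "printer-3f";
}
lease 10.20.0.99 {
  starts 3 2024/05/01 11:00:00;
  ends never;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

if __name__ == "__main__":
    # Emit one JSON line per lease so the records can be shipped to a log pipeline.
    for rec in audit_file(SAMPLE_LEASES):
        print(json.dumps(rec))
```

Each emitted record carries the device identity (MAC, hostname), the assigned address, the lease window, and a conformance verdict, which is the evidence an assessor would ask for under both rows: the duration check covers the standardization criterion, and the per-assignment record covers the audit criterion. On a real server, read `/var/lib/dhcp/dhcpd.leases` (path varies by distribution) and note that the file is append-only, so the last record for an address is the current one.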