Identify a Chief Information Security Officer (CISO) internally or retain the services of a third party. If a third party is used, a named senior member of the organization must provide oversight.
Conduct annual internal and external penetration tests.
Conduct a bi-annual vulnerability assessment of the company's technologies.
Retain transactional audit logs and records of cybersecurity events and the responses to them for at least 5 years.
Evaluate and test the security of internally and externally developed business applications.
Employ qualified cybersecurity personnel who are sufficiently trained in the cybersecurity tools in use.
Multi-factor authentication must be used by anyone accessing the internal network from an external network.
Provide regular cybersecurity training, and monitor the network to detect unauthorized access.
Encryption of Nonpublic Information is required both in transit and at rest.
Maintain written policies and procedures for responding to a cybersecurity event and ensuring timely remediation and recovery.