IBM Cloud Docs
PL-4 - Rules of Behavior

Control requirements

PL-4 (a)

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy.

PL-4 (b)

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system.

PL-4 (c)

Review and update the rules of behavior [IBM Assignment: at least annually].

PL-4 (d)

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [IBM Assignment: at least annually and when the rules are revised or changed].

Additional IBM Cloud for Financial Services specifications

Customer consent must be obtained prior to releasing any data outside its intended use.

The organization must have resources in place that are accountable for data management (Data Quality and Control).

The organization shall ensure that its resources do not conduct customer business using accounts that are not customer institution accounts (e.g., personal email, social media, and blogs) unless approved by the customer.

Rules of behavior must include data handling requirements according to customer’s security classification, including but not limited to:

  • Clear desk policy to safeguard sensitive information
  • Customer data may not be stored on laptops or mobile devices
  • When users stop work and move away from the immediate vicinity of the system, screen locks must be used so that information previously visible on the display is concealed behind a publicly viewable image
  • Credentials must not be shared and must be rotated and stored in accordance with authentication and encryption policies
  • Collaboration spaces must be secured and data only shared with authorized individuals granted permissions to access the data

Rules of behavior must include user responsibilities and expected behavior with regard to asset/device use and handling practices, including but not limited to:

  • Encryption usage
  • Safeguarding office, desk, drawer keys for storing work resources (e.g., laptops, mobile devices, documents, data)
  • Customer information must not be photographed, recorded, or taped
  • Text and instant messaging may only be used for valid business purposes
  • Printing customer data only for authorized purposes
  • Information security management must approve the use of any removable storage media used to store, process, or transmit customer data

Rules of behavior must include customer required restrictions on sending external emails, including but not limited to:

  • Only sending external emails for authorized business purposes
  • Never sending or forwarding customer-related content to personal email addresses
  • All email exchanges with the customer must be encrypted via customer-approved solutions

NIST supplemental guidance

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.