FISC Security Guidelines on Computer Systems for Financial Institutions

Japan's de facto mandatory security standard for financial institutions, published by the Center for Financial Industry Information Systems (FISC). Covers technical standards (system design, access control, cryptography, network security), operational standards (IT governance, incident response, outsourcing, SDLC), and facility standards (data center physical security, environmental controls, disaster recovery). Referenced by the FSA and Bank of Japan for supervisory examinations.

AC Access Control

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | FISC.T2 |
| AC-02 | Account Management | FISC.T2 |
| AC-03 | Access Enforcement | FISC.T2, FISC.T5, FISC.T11 |
| AC-04 | Information Flow Enforcement | FISC.T2, FISC.T3, FISC.T5, FISC.T8, FISC.T13 |
| AC-05 | Separation Of Duties | FISC.T2 |
| AC-06 | Least Privilege | FISC.T2 |
| AC-07 | Unsuccessful Login Attempts | FISC.T2 |
| AC-08 | System Use Notification | FISC.T2 |
| AC-10 | Concurrent Session Control | FISC.T2 |
| AC-11 | Session Lock | FISC.T2 |
| AC-12 | Session Termination | FISC.T2 |
| AC-13 | Supervision And Review -- Access Control | FISC.T2 |
| AC-16 | Automated Labeling | FISC.O9, FISC.T5 |
| AC-17 | Remote Access | FISC.T3, FISC.T8, FISC.T10 |
| AC-18 | Wireless Access Restrictions | FISC.T3, FISC.T10 |
| AC-19 | Access Control For Portable And Mobile Devices | FISC.T10 |
| AC-20 | Use Of External Information Systems | FISC.O6, FISC.T9, FISC.T13 |
| AC-24 | Access Control Decisions | FISC.T2 |

AT Awareness and Training

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | FISC.O8 |
| AT-02 | Security Awareness | FISC.O8 |
| AT-03 | Security Training | FISC.O8 |
| AT-04 | Security Training Records | FISC.O8 |
| AT-06 | Training Feedback | FISC.O8 |

AU Audit and Accountability

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | FISC.O7, FISC.O11 |
| AU-02 | Auditable Events | FISC.O2, FISC.O7, FISC.O11, FISC.T11 |
| AU-03 | Content Of Audit Records | FISC.O2, FISC.O11 |
| AU-04 | Audit Storage Capacity | FISC.O11, FISC.O13 |
| AU-05 | Response To Audit Processing Failures | FISC.O11 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | FISC.O2, FISC.O11 |
| AU-07 | Audit Reduction And Report Generation | FISC.O11 |
| AU-08 | Time Stamps | FISC.O11 |
| AU-09 | Protection Of Audit Information | FISC.O11 |
| AU-10 | Non-Repudiation | FISC.O11, FISC.T11, FISC.T12 |
| AU-11 | Audit Record Retention | FISC.O7, FISC.O11 |
| AU-12 | Audit Record Generation | FISC.O2 |

CA Security Assessment and Authorization

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | FISC.O7 |
| CA-02 | Security Assessments | FISC.O7 |
| CA-03 | Information System Connections | FISC.O6, FISC.T3, FISC.T9, FISC.T13 |
| CA-05 | Plan Of Action And Milestones | FISC.O7 |
| CA-07 | Continuous Monitoring | FISC.O2, FISC.O7 |
| CA-09 | Internal System Connections | FISC.T3, FISC.T9, FISC.T13 |

CM Configuration Management

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | FISC.O3 |
| CM-02 | Baseline Configuration | FISC.O3, FISC.O13, FISC.T7, FISC.T14 |
| CM-03 | Configuration Change Control | FISC.O3, FISC.O12 |
| CM-04 | Monitoring Configuration Changes | FISC.O3 |
| CM-05 | Access Restrictions For Change | FISC.O3 |
| CM-06 | Configuration Settings | FISC.O3, FISC.T7, FISC.T14 |
| CM-07 | Least Functionality | FISC.T7, FISC.T14 |
| CM-08 | Information System Component Inventory | FISC.O9, FISC.O13, FISC.T7 |
| CM-09 | Configuration Management Plan | FISC.O3 |
| CM-12 | Information Location | FISC.O9, FISC.T5 |
| CM-13 | Data Action Mapping | FISC.O9, FISC.T5 |
| CM-14 | Signed Components | FISC.O3, FISC.T6 |

CP Contingency Planning

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | FISC.O5 |
| CP-02 | Contingency Plan | FISC.O5 |
| CP-03 | Contingency Training | FISC.O5 |
| CP-04 | Contingency Plan Testing And Exercises | FISC.O5 |
| CP-05 | Contingency Plan Update | FISC.O5 |
| CP-06 | Alternate Storage Site | FISC.F5, FISC.O5 |
| CP-07 | Alternate Processing Site | FISC.F5, FISC.O5 |
| CP-08 | Telecommunications Services | FISC.F5, FISC.O5 |
| CP-09 | Information System Backup | FISC.O5 |
| CP-10 | Information System Recovery And Reconstitution | FISC.O5 |

IA Identification and Authentication

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | FISC.T2 |
| IA-02 | User Identification And Authentication | FISC.T2, FISC.T10, FISC.T11 |
| IA-04 | Identifier Management | FISC.T2 |
| IA-05 | Authenticator Management | FISC.T2, FISC.T10 |
| IA-06 | Authenticator Feedback | FISC.T2 |
| IA-07 | Cryptographic Module Authentication | FISC.T4 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | FISC.T2 |
| IA-12 | Identity Proofing | FISC.T2 |

IR Incident Response

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | FISC.O4 |
| IR-02 | Incident Response Training | FISC.O4 |
| IR-03 | Incident Response Testing And Exercises | FISC.O4 |
| IR-04 | Incident Handling | FISC.O4 |
| IR-05 | Incident Monitoring | FISC.O4 |
| IR-06 | Incident Reporting | FISC.O4 |
| IR-07 | Incident Response Assistance | FISC.O4 |
| IR-08 | Incident Response Plan | FISC.O4 |
| IR-09 | Information Spillage Response | FISC.O4 |

MA Maintenance

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | FISC.F3 |
| MA-02 | Controlled Maintenance | FISC.F3, FISC.O13 |
| MA-03 | Maintenance Tools | FISC.F3 |
| MA-04 | Remote Maintenance | FISC.F3 |
| MA-05 | Maintenance Personnel | FISC.F3 |
| MA-06 | Timely Maintenance | FISC.F3 |
| MA-07 | Field Maintenance | FISC.F3 |

MP Media Protection

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| MP-01 | Media Protection Policy And Procedures | FISC.F4, FISC.O9, FISC.T5 |
| MP-02 | Media Access | FISC.F4, FISC.T5 |
| MP-03 | Media Labeling | FISC.F4, FISC.O9 |
| MP-04 | Media Storage | FISC.F4 |
| MP-05 | Media Transport | FISC.F4 |
| MP-06 | Media Sanitization And Disposal | FISC.F4, FISC.O9 |
| MP-07 | Media Use | FISC.F4 |
| MP-08 | Media Downgrading | FISC.F4, FISC.O9 |

PE Physical and Environmental Protection

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | FISC.F1 |
| PE-02 | Physical Access Authorizations | FISC.F1 |
| PE-03 | Physical Access Control | FISC.F1 |
| PE-04 | Access Control For Transmission Medium | FISC.F1 |
| PE-05 | Access Control For Display Medium | FISC.F1 |
| PE-06 | Monitoring Physical Access | FISC.F1 |
| PE-07 | Visitor Control | FISC.F1 |
| PE-08 | Access Records | FISC.F1 |
| PE-09 | Power Equipment And Power Cabling | FISC.F2 |
| PE-10 | Emergency Shutoff | FISC.F2 |
| PE-11 | Emergency Power | FISC.F2 |
| PE-12 | Emergency Lighting | FISC.F2 |
| PE-13 | Fire Protection | FISC.F2 |
| PE-14 | Temperature And Humidity Controls | FISC.F2 |
| PE-15 | Water Damage Protection | FISC.F2 |
| PE-16 | Delivery And Removal | FISC.F3 |
| PE-17 | Alternate Work Site | FISC.F5 |
| PE-18 | Location Of Information System Components | FISC.F1 |
| PE-19 | Information Leakage | FISC.F1 |
| PE-21 | Electromagnetic Pulse Protection | FISC.F2 |
| PE-22 | Component Marking | FISC.F1 |
| PE-23 | Facility Location | FISC.F5 |

PL Planning

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | FISC.O1, FISC.T1 |
| PL-02 | System Security Plan | FISC.T1 |
| PL-06 | Security-Related Activity Planning | FISC.T1 |
| PL-09 | Central Management | FISC.O1, FISC.T1 |
| PL-10 | Baseline Selection | FISC.T1 |
| PL-11 | Baseline Tailoring | FISC.T1 |

PM Program Management

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| PM-01 | Information Security Program Plan | FISC.O1 |
| PM-02 | Information Security Program Leadership Role | FISC.O1 |
| PM-03 | Information Security and Privacy Resources | FISC.O1 |
| PM-04 | Plan of Action and Milestones Process | FISC.O1 |
| PM-05 | System Inventory | FISC.O1 |
| PM-06 | Measures of Performance | FISC.O7 |
| PM-09 | Risk Management Strategy | FISC.O1 |
| PM-14 | Testing, Training, and Monitoring | FISC.O7 |
| PM-28 | Risk Framing | FISC.O1 |

PS Personnel Security

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | FISC.O8 |
| PS-02 | Position Categorization | FISC.O8 |
| PS-03 | Personnel Screening | FISC.O8 |
| PS-04 | Personnel Termination | FISC.O8 |
| PS-05 | Personnel Transfer | FISC.O8 |
| PS-06 | Access Agreements | FISC.O8 |
| PS-07 | Third-Party Personnel Security | FISC.O6, FISC.O8 |
| PS-08 | Personnel Sanctions | FISC.O8 |
| PS-09 | Position Descriptions | FISC.O8 |

RA Risk Assessment

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | FISC.O1 |
| RA-02 | Security Categorization | FISC.O9 |
| RA-03 | Risk Assessment | FISC.O1 |
| RA-05 | Vulnerability Scanning | FISC.O12 |
| RA-07 | Risk Response | FISC.O1, FISC.O12 |
| RA-09 | Criticality Analysis | FISC.O1 |

SA System and Services Acquisition

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| SA-02 | Allocation Of Resources | FISC.T1 |
| SA-03 | Life Cycle Support | FISC.O10, FISC.T1, FISC.T6 |
| SA-04 | Acquisitions | FISC.O6, FISC.O10, FISC.T6, FISC.T9 |
| SA-08 | Security Engineering Principles | FISC.O10, FISC.O13, FISC.T1, FISC.T6 |
| SA-09 | External Information System Services | FISC.O6, FISC.T9 |
| SA-10 | Developer Configuration Management | FISC.O3, FISC.O10, FISC.T6 |
| SA-11 | Developer Security Testing | FISC.O10, FISC.T6 |
| SA-15 | Development Process, Standards, and Tools | FISC.O10, FISC.T6 |
| SA-16 | Developer-Provided Training | FISC.O10, FISC.T6 |
| SA-17 | Developer Security and Privacy Architecture and Design | FISC.O10, FISC.T1, FISC.T6 |
| SA-20 | Customized Development of Critical Components | FISC.O10, FISC.T6 |
| SA-21 | Developer Screening | FISC.O6, FISC.O10 |
| SA-23 | Specialization | FISC.O6 |

SC System and Communications Protection

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| SC-02 | Application Partitioning | FISC.T3, FISC.T14 |
| SC-03 | Security Function Isolation | FISC.T3, FISC.T14 |
| SC-04 | Information Remnance | FISC.T5 |
| SC-05 | Denial Of Service Protection | FISC.T3 |
| SC-06 | Resource Priority | FISC.O13 |
| SC-07 | Boundary Protection | FISC.T3, FISC.T8, FISC.T9, FISC.T10, FISC.T11, FISC.T13 |
| SC-08 | Transmission Integrity | FISC.T4, FISC.T8, FISC.T10, FISC.T11, FISC.T12 |
| SC-12 | Cryptographic Key Establishment And Management | FISC.T4, FISC.T11, FISC.T12 |
| SC-13 | Use Of Cryptography | FISC.T4, FISC.T8, FISC.T11, FISC.T12 |
| SC-16 | Transmission Of Security Parameters | FISC.T12 |
| SC-17 | Public Key Infrastructure Certificates | FISC.T4 |
| SC-18 | Mobile Code | FISC.T8 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | FISC.T3 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | FISC.T3 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | FISC.T3 |
| SC-23 | Session Authenticity | FISC.T8, FISC.T12 |
| SC-24 | Fail in Known State | FISC.O5 |
| SC-28 | Protection of Information at Rest | FISC.T4, FISC.T5 |
| SC-34 | Non-modifiable Executable Programs | FISC.T7 |
| SC-39 | Process Isolation | FISC.T14 |
| SC-40 | Wireless Link Protection | FISC.T4, FISC.T10 |
| SC-46 | Cross Domain Policy Enforcement | FISC.T3, FISC.T13 |
| SC-47 | Alternate Communications Paths | FISC.T3, FISC.T13 |
| SC-48 | Sensor Relocation | FISC.O2 |

SI System and Information Integrity

| Control | Name | FISC Security Guidelines References |
|---|---|---|
| SI-02 | Flaw Remediation | FISC.O12, FISC.T7 |
| SI-03 | Malicious Code Protection | FISC.T7, FISC.T14 |
| SI-04 | Information System Monitoring Tools And Techniques | FISC.O2, FISC.O4 |
| SI-05 | Security Alerts And Advisories | FISC.O2, FISC.O12 |
| SI-07 | Software And Information Integrity | FISC.T7, FISC.T12, FISC.T14 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | FISC.T5, FISC.T6, FISC.T8, FISC.T12 |
| SI-11 | Error Handling | FISC.T8 |
| SI-12 | Information Output Handling And Retention | FISC.O9, FISC.T5 |
| SI-13 | Predictable Failure Prevention | FISC.O2, FISC.O13 |
| SI-16 | Memory Protection | FISC.T7 |
| SI-17 | Fail-safe Procedures | FISC.O5 |