npm - bmad-plus - Versions diffs - 0.4.3 → 0.5.0 - Mend

bmad-plus 0.4.3 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md ADDED Viewed

@@ -0,0 +1,177 @@
+# CCPA/CPRA Consumer Rights — Fulfillment Workflows
+## General Request Handling Principles
+**Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
+**Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
+- For non-sensitive requests: match 2 data points the business already holds
+- For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
+- For requests submitted through an authorized agent: require written permission + verification of agent identity
+**Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
+**Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
+---
+## Right to Know (§1798.110 / §1798.115)
+**What must be disclosed:**
+- Specific pieces of PI collected about the consumer
+- Categories of PI collected
+- Categories of sources from which PI was collected
+- Business or commercial purpose for collecting, selling, or sharing PI
+- Categories of third parties to whom PI was disclosed
+- Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
+**Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
+**Exceptions where disclosure can be refused:**
+- Would require disclosing third-party trade secrets
+- Would conflict with federal/state law
+- PI collected for single one-time transaction and not retained
+- PI solely for internal operations consistent with context of collection
+- Solely used to complete the transaction for which collected
+**Workflow:**
+1. Receive and log request with timestamp
+2. Verify consumer identity (2-point match for standard requests)
+3. Search PI systems using identifying data
+4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
+5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
+6. Deliver response in portable, readily usable format within 45 days
+7. Provide notice if extension is needed (within original 45-day window)
+---
+## Right to Delete (§1798.105)
+**Business must:**
+- Delete the consumer's PI from its records
+- Direct service providers and contractors to delete the PI
+**Exceptions (business may retain PI if necessary to):**
+1. Complete a transaction or perform a contract
+2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
+3. Fix errors that impair intended functionality
+4. Exercise free speech or ensure another consumer's right to free speech
+5. Comply with a legal obligation (CCPA §1798.145(a))
+6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
+7. Research, journalism, or statistical purposes in the public interest
+**Workflow:**
+1. Receive and log deletion request
+2. Verify consumer identity
+3. Check if any exceptions apply; document reasoning if invoking an exception
+4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
+5. Confirm deletion to consumer (or explain exception invoked) within 45 days
+6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
+---
+## Right to Correct (§1798.106) — CPRA Addition
+**What the business must do:**
+- Take commercially reasonable steps to correct inaccurate PI
+- Instruct service providers and contractors to correct the PI
+- Consumer must provide documentation if business contests the claimed inaccuracy
+**Business may decline if:**
+- Correction would require revealing another individual's PI
+- Business disagrees the PI is inaccurate and documents its decision
+**Workflow:**
+1. Receive correction request with claimed correction details
+2. Verify consumer identity
+3. Evaluate accuracy of the claimed correction (may request supporting documentation)
+4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
+5. Notify consumer of outcome within 45 days
+---
+## Right to Opt-Out of Sale / Sharing (§1798.120)
+**Scope:** Applies to:
+- **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
+- **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
+**Mechanics:**
+- "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
+- Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
+- Once opted out, the business must wait **12 months** before asking the consumer to re-consent
+**Impact on advertising:**
+- Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
+- Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
+**Workflow:**
+1. Consumer submits opt-out via link, form, or GPC signal
+2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
+3. Update consent/preference management platform within 15 business days
+4. Propagate opt-out to service providers and contractors engaged in sale/sharing
+5. Do not contact consumer for 12 months to ask them to reconsider
+---
+## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
+**Sensitive Personal Information (SPI) categories:**
+- Social Security numbers, driver's license, passport, other government IDs
+- Financial account credentials (login + security code)
+- Precise geolocation (within 1/4 mile)
+- Racial/ethnic origin, religious/philosophical beliefs, union membership
+- Contents of consumer mail, email, or text messages (unless business is the intended recipient)
+- Genetic data
+- Biometric data for uniquely identifying a person
+- Health/medical information
+- Sexual orientation or sex life
+**Permitted uses without limitation right:**
+Business may use SPI without offering limitation if the purpose is:
+- Performing services or providing goods reasonably expected by a consumer
+- Safety, security, and integrity of services
+- Short-term, transient use (e.g., contextual ad based on current session)
+- Services on behalf of the business (service provider context)
+- Verifying or maintaining quality of services
+- Activities for which SPI was provided
+**Workflow:**
+1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
+2. Consumer exercises right — no identity verification required beyond confirming consumer identity
+3. Process within **15 business days**
+4. Restrict use of SPI to only the permitted purposes listed above
+5. Propagate limitation to service providers and contractors
+---
+## Right to Non-Discrimination (§1798.125)
+Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
+- Deny goods or services
+- Charge a different price (except where directly related to value of data)
+- Provide a different level or quality of goods/services
+- Suggest any of the above will occur
+**Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
+- The financial incentive is reasonably related to the value of the consumer's PI
+- Consumer provides opt-in consent with a clear description of material terms
+- Consumer can withdraw at any time
+---
+## Authorized Agent Requests
+Consumers may designate an authorized agent to submit requests on their behalf. Business must:
+- Require written permission from the consumer (signed authorization)
+- Verify the agent's identity
+- May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
+---
+## Record-Keeping
+**CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
+- Consumer requests and responses for 24 months
+- Disclosures for 24 months
+- Training records for CCPA/CPRA compliance

package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md ADDED Viewed

@@ -0,0 +1,162 @@
+# CIS Controls v8 — Framework Mapping Reference
+## CIS Controls v8 ↔ NIST CSF 2.0 (Detailed)
+| CIS Control | Safeguard | NIST CSF 2.0 Function | NIST CSF Category | NIST CSF Subcategory |
+|------------|-----------|----------------------|-------------------|----------------------|
+| 1.1 | Enterprise Asset Inventory | Identify | Asset Management (ID.AM) | ID.AM-01, ID.AM-02 |
+| 1.2 | Address Unauthorized Assets | Respond | Incident Management (RS.MA) | RS.MA-01 |
+| 2.1 | Software Inventory | Identify | Asset Management (ID.AM) | ID.AM-02, ID.AM-08 |
+| 2.2 | Supported Software | Govern | Policy (GV.PO) | GV.PO-01 |
+| 3.1 | Data Management Process | Govern | Policy (GV.PO) | GV.PO-01, GV.PO-02 |
+| 3.3 | Data Access Control Lists | Protect | Data Security (PR.DS) | PR.DS-01, PR.DS-05 |
+| 3.6 | Encrypt End-User Devices | Protect | Data Security (PR.DS) | PR.DS-01 |
+| 3.10 | Encrypt Data in Transit | Protect | Data Security (PR.DS) | PR.DS-02 |
+| 3.11 | Encrypt Data at Rest | Protect | Data Security (PR.DS) | PR.DS-01 |
+| 3.13 | Data Loss Prevention | Protect | Data Security (PR.DS) | PR.DS-05 |
+| 4.1 | Secure Configuration Process | Protect | Configuration Management (PR.IP) | PR.IP-01, PR.IP-03 |
+| 4.4 | Firewall on Servers | Protect | Network Security (PR.IR) | PR.IR-01 |
+| 5.4 | Separate Admin Accounts | Protect | Identity Management (PR.AA) | PR.AA-05 |
+| 6.3 | MFA External Applications | Protect | Identity Management (PR.AA) | PR.AA-03 |
+| 6.4 | MFA Remote Access | Protect | Identity Management (PR.AA) | PR.AA-03 |
+| 6.5 | MFA Admin Access | Protect | Identity Management (PR.AA) | PR.AA-05 |
+| 7.3 | OS Patch Management | Protect | Configuration Management (PR.IP) | PR.IP-12 |
+| 7.5 | Internal Vulnerability Scans | Identify | Risk Assessment (ID.RA) | ID.RA-01 |
+| 7.7 | Remediate Vulnerabilities | Protect | Configuration Management (PR.IP) | PR.IP-12 |
+| 8.2 | Collect Audit Logs | Detect | Adverse Event Analysis (DE.AE) | DE.AE-02, DE.AE-03 |
+| 8.9 | Centralize Audit Logs | Detect | Adverse Event Analysis (DE.AE) | DE.AE-03 |
+| 8.11 | Log Reviews | Detect | Continuous Monitoring (DE.CM) | DE.CM-09 |
+| 9.3 | Email Anti-Spoofing | Protect | Platform Security (PR.PS) | PR.PS-05 |
+| 9.5 | DMARC | Protect | Platform Security (PR.PS) | PR.PS-05 |
+| 10.1 | Anti-Malware | Protect | Platform Security (PR.PS) | PR.PS-05 |
+| 10.7 | Behavior-Based AV | Detect | Continuous Monitoring (DE.CM) | DE.CM-09 |
+| 11.2 | Automated Backups | Recover | Incident Recovery Plan (RC.RP) | RC.RP-05 |
+| 11.4 | Isolated Backup Copy | Recover | Incident Recovery Plan (RC.RP) | RC.RP-05 |
+| 12.2 | Secure Network Architecture | Protect | Network Security (PR.IR) | PR.IR-01, PR.IR-02 |
+| 13.1 | Security Event Alerting | Detect | Adverse Event Analysis (DE.AE) | DE.AE-06 |
+| 13.3 | Network Intrusion Detection | Detect | Continuous Monitoring (DE.CM) | DE.CM-01, DE.CM-06 |
+| 14.1 | Security Awareness Program | Protect | Awareness and Training (PR.AT) | PR.AT-01, PR.AT-02 |
+| 15.4 | Vendor Security Requirements | Identify | Supply Chain Risk (ID.SC) | ID.SC-02, ID.SC-04 |
+| 16.1 | Secure Dev Process | Protect | Application Security (PR.PS) | PR.PS-04 |
+| 17.4 | Incident Response Process | Respond | Incident Management (RS.MA) | RS.MA-01, RS.MA-02 |
+| 17.7 | IR Exercises | Respond | Incident Management (RS.MA) | RS.MA-05 |
+| 18.2 | External Pen Test | Identify | Risk Assessment (ID.RA) | ID.RA-05, ID.RA-06 |
+---
+## CIS Controls v8 ↔ ISO 27001:2022 Annex A (Detailed)
+| CIS Control | CIS Safeguards | ISO 27001:2022 Controls |
+|------------|----------------|-------------------------|
+| **1 (Asset Inventory)** | 1.1, 1.2, 1.3 | 5.9 (Inventory of information and other associated assets), 8.8 (Management of technical vulnerabilities) |
+| **2 (Software Inventory)** | 2.1, 2.2, 2.3 | 5.9 (Inventory), 8.8 (Technical vulnerabilities) |
+| **3 (Data Protection)** | 3.1–3.14 | 5.12 (Classification), 5.13 (Labelling), 5.33 (Protection of records), 8.10 (Info deletion), 8.11 (Data masking), 8.24 (Use of cryptography) |
+| **4 (Secure Config)** | 4.1–4.12 | 8.8 (Vulnerability management), 8.9 (Configuration management), 8.22 (Network segregation) |
+| **5 (Account Management)** | 5.1–5.6 | 5.15 (Access control), 5.16 (Identity management), 5.18 (Access rights) |
+| **6 (Access Control)** | 6.1–6.8 | 5.15 (Access control), 5.17 (Authentication info), 6.7 (Remote working), 8.2 (Privileged access rights), 8.3 (Info access restriction), 8.5 (Secure authentication) |
+| **7 (Vulnerability Mgmt)** | 7.1–7.7 | 8.8 (Management of technical vulnerabilities) |
+| **8 (Audit Logs)** | 8.1–8.12 | 8.15 (Logging), 8.16 (Monitoring activities), 8.17 (Clock synchronization) |
+| **9 (Email/Web)** | 9.1–9.7 | 8.22 (Network segregation), 8.23 (Web filtering) |
+| **10 (Malware)** | 10.1–10.7 | 8.7 (Protection against malware) |
+| **11 (Data Recovery)** | 11.1–11.5 | 8.13 (Information backup), 8.14 (Redundancy) |
+| **12 (Network Infra)** | 12.1–12.8 | 8.20 (Networks security), 8.21 (Security of network services), 8.22 (Network segregation) |
+| **13 (Network Monitoring)** | 13.1–13.11 | 8.15 (Logging), 8.16 (Monitoring), 8.20 (Network security) |
+| **14 (Security Training)** | 14.1–14.9 | 6.3 (Information security awareness/education/training), 6.8 (Information security event reporting) |
+| **15 (Service Providers)** | 15.1–15.7 | 5.19 (Information security in supplier relationships), 5.20 (Addressing security in agreements), 5.21 (Managing security in ICT supply chain) |
+| **16 (App Security)** | 16.1–16.14 | 8.25 (Secure development lifecycle), 8.26 (Application security requirements), 8.27 (Secure system architecture and engineering), 8.28 (Secure coding), 8.29 (Security testing in development/acceptance) |
+| **17 (IR Management)** | 17.1–17.9 | 5.24 (IR planning and preparation), 5.25 (Assessment/decision on events), 5.26 (Response to incidents) |
+| **18 (Pen Testing)** | 18.1–18.5 | 8.8 (Technical vulnerability management), 5.36 (Compliance with policies/standards) |
+---
+## CIS Controls v8 ↔ CMMC 2.0 (NIST SP 800-171)
+| CIS Control | CMMC Domain | NIST 800-171 Requirements |
+|------------|-------------|--------------------------|
+| 1 (Asset Inventory) | Asset Management / System Inventory | Not explicitly in 800-171 but implied by CM.3.068 |
+| 2 (Software Inventory) | Configuration Management (CM) | 3.4.1 (Baseline configurations), 3.4.2 (Configuration settings) |
+| 3 (Data Protection) | Media Protection (MP) | 3.8.1–3.8.9 |
+| 4 (Secure Config) | Configuration Management (CM) | 3.4.1, 3.4.2, 3.4.6, 3.4.7 |
+| 5 (Account Management) | Identification & Authentication (IA) | 3.5.1, 3.5.2, 3.5.3 |
+| 6 (Access Control) | Access Control (AC) | 3.1.1–3.1.22 |
+| 7 (Vulnerability Mgmt) | Risk Assessment (RA) | 3.11.1, 3.11.2, 3.11.3 |
+| 8 (Audit Logs) | Audit & Accountability (AU) | 3.3.1–3.3.9 |
+| 9 (Email/Web) | System & Communications Protection (SC) | 3.13.6, 3.13.7 |
+| 10 (Malware Defenses) | System & Information Integrity (SI) | 3.14.2, 3.14.4, 3.14.5 |
+| 11 (Data Recovery) | Recovery not explicitly in 800-171 | 3.8.9 (Backup CUI on mobile devices) |
+| 12 (Network Infra) | System & Communications Protection (SC) | 3.13.1, 3.13.2, 3.13.5 |
+| 13 (Network Monitoring) | System & Information Integrity (SI) | 3.14.6, 3.14.7 |
+| 14 (Security Training) | Awareness & Training (AT) | 3.2.1, 3.2.2, 3.2.3 |
+| 15 (Service Providers) | Supply Chain Risk not explicitly in 800-171 | Implied by CM and SI |
+| 16 (App Security) | System & Communications Protection (SC) | 3.13.10, 3.13.16 |
+| 17 (Incident Response) | Incident Response (IR) | 3.6.1, 3.6.2, 3.6.3 |
+| 18 (Pen Testing) | Not explicitly in CMMC L2, required at L3 | NIST SP 800-172: 2.11.3 |
+---
+## CIS Controls v8 ↔ SOC 2 Trust Services Criteria
+| CIS Control | SOC 2 Criterion | TSC Category |
+|------------|----------------|-------------|
+| 1 (Asset Inventory) | CC6.1 | Common Criteria |
+| 2 (Software Inventory) | CC6.1, CC6.2 | Common Criteria |
+| 3 (Data Protection) | CC6.1, CC6.5, C1.1, C1.2 | Common Criteria / Confidentiality |
+| 4 (Secure Config) | CC6.1, CC7.1 | Common Criteria |
+| 5 (Account Management) | CC6.2, CC6.3 | Common Criteria |
+| 6 (Access Control) | CC6.1, CC6.2, CC6.3 | Common Criteria |
+| 7 (Vulnerability Mgmt) | CC7.1 | Common Criteria |
+| 8 (Audit Logs) | CC4.1, CC7.2, CC7.3 | Common Criteria |
+| 9 (Email/Web) | CC6.1, CC6.6 | Common Criteria |
+| 10 (Malware) | CC6.1, CC6.8 | Common Criteria |
+| 11 (Data Recovery) | A1.2, A1.3 | Availability |
+| 12 (Network Infra) | CC6.1, CC6.6 | Common Criteria |
+| 13 (Network Monitoring) | CC7.2, CC7.3 | Common Criteria |
+| 14 (Security Training) | CC1.4, CC2.2 | Common Criteria |
+| 15 (Service Providers) | CC9.2 | Common Criteria |
+| 16 (App Security) | CC8.1 | Common Criteria |
+| 17 (Incident Response) | CC7.3, CC7.4, CC7.5 | Common Criteria |
+| 18 (Pen Testing) | CC4.1, CC4.2 | Common Criteria |
+---
+## CIS Controls v8 ↔ PCI DSS v4.0
+| PCI DSS Requirement | CIS Controls |
+|--------------------|-------------|
+| Req 1: Install network controls | 12, 13 |
+| Req 2: Secure system/network components | 4 |
+| Req 3: Protect stored cardholder data | 3 |
+| Req 4: Protect cardholder data in transit | 3.10 |
+| Req 5: Protect against malicious software | 10 |
+| Req 6: Develop/maintain secure systems | 16 |
+| Req 7: Restrict access by business need | 6 |
+| Req 8: Identify users and authenticate access | 5, 6 |
+| Req 9: Restrict physical access | (Physical — not covered by CIS Controls) |
+| Req 10: Log and monitor all access | 8 |
+| Req 11: Test system/network security | 7, 18 |
+| Req 12: Support information security | 1, 2, 14, 15, 17 |
+---
+## CIS Controls v7.1 vs v8 Changes
+Key changes to understand if transitioning from v7.1 to v8:
+| Aspect | CIS Controls v7.1 | CIS Controls v8 |
+|--------|------------------|-----------------|
+| Number of controls | 20 | 18 |
+| Sub-controls | 171 | 153 safeguards |
+| Organization | Technology type | Asset type |
+| Cloud coverage | Limited | Explicit throughout |
+| Mobile coverage | Limited | Integrated |
+| Implementation Groups | Yes (IG1/2/3) | Yes (enhanced) |
+**Controls merged/reorganized:**
+- v7 Controls 4 (Controlled Use of Admin Privileges) + 16 (Account Monitoring) → v8 Control 5 (Account Management)
+- v7 Controls 12 (Boundary Defense) + 13 (Data Protection) → v8 Controls 3 (Data Protection) + 12 (Network Infrastructure)
+- v7 Controls 7 (Email/Web Browsers) + 8 (Malware Defenses) → v8 Controls 9 + 10
+**New in v8:**
+- Explicit cloud asset coverage in all applicable controls
+- Service Provider Management as standalone Control 15
+- Clearer Implementation Group assignments per safeguard

package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md ADDED Viewed

@@ -0,0 +1,235 @@
+# CIS Controls v8 — Implementation Guidance
+## Getting Started: The Prioritization Principle
+The CIS Controls are deliberately ordered by impact. Research consistently shows that implementing Controls 1–6 (the foundational six) eliminates the vast majority of cyber risk:
+- **Controls 1–2** (Inventory): You can't protect what you don't know you have
+- **Controls 3–6** (Protective): Prevent the most common attack paths
+- **Control 7** (Vulnerability Management): Continuously reduce attack surface
+- **Controls 8–18** (Detect, Respond, Recover): Build operational security capability
+Start with IG1 completely before moving to IG2. IG1 is the minimum acceptable baseline for any organization.
+---
+## Implementation Group 1 (IG1) — Essential Cyber Hygiene
+**Target audience:** Organizations with limited IT resources, small teams, commercially available products
+**Goal:** Defend against opportunistic, non-targeted attacks (the majority of incidents affecting small organizations)
+### IG1 Quick-Start Checklist (56 Safeguards)
+**Week 1-2: Know Your Assets**
+- [ ] Create hardware asset inventory (all computers, servers, printers, network devices) — Safeguard 1.1
+- [ ] Create software inventory (all installed applications) — Safeguard 2.1
+- [ ] Document all user accounts — Safeguard 5.1
+- [ ] Document all data types and where they are stored — Safeguard 3.2
+**Week 3-4: Secure Configuration**
+- [ ] Enable host-based firewall on all workstations and servers — Safeguards 4.4, 4.5
+- [ ] Set screen lock timeout to 15 minutes — Safeguard 4.3
+- [ ] Change all default passwords on network devices, routers, and systems — Safeguard 4.7
+- [ ] Enable full-disk encryption on all laptops — Safeguard 3.6
+**Month 2: Account and Access Controls**
+- [ ] Enforce strong password policy (14+ characters) — Safeguard 5.2
+- [ ] Separate admin accounts from day-to-day user accounts — Safeguard 5.4
+- [ ] Disable accounts unused for 90+ days — Safeguard 5.3
+- [ ] Define and document access request/revoke process — Safeguards 6.1, 6.2
+**Month 2: Patch Management**
+- [ ] Enable automatic OS updates on all endpoints — Safeguard 7.3
+- [ ] Enable automatic application updates (browsers, Office, etc.) — Safeguard 7.4
+- [ ] Define a remediation SLA (e.g., critical patches within 15 days) — Safeguard 7.2
+**Month 3: Backups, Training, Incident Response**
+- [ ] Implement automated, tested backups (3-2-1 rule) — Safeguard 11.2, 11.4
+- [ ] Conduct security awareness training for all employees — Safeguard 14.1, 14.2
+- [ ] Document a basic incident response procedure — Safeguard 17.4
+- [ ] Enable and retain basic audit logs (auth events, admin actions) — Safeguards 8.1, 8.2
+---
+## Implementation Group 2 (IG2) — Intermediate Controls
+**Target audience:** Organizations with dedicated IT staff, sensitive data, moderate risk tolerance
+**Goal:** Defend against more sophisticated, targeted attacks; comply with common regulatory frameworks
+### Key IG2 Additions Beyond IG1
+**MFA Everywhere (Control 6)**
+- Deploy MFA on all externally accessible systems (VPN, webmail, SaaS, remote access) — Safeguard 6.3
+- Require MFA for administrative access — Safeguard 6.5
+- Phishing-resistant MFA (FIDO2/hardware keys) for privileged users
+**Application Allowlisting (Control 2)**
+- Implement application allowlisting via Microsoft AppLocker, WDAC, or Carbon Black
+- Allowlist approved scripts (PowerShell Constrained Language Mode) — Safeguard 2.7
+- Block unauthorized DLLs and libraries — Safeguard 2.6
+**Vulnerability Scanning (Control 7)**
+- Deploy authenticated vulnerability scanner (Nessus, Qualys, Tenable, Rapid7)
+- Weekly authenticated scans of all internal assets — Safeguard 7.5
+- Monthly scans of external attack surface — Safeguard 7.6
+- Track and remediate findings per SLA — Safeguard 7.7
+**SIEM and Log Centralization (Control 8)**
+- Deploy SIEM or log aggregation platform — Safeguard 8.9
+- Collect: Windows event logs (4624, 4625, 4648, 4720, 4728), Linux auth.log, firewall deny logs, DNS, VPN — Safeguard 8.5
+- Retain logs for minimum 12 months — Safeguard 8.10
+- Enable NTP synchronization across all assets — Safeguard 8.4
+**Email Security (Control 9)**
+- Implement DMARC policy (start with p=none monitoring, move to p=quarantine/reject) — Safeguard 9.5
+- Deploy email filtering with sandboxing — Safeguard 9.7
+- Block dangerous attachment types (.exe, .js, .vbs, .bat, .macro-enabled Office) — Safeguard 9.6
+**EDR/Next-Gen AV (Control 10)**
+- Replace signature-only AV with EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) — Safeguard 10.7
+- Enable behavioral analysis and memory protection — Safeguard 10.5
+**Network Architecture (Control 12)**
+- Segment network by function (servers, workstations, IoT, guest Wi-Fi) — Safeguard 12.2
+- Implement DMZ for externally accessible services — Safeguard 12.2
+- Deploy Next-Gen Firewall with deep packet inspection — Safeguard 12.2
+**Vendor Risk Management (Control 15)**
+- Classify all service providers by data access and criticality — Safeguard 15.3
+- Include security requirements in all vendor contracts — Safeguard 15.4
+- Conduct annual vendor risk assessments for critical suppliers — Safeguard 15.5
+---
+## Implementation Group 3 (IG3) — Advanced Controls
+**Target audience:** Large enterprises with security teams, sensitive regulated data, high-value targets
+**Goal:** Defend against sophisticated, persistent adversaries; maintain continuous security operations
+### Key IG3 Capabilities
+**Penetration Testing (Control 18)**
+- External pen test: Annual minimum; quarterly for high-risk targets — Safeguard 18.2
+- Internal pen test: Semi-annual — Safeguard 18.5
+- Red team exercises with full adversary simulation — beyond base CIS scope
+- Purple team exercises — combine red team and SOC for knowledge transfer
+**Advanced Network Defense (Control 13)**
+- Deploy Network Detection and Response (NDR/NTA) solution — Safeguard 13.3
+- Implement SOAR for automated incident response playbooks
+- HIPS on all servers — Safeguard 13.7
+- Tune SIEM alert thresholds to reduce false positives — Safeguard 13.11
+- Threat hunting program: proactive analysis for unknown threats
+**Application Security (Control 16)**
+- SAST integrated into CI/CD pipeline (pre-commit, PR gate) — Safeguard 16.12
+- DAST for deployed applications (OWASP ZAP, Burp Suite) — Safeguard 16.12
+- SCA for third-party components (Snyk, Black Duck) — related to 16.5
+- Threat modeling for new features and applications — Safeguard 16.14
+- Bug bounty program or responsible disclosure policy — related to 16.4
+**Data Protection (Control 3)**
+- Deploy DLP across email, endpoints, and cloud — Safeguard 3.13
+- Segment data stores by sensitivity — Safeguard 3.12
+- Log all access to sensitive data — Safeguard 3.14
+---
+## Common Implementation Pitfalls
+### Pitfall 1: Skipping IG1 to implement IG2/IG3 Controls
+**Problem:** Organizations try to deploy SIEM before they know what assets they have
+**Solution:** Complete IG1 systematically before advancing. Asset inventory (Controls 1-2) is the foundation for everything else.
+### Pitfall 2: Treating CIS Controls as a checklist, not a program
+**Problem:** Point-in-time compliance; controls drift over time
+**Solution:** Build operational processes: scheduled scans, monthly reporting, quarterly reviews, annual assessments
+### Pitfall 3: Ignoring cloud assets
+**Problem:** Cloud VMs, SaaS apps, cloud storage not included in inventory or scans
+**Solution:** CIS Controls v8 explicitly addresses cloud assets — include in all inventories; use CSPM tools (Wiz, Prisma, Defender for Cloud)
+### Pitfall 4: MFA deployment gaps
+**Problem:** MFA enabled on some systems but not others; SMS OTP used for privileged access
+**Solution:** Comprehensive MFA inventory; phishing-resistant MFA for privileged and external access
+### Pitfall 5: Log collection without review
+**Problem:** SIEM deployed but alerts are not actioned; logs retained but never searched
+**Solution:** Define alert response procedures; staff SOC or use MDR service; weekly log review as minimum
+### Pitfall 6: Patch management without vulnerability scanning
+**Problem:** Patching OS only; missing application and firmware vulnerabilities
+**Solution:** Authenticated vulnerability scanning to identify all missing patches, misconfigurations, and CVEs
+---
+## Metrics and KPIs for CIS Controls
+### IG1 KPIs
+| Metric | Target | Frequency |
+|--------|--------|-----------|
+| % assets in inventory | ≥ 95% | Monthly |
+| % endpoints with current AV | 100% | Weekly |
+| % endpoints with disk encryption | 100% | Monthly |
+| Critical patches applied within SLA | ≥ 95% | Monthly |
+| % accounts with strong passwords | 100% | Quarterly |
+| Backup test success rate | 100% | Quarterly |
+### IG2 KPIs
+| Metric | Target | Frequency |
+|--------|--------|-----------|
+| % external systems with MFA | 100% | Monthly |
+| Mean Time to Patch (MTTP) — Critical | ≤ 15 days | Monthly |
+| Mean Time to Patch (MTTP) — High | ≤ 30 days | Monthly |
+| SIEM alert response rate | ≥ 90% actioned | Weekly |
+| Phishing click rate (simulation) | ≤ 5% | Quarterly |
+| Vendor assessments completed | 100% of critical | Annual |
+### IG3 KPIs
+| Metric | Target | Frequency |
+|--------|--------|-----------|
+| Pen test critical findings remediated | 100% within 30 days | After test |
+| Mean Time to Detect (MTTD) | ≤ 24 hours | Monthly |
+| Mean Time to Respond (MTTR) | ≤ 4 hours for P1 | Monthly |
+| SAST scan coverage | 100% of repos | Per commit |
+| DLP policy violation rate | Trending down | Monthly |
+---
+## CIS CSAT Tool
+The **CIS Controls Self-Assessment Tool (CSAT)** is a free web-based platform from CIS:
+- URL: https://csat.cisecurity.org/
+- Maps to all 153 safeguards
+- Generates maturity scores and prioritized gap reports
+- Supports team collaboration and tracking
+- Produces executive summary reports
+**CIS SecureSuite Membership** provides access to additional resources:
+- CIS Benchmarks (configuration hardening guides for 100+ technologies)
+- CIS-CAT Pro (automated configuration assessment tool)
+- CIS RAM (Risk Assessment Method)
+- Priority and quick-start guides by sector
+---
+## Industry-Specific Guidance
+### Healthcare (HIPAA alignment)
+- Priority: Controls 3 (PHI data protection), 6 (access control), 8 (audit logging), 17 (incident response)
+- IG2 minimum for any covered entity or business associate
+- Map CIS Controls to HIPAA Security Rule safeguards
+### Finance (PCI DSS / GLBA alignment)
+- Priority: Controls 3, 6, 8, 12, 16 for cardholder data environments
+- IG2 minimum; IG3 for large financial institutions
+- CIS Controls v8 maps closely to PCI DSS v4.0 requirements
+### Government (FISMA / CMMC alignment)
+- Priority: Full IG2 implementation for CMMC Level 2; IG3 elements for CMMC Level 3
+- CIS Controls map to NIST SP 800-171 requirements used in CMMC
+- Essential Eight (Australian cyber) aligns with CIS Controls 1-10
+### Education (FERPA alignment)
+- Priority: Controls 1-7 for student data protection
+- IG1 minimum for K-12; IG2 for higher education with research data