framework-mcp 1.3.6 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/agents/mcp-developer.md +41 -0
- package/.claude/agents/project-orchestrator.md +43 -0
- package/.claude/agents/version-consistency-reviewer.md +50 -0
- package/COPILOT_INTEGRATION.md +49 -62
- package/DEPLOYMENT_GUIDE.md +48 -49
- package/MCP_INTEGRATION_GUIDE.md +96 -129
- package/MIGRATION_GUIDE_v1.4.0.md +190 -0
- package/README.md +149 -173
- package/RELEASE_NOTES_v1.3.7.md +275 -0
- package/RELEASE_NOTES_v1.4.0.md +178 -0
- package/SAFEGUARDS_VERIFICATION_LOG.md +157 -0
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +747 -1191
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/index.d.ts +0 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -2
- package/dist/index.js.map +1 -1
- package/dist/interfaces/http/http-server.d.ts +0 -4
- package/dist/interfaces/http/http-server.d.ts.map +1 -1
- package/dist/interfaces/http/http-server.js +6 -113
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.d.ts +0 -5
- package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +4 -120
- package/dist/interfaces/mcp/mcp-server.js.map +1 -1
- package/dist/shared/types.d.ts +0 -37
- package/dist/shared/types.d.ts.map +1 -1
- package/examples/example-usage.md +43 -38
- package/examples/llm-analysis-patterns.md +553 -0
- package/package.json +2 -3
- package/scripts/validate-documentation.sh +4 -4
- package/src/core/safeguard-manager.ts +729 -1173
- package/src/index.ts +1 -2
- package/src/interfaces/http/http-server.ts +6 -139
- package/src/interfaces/mcp/mcp-server.ts +4 -145
- package/src/shared/types.ts +0 -40
- package/swagger.json +64 -313
- package/dist/core/capability-analyzer.d.ts +0 -29
- package/dist/core/capability-analyzer.d.ts.map +0 -1
- package/dist/core/capability-analyzer.js +0 -568
- package/dist/core/capability-analyzer.js.map +0 -1
- package/src/core/capability-analyzer.ts +0 -708
|
@@ -202,42 +202,40 @@ export class SafeguardManager {
|
|
|
202
202
|
assetType: ["end-user devices", "network devices", "IoT devices", "servers"],
|
|
203
203
|
securityFunction: ["Identify"],
|
|
204
204
|
governanceElements: [ // Orange - MUST be met
|
|
205
|
-
"
|
|
206
|
-
"
|
|
207
|
-
"
|
|
208
|
-
"
|
|
209
|
-
"enterprise asset management policy"
|
|
205
|
+
"Establish",
|
|
206
|
+
"Maintain",
|
|
207
|
+
"Enterprise Asset Management Policy / Process",
|
|
208
|
+
"Review and update the inventory of all enterprise assets bi-annually, or more frequently"
|
|
210
209
|
],
|
|
211
210
|
coreRequirements: [ // Green - The "what"
|
|
212
|
-
"accurate inventory"
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
"
|
|
216
|
-
"
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
"
|
|
220
|
-
"
|
|
221
|
-
"
|
|
222
|
-
"
|
|
223
|
-
"
|
|
224
|
-
"
|
|
225
|
-
"
|
|
226
|
-
"
|
|
227
|
-
"
|
|
228
|
-
"
|
|
229
|
-
"
|
|
230
|
-
"
|
|
231
|
-
"
|
|
232
|
-
"
|
|
233
|
-
"
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
"
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
"
|
|
240
|
-
"passive discovery tools"
|
|
211
|
+
"accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data"
|
|
212
|
+
],
|
|
213
|
+
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
214
|
+
"Network Address (IF STATIC)",
|
|
215
|
+
"Hardware Address",
|
|
216
|
+
"Machine Name",
|
|
217
|
+
"Enterprise asset owner",
|
|
218
|
+
"Department for each asset",
|
|
219
|
+
"Asset has been approved to connect to the network",
|
|
220
|
+
"End-User Devices",
|
|
221
|
+
"Mobile",
|
|
222
|
+
"Portable",
|
|
223
|
+
"Network Devices",
|
|
224
|
+
"IOT Devices",
|
|
225
|
+
"Servers",
|
|
226
|
+
"Connected to Infrastructure",
|
|
227
|
+
"Physically",
|
|
228
|
+
"Virtually",
|
|
229
|
+
"Remotely",
|
|
230
|
+
"Those within cloud environments",
|
|
231
|
+
"Regularly Connected Devices - NOT Under Control of Enterprise",
|
|
232
|
+
"Detailed",
|
|
233
|
+
"Accurate",
|
|
234
|
+
"Up-to-date",
|
|
235
|
+
"Potential to store or process data"
|
|
236
|
+
],
|
|
237
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
238
|
+
"For mobile end-user devices, MDM type tools can support this process, where appropriate"
|
|
241
239
|
],
|
|
242
240
|
relatedSafeguards: ["1.2", "1.3", "1.4", "1.5", "2.1", "3.2", "4.1", "5.1"],
|
|
243
241
|
keywords: ["asset", "inventory", "device", "network", "mobile", "IoT", "server", "detailed", "accurate", "up-to-date"]
|
|
@@ -245,81 +243,72 @@ export class SafeguardManager {
|
|
|
245
243
|
"5.1": {
|
|
246
244
|
id: "5.1",
|
|
247
245
|
title: "Establish and Maintain an Inventory of Accounts",
|
|
248
|
-
description: "Establish and maintain an inventory of all accounts managed in the enterprise",
|
|
246
|
+
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
249
247
|
implementationGroup: "IG1",
|
|
250
248
|
assetType: ["users"],
|
|
251
249
|
securityFunction: ["Identify"],
|
|
252
250
|
governanceElements: [ // Orange - MUST be met
|
|
253
|
-
"
|
|
254
|
-
"
|
|
255
|
-
"
|
|
256
|
-
"recurring schedule minimum quarterly"
|
|
257
|
-
"account management policy"
|
|
251
|
+
"Establish and maintain an inventory of all accounts managed in the enterprise",
|
|
252
|
+
"The inventory must include both user and administrator accounts",
|
|
253
|
+
"At a minimum, should contain the person's name, username, start/stop dates, and department",
|
|
254
|
+
"Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
|
|
258
255
|
],
|
|
259
256
|
coreRequirements: [ // Green - The "what"
|
|
260
|
-
"
|
|
261
|
-
"user accounts",
|
|
262
|
-
"administrator accounts",
|
|
263
|
-
"managed in the enterprise"
|
|
257
|
+
"Inventory of Accounts"
|
|
264
258
|
],
|
|
265
259
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
266
|
-
"
|
|
267
|
-
"
|
|
268
|
-
"
|
|
269
|
-
"
|
|
270
|
-
"
|
|
271
|
-
"
|
|
272
|
-
"
|
|
273
|
-
"
|
|
260
|
+
"Establish",
|
|
261
|
+
"Maintain",
|
|
262
|
+
"Validate that all active accounts are authorized",
|
|
263
|
+
"Recurring schedule",
|
|
264
|
+
"Must Include",
|
|
265
|
+
"At a minimum",
|
|
266
|
+
"Minimum Quarterly",
|
|
267
|
+
"More Frequently",
|
|
268
|
+
"User Accounts",
|
|
269
|
+
"Administrator Accounts",
|
|
270
|
+
"Name",
|
|
271
|
+
"Username",
|
|
272
|
+
"Start Stop Dates",
|
|
273
|
+
"Department"
|
|
274
274
|
],
|
|
275
275
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
276
|
-
"
|
|
277
|
-
"
|
|
278
|
-
"automated account provisioning",
|
|
279
|
-
"account lifecycle management",
|
|
280
|
-
"role-based access control system"
|
|
276
|
+
"Account and Access Control Management",
|
|
277
|
+
"Identity and Access Management Tool"
|
|
281
278
|
],
|
|
282
|
-
relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2"],
|
|
283
|
-
keywords: ["
|
|
279
|
+
relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"],
|
|
280
|
+
keywords: ["establish", "maintain", "inventory", "accounts", "user", "administrator", "name", "username", "dates", "department", "quarterly", "validate", "authorized", "recurring"]
|
|
284
281
|
},
|
|
285
282
|
"6.3": {
|
|
286
283
|
id: "6.3",
|
|
287
284
|
title: "Require MFA for Externally-Exposed Applications",
|
|
288
|
-
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA",
|
|
285
|
+
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
289
286
|
implementationGroup: "IG1",
|
|
290
287
|
assetType: ["users"],
|
|
291
288
|
securityFunction: ["Protect"],
|
|
292
289
|
governanceElements: [ // Orange - MUST be met
|
|
293
|
-
"
|
|
294
|
-
"
|
|
295
|
-
"
|
|
290
|
+
"Require",
|
|
291
|
+
"Account and Access Control Management",
|
|
292
|
+
"Multi-Factor Authentication Tool"
|
|
296
293
|
],
|
|
297
294
|
coreRequirements: [ // Green - The "what"
|
|
298
|
-
"
|
|
299
|
-
"
|
|
300
|
-
"enterprise applications",
|
|
301
|
-
"third-party applications",
|
|
302
|
-
"enforce MFA where supported"
|
|
295
|
+
"all externally-exposed enterprise or third-party applications to enforce MFA",
|
|
296
|
+
"where supported"
|
|
303
297
|
],
|
|
304
298
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
305
|
-
"
|
|
306
|
-
"
|
|
307
|
-
"
|
|
308
|
-
"something you are (biometric)",
|
|
309
|
-
"external access points",
|
|
310
|
-
"application inventory",
|
|
311
|
-
"exposure assessment"
|
|
299
|
+
"ALL Externally Exposed Applications",
|
|
300
|
+
"Enforce",
|
|
301
|
+
"Where supported"
|
|
312
302
|
],
|
|
313
303
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
314
|
-
"directory service
|
|
315
|
-
"
|
|
316
|
-
"
|
|
317
|
-
"
|
|
318
|
-
"
|
|
319
|
-
"conditional access policies"
|
|
304
|
+
"Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard",
|
|
305
|
+
"Directory service",
|
|
306
|
+
"SSO Provider",
|
|
307
|
+
"Account and Access Control Management",
|
|
308
|
+
"Multi-Factor Authentication Tool"
|
|
320
309
|
],
|
|
321
|
-
relatedSafeguards: ["2.1", "4.1"
|
|
322
|
-
keywords: ["
|
|
310
|
+
relatedSafeguards: ["2.1", "4.1"],
|
|
311
|
+
keywords: ["require", "externally-exposed", "enterprise", "third-party", "applications", "enforce", "MFA", "supported", "directory", "service", "SSO", "provider"]
|
|
323
312
|
},
|
|
324
313
|
"7.1": {
|
|
325
314
|
id: "7.1",
|
|
@@ -371,27 +360,17 @@ export class SafeguardManager {
|
|
|
371
360
|
assetType: ["devices"],
|
|
372
361
|
securityFunction: ["Respond"],
|
|
373
362
|
governanceElements: [ // Orange - MUST be met
|
|
374
|
-
"
|
|
375
|
-
"weekly basis requirement",
|
|
376
|
-
"unauthorized asset handling policy"
|
|
363
|
+
"Ensure that a process exists to address unauthorized assets on a weekly basis"
|
|
377
364
|
],
|
|
378
365
|
coreRequirements: [ // Green - The "what"
|
|
379
|
-
"
|
|
380
|
-
"process to handle unauthorized devices",
|
|
381
|
-
"weekly execution"
|
|
366
|
+
"Address Unauthorized Assets"
|
|
382
367
|
],
|
|
383
368
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
384
|
-
"
|
|
385
|
-
"
|
|
386
|
-
"response timeline",
|
|
387
|
-
"documentation requirements"
|
|
369
|
+
"On a weekly basis",
|
|
370
|
+
"Ensure"
|
|
388
371
|
],
|
|
389
372
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
390
|
-
"remove asset from network"
|
|
391
|
-
"deny asset from connecting remotely",
|
|
392
|
-
"quarantine asset",
|
|
393
|
-
"automated response systems",
|
|
394
|
-
"network access control"
|
|
373
|
+
"The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset"
|
|
395
374
|
],
|
|
396
375
|
relatedSafeguards: ["1.1", "1.3"],
|
|
397
376
|
keywords: ["unauthorized", "assets", "weekly", "remove", "deny", "quarantine", "process"]
|
|
@@ -399,79 +378,51 @@ export class SafeguardManager {
|
|
|
399
378
|
"1.3": {
|
|
400
379
|
id: "1.3",
|
|
401
380
|
title: "Utilize an Active Discovery Tool",
|
|
402
|
-
description: "
|
|
381
|
+
description: "Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.",
|
|
403
382
|
implementationGroup: "IG2",
|
|
404
383
|
assetType: ["network"],
|
|
405
|
-
securityFunction: ["
|
|
384
|
+
securityFunction: ["Detect"],
|
|
406
385
|
governanceElements: [ // Orange - MUST be met
|
|
407
|
-
"
|
|
408
|
-
"
|
|
409
|
-
"network discovery policy",
|
|
410
|
-
"discovery tool management"
|
|
386
|
+
"Utilize an active discovery tool to identify assets connected to the enterprise's network",
|
|
387
|
+
"Configure the active discovery tool to execute daily, or more frequently"
|
|
411
388
|
],
|
|
412
389
|
coreRequirements: [ // Green - The "what"
|
|
413
|
-
"
|
|
414
|
-
"identify assets connected to network",
|
|
415
|
-
"enterprise network coverage",
|
|
416
|
-
"asset discovery capability"
|
|
390
|
+
"Active discovery tool"
|
|
417
391
|
],
|
|
418
392
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
419
|
-
"
|
|
420
|
-
"
|
|
421
|
-
"
|
|
422
|
-
"
|
|
423
|
-
"service discovery",
|
|
424
|
-
"port scanning",
|
|
425
|
-
"protocol analysis",
|
|
426
|
-
"network topology discovery"
|
|
393
|
+
"Utilize",
|
|
394
|
+
"Configure",
|
|
395
|
+
"Execute daily",
|
|
396
|
+
"Execute daily, or more frequently"
|
|
427
397
|
],
|
|
428
398
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
429
|
-
"network discovery scanners",
|
|
430
|
-
"SNMP-based discovery",
|
|
431
|
-
"ping sweeps",
|
|
432
|
-
"ARP table analysis",
|
|
433
|
-
"network monitoring tools",
|
|
434
|
-
"automated discovery systems"
|
|
435
399
|
],
|
|
436
400
|
relatedSafeguards: ["1.1", "1.2", "1.4", "1.5"],
|
|
437
401
|
keywords: ["active", "discovery", "tool", "identify", "assets", "network", "scanning", "mapping"]
|
|
438
402
|
},
|
|
439
403
|
"1.4": {
|
|
440
404
|
id: "1.4",
|
|
441
|
-
title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Asset Inventory",
|
|
442
|
-
description: "Use DHCP logging
|
|
405
|
+
title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory",
|
|
406
|
+
description: "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.",
|
|
443
407
|
implementationGroup: "IG2",
|
|
444
408
|
assetType: ["network"],
|
|
445
409
|
securityFunction: ["Identify"],
|
|
446
410
|
governanceElements: [ // Orange - MUST be met
|
|
447
|
-
"
|
|
448
|
-
"update asset inventory
|
|
449
|
-
"DHCP log management policy",
|
|
450
|
-
"inventory integration process"
|
|
411
|
+
"Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory",
|
|
412
|
+
"Review and use logs to update the enterprise's asset inventory weekly, or more frequently"
|
|
451
413
|
],
|
|
452
414
|
coreRequirements: [ // Green - The "what"
|
|
453
|
-
"DHCP
|
|
454
|
-
"
|
|
455
|
-
"network device tracking",
|
|
456
|
-
"IP address assignment logging"
|
|
415
|
+
"DHCP Logging on all DHCP servers",
|
|
416
|
+
"IPAM"
|
|
457
417
|
],
|
|
458
418
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
459
|
-
"
|
|
460
|
-
"
|
|
461
|
-
"
|
|
462
|
-
"
|
|
463
|
-
"
|
|
464
|
-
"DHCP server logs",
|
|
465
|
-
"network join events",
|
|
466
|
-
"device identification data"
|
|
419
|
+
"Use",
|
|
420
|
+
"Review and Use Logs",
|
|
421
|
+
"Update asset inventory",
|
|
422
|
+
"Weekly",
|
|
423
|
+
"More Frequently"
|
|
467
424
|
],
|
|
468
425
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
469
|
-
"DHCP server log analysis",
|
|
470
|
-
"automated parsing tools",
|
|
471
|
-
"inventory integration scripts",
|
|
472
|
-
"SIEM integration",
|
|
473
|
-
"log aggregation systems",
|
|
474
|
-
"real-time monitoring"
|
|
475
426
|
],
|
|
476
427
|
relatedSafeguards: ["1.1", "1.2", "1.3", "1.5"],
|
|
477
428
|
keywords: ["DHCP", "logging", "update", "asset", "inventory", "IP", "address", "network", "tracking"]
|
|
@@ -479,39 +430,25 @@ export class SafeguardManager {
|
|
|
479
430
|
"1.5": {
|
|
480
431
|
id: "1.5",
|
|
481
432
|
title: "Use a Passive Asset Discovery Tool",
|
|
482
|
-
description: "Use a passive discovery tool to identify assets connected to the enterprise's network",
|
|
433
|
+
description: "Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.",
|
|
483
434
|
implementationGroup: "IG3",
|
|
484
435
|
assetType: ["network"],
|
|
485
|
-
securityFunction: ["
|
|
436
|
+
securityFunction: ["Detect"],
|
|
486
437
|
governanceElements: [ // Orange - MUST be met
|
|
487
|
-
"
|
|
488
|
-
"
|
|
489
|
-
"passive monitoring policy",
|
|
490
|
-
"discovery tool governance"
|
|
438
|
+
"Use a passive discovery tool to identify assets connected to the enterprise's network",
|
|
439
|
+
"Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently"
|
|
491
440
|
],
|
|
492
441
|
coreRequirements: [ // Green - The "what"
|
|
493
|
-
"
|
|
494
|
-
"identify assets connected to network",
|
|
495
|
-
"non-intrusive asset identification",
|
|
496
|
-
"network traffic analysis"
|
|
442
|
+
"Passive Discovery Tool"
|
|
497
443
|
],
|
|
498
444
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
499
|
-
"
|
|
500
|
-
"
|
|
501
|
-
"
|
|
502
|
-
"
|
|
503
|
-
"
|
|
504
|
-
|
|
505
|
-
|
|
506
|
-
"service identification"
|
|
507
|
-
],
|
|
508
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
509
|
-
"network tap monitoring",
|
|
510
|
-
"span port analysis",
|
|
511
|
-
"flow analysis tools",
|
|
512
|
-
"packet capture systems",
|
|
513
|
-
"network behavior analysis",
|
|
514
|
-
"passive scanning tools"
|
|
445
|
+
"Use",
|
|
446
|
+
"Review and Use scans",
|
|
447
|
+
"Update asset inventory",
|
|
448
|
+
"Weekly",
|
|
449
|
+
"More Frequently"
|
|
450
|
+
],
|
|
451
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
515
452
|
],
|
|
516
453
|
relatedSafeguards: ["1.1", "1.2", "1.3", "1.4"],
|
|
517
454
|
keywords: ["passive", "discovery", "tool", "identify", "assets", "network", "traffic", "monitoring", "non-intrusive"]
|
|
@@ -524,36 +461,32 @@ export class SafeguardManager {
|
|
|
524
461
|
assetType: ["applications"],
|
|
525
462
|
securityFunction: ["Identify"],
|
|
526
463
|
governanceElements: [ // Orange - MUST be met
|
|
527
|
-
"
|
|
528
|
-
"
|
|
529
|
-
"
|
|
530
|
-
"licensed software tracking",
|
|
531
|
-
"enterprise asset coverage"
|
|
464
|
+
"Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
|
|
465
|
+
"The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date",
|
|
466
|
+
"Review and update the software inventory bi-annually, or more frequently"
|
|
532
467
|
],
|
|
533
468
|
coreRequirements: [ // Green - The "what"
|
|
534
|
-
"
|
|
535
|
-
"
|
|
536
|
-
"installed on enterprise assets",
|
|
537
|
-
"software asset management",
|
|
538
|
-
"comprehensive coverage"
|
|
469
|
+
"Detailed inventory of all licensed software",
|
|
470
|
+
"Installed on enterprise Assets"
|
|
539
471
|
],
|
|
540
472
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
541
|
-
"
|
|
542
|
-
"
|
|
543
|
-
"
|
|
544
|
-
"
|
|
545
|
-
"
|
|
546
|
-
"
|
|
547
|
-
"
|
|
548
|
-
"
|
|
549
|
-
"
|
|
473
|
+
"Establish",
|
|
474
|
+
"Maintain",
|
|
475
|
+
"Must Document",
|
|
476
|
+
"Title",
|
|
477
|
+
"Publisher",
|
|
478
|
+
"Initial Install / Use Date",
|
|
479
|
+
"Business Purpose",
|
|
480
|
+
"URL",
|
|
481
|
+
"App Store(s)",
|
|
482
|
+
"App Version(s)",
|
|
483
|
+
"Deployment mechanism",
|
|
484
|
+
"Decomm. Date",
|
|
485
|
+
"Where appropriate",
|
|
486
|
+
"bi-annually",
|
|
487
|
+
"More Frequently"
|
|
550
488
|
],
|
|
551
489
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
552
|
-
"software asset management tools",
|
|
553
|
-
"automated discovery agents",
|
|
554
|
-
"network-based scanning",
|
|
555
|
-
"endpoint detection tools",
|
|
556
|
-
"software metering solutions"
|
|
557
490
|
],
|
|
558
491
|
relatedSafeguards: ["1.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7"],
|
|
559
492
|
keywords: ["software", "inventory", "licensed", "detailed", "enterprise", "assets", "applications"]
|
|
@@ -566,32 +499,24 @@ export class SafeguardManager {
|
|
|
566
499
|
assetType: ["applications"],
|
|
567
500
|
securityFunction: ["Identify"],
|
|
568
501
|
governanceElements: [ // Orange - MUST be met
|
|
569
|
-
"
|
|
570
|
-
"authorization designation process",
|
|
571
|
-
"supported software verification",
|
|
572
|
-
"software lifecycle management"
|
|
502
|
+
"Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
|
|
573
503
|
],
|
|
574
504
|
coreRequirements: [ // Green - The "what"
|
|
575
|
-
"
|
|
576
|
-
"
|
|
577
|
-
"software inventory integration",
|
|
578
|
-
"support status verification"
|
|
505
|
+
"Currently supported software",
|
|
506
|
+
"Authorized in the software inventory"
|
|
579
507
|
],
|
|
580
508
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
581
|
-
"
|
|
582
|
-
"
|
|
583
|
-
"
|
|
584
|
-
"
|
|
585
|
-
"
|
|
586
|
-
"
|
|
587
|
-
"
|
|
509
|
+
"Ensure",
|
|
510
|
+
"Determine if Authorized Software Is Currently Supported",
|
|
511
|
+
"If Unsupported",
|
|
512
|
+
"Determine Necessity for Business",
|
|
513
|
+
"Document Exception detailing mitigating controls",
|
|
514
|
+
"Document Residual risk acceptance",
|
|
515
|
+
"Review the software list",
|
|
516
|
+
"Monthly",
|
|
517
|
+
"More frequently"
|
|
588
518
|
],
|
|
589
519
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
590
|
-
"vendor support databases",
|
|
591
|
-
"automated support checking",
|
|
592
|
-
"software lifecycle tracking",
|
|
593
|
-
"end-of-life notifications",
|
|
594
|
-
"authorization workflow tools"
|
|
595
520
|
],
|
|
596
521
|
relatedSafeguards: ["2.1", "2.3", "2.4", "2.5", "2.6", "2.7"],
|
|
597
522
|
keywords: ["supported", "software", "authorized", "designated", "inventory", "lifecycle", "end-of-life"]
|
|
@@ -599,36 +524,25 @@ export class SafeguardManager {
|
|
|
599
524
|
"2.3": {
|
|
600
525
|
id: "2.3",
|
|
601
526
|
title: "Address Unauthorized Software",
|
|
602
|
-
description: "Ensure that unauthorized software is either removed from use on enterprise assets or
|
|
527
|
+
description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
|
|
603
528
|
implementationGroup: "IG1",
|
|
604
529
|
assetType: ["applications"],
|
|
605
530
|
securityFunction: ["Respond"],
|
|
606
531
|
governanceElements: [ // Orange - MUST be met
|
|
607
|
-
"
|
|
608
|
-
"
|
|
609
|
-
"unauthorized software handling policy"
|
|
532
|
+
"Ensure",
|
|
533
|
+
"Review monthly, or more frequently"
|
|
610
534
|
],
|
|
611
535
|
coreRequirements: [ // Green - The "what"
|
|
612
|
-
"unauthorized software
|
|
613
|
-
"removed from use",
|
|
614
|
-
"approved for use",
|
|
615
|
-
"enterprise assets coverage"
|
|
536
|
+
"unauthorized software is either removed from use on enterprise assets or receives a documented exception"
|
|
616
537
|
],
|
|
617
538
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
618
|
-
"
|
|
619
|
-
"
|
|
620
|
-
"
|
|
621
|
-
"
|
|
622
|
-
"
|
|
623
|
-
"exception processes",
|
|
624
|
-
"documentation requirements"
|
|
539
|
+
"Address Unauthorized Software",
|
|
540
|
+
"Remove from use",
|
|
541
|
+
"Document Exception",
|
|
542
|
+
"Monthly",
|
|
543
|
+
"More Frequently"
|
|
625
544
|
],
|
|
626
545
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
627
|
-
"automated removal tools",
|
|
628
|
-
"application control systems",
|
|
629
|
-
"software whitelisting",
|
|
630
|
-
"policy enforcement tools",
|
|
631
|
-
"approval workflow systems"
|
|
632
546
|
],
|
|
633
547
|
relatedSafeguards: ["2.1", "2.2", "2.4", "2.5", "2.6", "2.7"],
|
|
634
548
|
keywords: ["unauthorized", "software", "removed", "approved", "enterprise", "assets", "address"]
|
|
@@ -636,37 +550,25 @@ export class SafeguardManager {
|
|
|
636
550
|
"2.4": {
|
|
637
551
|
id: "2.4",
|
|
638
552
|
title: "Utilize Automated Software Inventory Tools",
|
|
639
|
-
description: "Utilize
|
|
553
|
+
description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
|
|
640
554
|
implementationGroup: "IG2",
|
|
641
555
|
assetType: ["applications"],
|
|
642
|
-
securityFunction: ["
|
|
556
|
+
securityFunction: ["Detect"],
|
|
643
557
|
governanceElements: [ // Orange - MUST be met
|
|
644
|
-
"
|
|
645
|
-
"
|
|
646
|
-
"throughout enterprise coverage",
|
|
647
|
-
"automated inventory management"
|
|
558
|
+
"Utilize",
|
|
559
|
+
"when possible"
|
|
648
560
|
],
|
|
649
561
|
coreRequirements: [ // Green - The "what"
|
|
650
|
-
"
|
|
651
|
-
"
|
|
652
|
-
"comprehensive coverage",
|
|
653
|
-
"automated discovery capability"
|
|
562
|
+
"software inventory tools",
|
|
563
|
+
"automate the discovery and documentation of installed software"
|
|
654
564
|
],
|
|
655
565
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
656
|
-
"
|
|
657
|
-
"
|
|
658
|
-
"
|
|
659
|
-
"
|
|
660
|
-
"centralized reporting",
|
|
661
|
-
"integration capabilities",
|
|
662
|
-
"deployment strategies"
|
|
566
|
+
"Automate Discovery",
|
|
567
|
+
"Automate Documentation",
|
|
568
|
+
"Installed Software",
|
|
569
|
+
"When possible"
|
|
663
570
|
],
|
|
664
571
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
665
|
-
"endpoint agents",
|
|
666
|
-
"network scanners",
|
|
667
|
-
"SCCM integration",
|
|
668
|
-
"vulnerability scanners",
|
|
669
|
-
"asset management platforms"
|
|
670
572
|
],
|
|
671
573
|
relatedSafeguards: ["2.1", "2.2", "2.3", "2.5", "2.6", "2.7"],
|
|
672
574
|
keywords: ["automated", "software", "inventory", "tools", "enterprise", "deployment", "discovery"]
|
|
@@ -674,36 +576,30 @@ export class SafeguardManager {
|
|
|
674
576
|
"2.5": {
|
|
675
577
|
id: "2.5",
|
|
676
578
|
title: "Allowlist Authorized Software",
|
|
677
|
-
description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute",
|
|
579
|
+
description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
|
|
678
580
|
implementationGroup: "IG2",
|
|
679
581
|
assetType: ["applications"],
|
|
680
582
|
securityFunction: ["Protect"],
|
|
681
583
|
governanceElements: [ // Orange - MUST be met
|
|
682
|
-
"
|
|
683
|
-
"
|
|
684
|
-
"
|
|
584
|
+
"Use",
|
|
585
|
+
"Ensure",
|
|
586
|
+
"Reassess bi-annually, or more frequently"
|
|
685
587
|
],
|
|
686
588
|
coreRequirements: [ // Green - The "what"
|
|
687
589
|
"technical controls",
|
|
688
|
-
"
|
|
689
|
-
"only authorized software execution",
|
|
690
|
-
"execution prevention"
|
|
590
|
+
"only authorized software can execute or be accessed"
|
|
691
591
|
],
|
|
692
592
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
693
|
-
"
|
|
694
|
-
"
|
|
695
|
-
"
|
|
696
|
-
"
|
|
697
|
-
"
|
|
698
|
-
"
|
|
699
|
-
"
|
|
593
|
+
"Allowlist Authorized Software",
|
|
594
|
+
"Technical Controls",
|
|
595
|
+
"Execute",
|
|
596
|
+
"Accessed",
|
|
597
|
+
"Reassess",
|
|
598
|
+
"Bi-Annually",
|
|
599
|
+
"More Frequently"
|
|
700
600
|
],
|
|
701
601
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
702
|
-
"
|
|
703
|
-
"Windows AppLocker",
|
|
704
|
-
"endpoint protection platforms",
|
|
705
|
-
"code signing enforcement",
|
|
706
|
-
"execution prevention tools"
|
|
602
|
+
"Application Allowlisting"
|
|
707
603
|
],
|
|
708
604
|
relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.6", "2.7"],
|
|
709
605
|
keywords: ["allowlist", "authorized", "software", "technical", "controls", "application", "execution"]
|
|
@@ -711,36 +607,34 @@ export class SafeguardManager {
|
|
|
711
607
|
"2.6": {
|
|
712
608
|
id: "2.6",
|
|
713
609
|
title: "Allowlist Authorized Libraries",
|
|
714
|
-
description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so files
|
|
610
|
+
description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
|
|
715
611
|
implementationGroup: "IG2",
|
|
716
612
|
assetType: ["applications"],
|
|
717
613
|
securityFunction: ["Protect"],
|
|
718
614
|
governanceElements: [ // Orange - MUST be met
|
|
719
|
-
"
|
|
720
|
-
"
|
|
721
|
-
"system process
|
|
615
|
+
"Use",
|
|
616
|
+
"Ensure",
|
|
617
|
+
"Block unauthorized libraries from loading into a system process",
|
|
618
|
+
"Reassess bi-annually, or more frequently"
|
|
722
619
|
],
|
|
723
620
|
coreRequirements: [ // Green - The "what"
|
|
724
621
|
"technical controls",
|
|
725
622
|
"only authorized software libraries",
|
|
726
|
-
"
|
|
727
|
-
"system process loading"
|
|
623
|
+
"are allowed to load into a system process"
|
|
728
624
|
],
|
|
729
625
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
730
|
-
"
|
|
731
|
-
"
|
|
732
|
-
"
|
|
733
|
-
"
|
|
734
|
-
"
|
|
735
|
-
"
|
|
736
|
-
"
|
|
626
|
+
"Only authorized software libraries",
|
|
627
|
+
"Are allowed to load into a system process",
|
|
628
|
+
"Technical Controls",
|
|
629
|
+
"Block unauthorized libraries from loading into a system process",
|
|
630
|
+
"Reassess",
|
|
631
|
+
"Bi-Annually",
|
|
632
|
+
"More Frequently"
|
|
737
633
|
],
|
|
738
634
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
739
|
-
"
|
|
740
|
-
"
|
|
741
|
-
"
|
|
742
|
-
"kernel-level controls",
|
|
743
|
-
"signature enforcement"
|
|
635
|
+
"Specific .dll files",
|
|
636
|
+
"Specific .ocx files",
|
|
637
|
+
"Specific .so files"
|
|
744
638
|
],
|
|
745
639
|
relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.7"],
|
|
746
640
|
keywords: ["allowlist", "authorized", "libraries", "dll", "ocx", "so", "system", "process", "technical"]
|
|
@@ -748,36 +642,33 @@ export class SafeguardManager {
|
|
|
748
642
|
"2.7": {
|
|
749
643
|
id: "2.7",
|
|
750
644
|
title: "Allowlist Authorized Scripts",
|
|
751
|
-
description: "Use technical controls, such as digital signatures and version control
|
|
645
|
+
description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
|
|
752
646
|
implementationGroup: "IG3",
|
|
753
647
|
assetType: ["applications"],
|
|
754
648
|
securityFunction: ["Protect"],
|
|
755
649
|
governanceElements: [ // Orange - MUST be met
|
|
756
|
-
"
|
|
757
|
-
"
|
|
758
|
-
"
|
|
650
|
+
"Use",
|
|
651
|
+
"Ensure",
|
|
652
|
+
"Block unauthorized scripts from executing",
|
|
653
|
+
"Reassess bi-annually, or more frequently"
|
|
759
654
|
],
|
|
760
655
|
coreRequirements: [ // Green - The "what"
|
|
761
656
|
"technical controls",
|
|
762
|
-
"
|
|
763
|
-
"version control systems",
|
|
764
|
-
"only authorized scripts execution"
|
|
657
|
+
"only authorized files are allowed to execute"
|
|
765
658
|
],
|
|
766
659
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
767
|
-
"
|
|
768
|
-
"
|
|
769
|
-
"
|
|
770
|
-
"
|
|
771
|
-
"
|
|
772
|
-
"
|
|
773
|
-
"runtime monitoring"
|
|
660
|
+
"Only authorized files are allowed to execute",
|
|
661
|
+
"Technical Controls",
|
|
662
|
+
"Block unauthorized scripts from executing",
|
|
663
|
+
"Reassess",
|
|
664
|
+
"Bi-Annually",
|
|
665
|
+
"More Frequently"
|
|
774
666
|
],
|
|
775
667
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
776
|
-
"
|
|
777
|
-
"
|
|
778
|
-
"
|
|
779
|
-
"
|
|
780
|
-
"code signing certificates"
|
|
668
|
+
"Digital signatures",
|
|
669
|
+
"Version control",
|
|
670
|
+
"Specific .ps1 files",
|
|
671
|
+
"Specific .py files"
|
|
781
672
|
],
|
|
782
673
|
relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6"],
|
|
783
674
|
keywords: ["allowlist", "authorized", "scripts", "digital", "signatures", "version", "control", "execution"]
|
|
@@ -785,37 +676,32 @@ export class SafeguardManager {
|
|
|
785
676
|
"3.1": {
|
|
786
677
|
id: "3.1",
|
|
787
678
|
title: "Establish and Maintain a Data Management Process",
|
|
788
|
-
description: "Establish and maintain a data management process",
|
|
679
|
+
description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
789
680
|
implementationGroup: "IG1",
|
|
790
681
|
assetType: ["data"],
|
|
791
682
|
securityFunction: ["Govern"],
|
|
792
683
|
governanceElements: [ // Orange - MUST be met
|
|
793
|
-
"
|
|
794
|
-
"
|
|
795
|
-
"
|
|
796
|
-
"data management policy"
|
|
684
|
+
"Establish",
|
|
685
|
+
"Maintain",
|
|
686
|
+
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
797
687
|
],
|
|
798
688
|
coreRequirements: [ // Green - The "what"
|
|
799
|
-
"data management process",
|
|
800
|
-
"data
|
|
801
|
-
"data handling procedures",
|
|
802
|
-
"data lifecycle management"
|
|
689
|
+
"documented data management process",
|
|
690
|
+
"address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise"
|
|
803
691
|
],
|
|
804
692
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
805
|
-
"
|
|
806
|
-
"
|
|
807
|
-
"
|
|
808
|
-
"
|
|
809
|
-
"
|
|
810
|
-
"
|
|
811
|
-
"
|
|
693
|
+
"Documented Data management process",
|
|
694
|
+
"Data Sensitivity",
|
|
695
|
+
"Data Owner",
|
|
696
|
+
"Data Handling",
|
|
697
|
+
"Data Retention Limits",
|
|
698
|
+
"Disposal Requirements",
|
|
699
|
+
"Retention Standards",
|
|
700
|
+
"Review and update documentation",
|
|
701
|
+
"Annually",
|
|
702
|
+
"When significant enterprise changes occur that could impact this Safeguard"
|
|
812
703
|
],
|
|
813
704
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
814
|
-
"data governance platforms",
|
|
815
|
-
"data discovery tools",
|
|
816
|
-
"data classification tools",
|
|
817
|
-
"policy management systems",
|
|
818
|
-
"data lineage tracking"
|
|
819
705
|
],
|
|
820
706
|
relatedSafeguards: ["3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"],
|
|
821
707
|
keywords: ["data", "management", "process", "establish", "maintain", "governance", "lifecycle"]
|
|
@@ -823,38 +709,28 @@ export class SafeguardManager {
|
|
|
823
709
|
"3.2": {
|
|
824
710
|
id: "3.2",
|
|
825
711
|
title: "Establish and Maintain a Data Inventory",
|
|
826
|
-
description: "Establish and maintain a data inventory
|
|
712
|
+
description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
|
|
827
713
|
implementationGroup: "IG1",
|
|
828
714
|
assetType: ["data"],
|
|
829
715
|
securityFunction: ["Identify"],
|
|
830
716
|
governanceElements: [ // Orange - MUST be met
|
|
831
|
-
"
|
|
832
|
-
"
|
|
833
|
-
"
|
|
834
|
-
"inventory management requirements"
|
|
717
|
+
"Establish",
|
|
718
|
+
"Maintain",
|
|
719
|
+
"Review and update inventory annually, at a minimum, with a priority on sensitive data"
|
|
835
720
|
],
|
|
836
721
|
coreRequirements: [ // Green - The "what"
|
|
837
|
-
"data inventory",
|
|
838
|
-
"
|
|
839
|
-
"data asset identification",
|
|
840
|
-
"data location tracking"
|
|
722
|
+
"data inventory based on the enterprise's data management process",
|
|
723
|
+
"inventory sensitive data, at a minimum"
|
|
841
724
|
],
|
|
842
725
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
843
|
-
"
|
|
844
|
-
"
|
|
845
|
-
"
|
|
846
|
-
"
|
|
847
|
-
"
|
|
848
|
-
"data
|
|
849
|
-
"data formats",
|
|
850
|
-
"data repositories"
|
|
726
|
+
"Data Inventory",
|
|
727
|
+
"Based on Data Management process",
|
|
728
|
+
"Sensitive Data at a Minimum",
|
|
729
|
+
"Review and update inventory",
|
|
730
|
+
"Annually, at a minimum",
|
|
731
|
+
"Priority on sensitive data"
|
|
851
732
|
],
|
|
852
733
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
853
|
-
"data discovery scanners",
|
|
854
|
-
"database inventory tools",
|
|
855
|
-
"file system crawlers",
|
|
856
|
-
"cloud data discovery",
|
|
857
|
-
"automated data cataloging"
|
|
858
734
|
],
|
|
859
735
|
relatedSafeguards: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"],
|
|
860
736
|
keywords: ["data", "inventory", "enterprise", "management", "process", "identification", "tracking"]
|
|
@@ -862,37 +738,27 @@ export class SafeguardManager {
|
|
|
862
738
|
"3.3": {
|
|
863
739
|
id: "3.3",
|
|
864
740
|
title: "Configure Data Access Control Lists",
|
|
865
|
-
description: "Configure data access control lists based on a user's need to know",
|
|
741
|
+
description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
|
|
866
742
|
implementationGroup: "IG1",
|
|
867
743
|
assetType: ["data"],
|
|
868
744
|
securityFunction: ["Protect"],
|
|
869
745
|
governanceElements: [ // Orange - MUST be met
|
|
870
|
-
"
|
|
871
|
-
"
|
|
872
|
-
"data access governance",
|
|
873
|
-
"access control policy"
|
|
746
|
+
"Configure",
|
|
747
|
+
"Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications"
|
|
874
748
|
],
|
|
875
749
|
coreRequirements: [ // Green - The "what"
|
|
876
|
-
"data access control lists"
|
|
877
|
-
"user need to know basis",
|
|
878
|
-
"access restriction enforcement",
|
|
879
|
-
"granular access controls"
|
|
750
|
+
"data access control lists based on a user's need to know"
|
|
880
751
|
],
|
|
881
752
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
882
|
-
"
|
|
883
|
-
"
|
|
884
|
-
"
|
|
885
|
-
"
|
|
886
|
-
"
|
|
887
|
-
"
|
|
888
|
-
"
|
|
753
|
+
"Data Access control lists",
|
|
754
|
+
"Based on \"Need to Know\"",
|
|
755
|
+
"ACLS - \"aka\" Access Permissions",
|
|
756
|
+
"Local",
|
|
757
|
+
"Remote File Systems",
|
|
758
|
+
"Applications",
|
|
759
|
+
"Databases"
|
|
889
760
|
],
|
|
890
761
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
891
|
-
"file system ACLs",
|
|
892
|
-
"database permissions",
|
|
893
|
-
"application-level controls",
|
|
894
|
-
"identity management systems",
|
|
895
|
-
"access governance tools"
|
|
896
762
|
],
|
|
897
763
|
relatedSafeguards: ["3.1", "3.2", "3.4", "3.5", "3.6", "5.1", "6.1", "6.2"],
|
|
898
764
|
keywords: ["data", "access", "control", "lists", "need", "know", "user", "permissions"]
|
|
@@ -900,37 +766,26 @@ export class SafeguardManager {
|
|
|
900
766
|
"3.4": {
|
|
901
767
|
id: "3.4",
|
|
902
768
|
title: "Enforce Data Retention",
|
|
903
|
-
description: "Retain data according to the enterprise's data management process",
|
|
769
|
+
description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
|
|
904
770
|
implementationGroup: "IG1",
|
|
905
771
|
assetType: ["data"],
|
|
906
772
|
securityFunction: ["Protect"],
|
|
907
773
|
governanceElements: [ // Orange - MUST be met
|
|
908
|
-
"
|
|
909
|
-
"
|
|
910
|
-
"
|
|
911
|
-
"retention policy enforcement"
|
|
774
|
+
"Retain",
|
|
775
|
+
"Enforce",
|
|
776
|
+
"must include both minimum and maximum timelines"
|
|
912
777
|
],
|
|
913
778
|
coreRequirements: [ // Green - The "what"
|
|
914
|
-
"data
|
|
915
|
-
"retention
|
|
916
|
-
"data lifecycle management",
|
|
917
|
-
"retention period adherence"
|
|
779
|
+
"data according to the enterprise's documented data management process",
|
|
780
|
+
"Data retention"
|
|
918
781
|
],
|
|
919
782
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
920
|
-
"
|
|
921
|
-
"
|
|
922
|
-
"
|
|
923
|
-
"
|
|
924
|
-
"disposal timelines",
|
|
925
|
-
"archive procedures",
|
|
926
|
-
"retention monitoring"
|
|
783
|
+
"Data Retention",
|
|
784
|
+
"Must Include",
|
|
785
|
+
"Minimum Timelines",
|
|
786
|
+
"Maximum timelines"
|
|
927
787
|
],
|
|
928
788
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
929
|
-
"automated retention tools",
|
|
930
|
-
"data lifecycle management",
|
|
931
|
-
"archival systems",
|
|
932
|
-
"retention scheduling tools",
|
|
933
|
-
"compliance monitoring"
|
|
934
789
|
],
|
|
935
790
|
relatedSafeguards: ["3.1", "3.2", "3.5", "3.6", "3.10"],
|
|
936
791
|
keywords: ["data", "retention", "enterprise", "management", "process", "lifecycle", "schedule"]
|
|
@@ -938,37 +793,23 @@ export class SafeguardManager {
|
|
|
938
793
|
"3.5": {
|
|
939
794
|
id: "3.5",
|
|
940
795
|
title: "Securely Dispose of Data",
|
|
941
|
-
description: "Securely dispose of data as outlined in the enterprise's data management process",
|
|
796
|
+
description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
|
|
942
797
|
implementationGroup: "IG1",
|
|
943
798
|
assetType: ["data"],
|
|
944
799
|
securityFunction: ["Protect"],
|
|
945
800
|
governanceElements: [ // Orange - MUST be met
|
|
946
|
-
"
|
|
947
|
-
"
|
|
948
|
-
"data disposal governance",
|
|
949
|
-
"secure disposal policy"
|
|
801
|
+
"Securely dispose of data",
|
|
802
|
+
"Ensure"
|
|
950
803
|
],
|
|
951
804
|
coreRequirements: [ // Green - The "what"
|
|
952
|
-
"
|
|
953
|
-
"
|
|
954
|
-
"disposal method security",
|
|
955
|
-
"data destruction assurance"
|
|
805
|
+
"as outlined in the enterprise's data management process",
|
|
806
|
+
"the disposal process and method are commensurate with the data sensitivity"
|
|
956
807
|
],
|
|
957
808
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
958
|
-
"
|
|
959
|
-
"data
|
|
960
|
-
"media destruction",
|
|
961
|
-
"digital shredding",
|
|
962
|
-
"disposal verification",
|
|
963
|
-
"disposal documentation",
|
|
964
|
-
"certificate of destruction"
|
|
809
|
+
"Securely dispose of data",
|
|
810
|
+
"Disposal process and method are commensurate with the data sensitivity"
|
|
965
811
|
],
|
|
966
812
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
967
|
-
"data wiping tools",
|
|
968
|
-
"media destruction services",
|
|
969
|
-
"cryptographic erasure",
|
|
970
|
-
"physical destruction",
|
|
971
|
-
"disposal tracking systems"
|
|
972
813
|
],
|
|
973
814
|
relatedSafeguards: ["3.1", "3.2", "3.4", "3.6", "3.10"],
|
|
974
815
|
keywords: ["securely", "dispose", "data", "enterprise", "management", "process", "destruction"]
|
|
@@ -976,37 +817,24 @@ export class SafeguardManager {
|
|
|
976
817
|
"3.6": {
|
|
977
818
|
id: "3.6",
|
|
978
819
|
title: "Encrypt Data on End-User Devices",
|
|
979
|
-
description: "Encrypt data on end-user devices containing sensitive data",
|
|
820
|
+
description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
|
|
980
821
|
implementationGroup: "IG1",
|
|
981
822
|
assetType: ["data"],
|
|
982
823
|
securityFunction: ["Protect"],
|
|
983
824
|
governanceElements: [ // Orange - MUST be met
|
|
984
|
-
"
|
|
985
|
-
"end-user devices coverage",
|
|
986
|
-
"sensitive data identification",
|
|
987
|
-
"encryption policy enforcement"
|
|
825
|
+
"Encrypt"
|
|
988
826
|
],
|
|
989
827
|
coreRequirements: [ // Green - The "what"
|
|
990
|
-
"data
|
|
991
|
-
"end-user devices",
|
|
992
|
-
"sensitive data protection",
|
|
993
|
-
"encryption implementation"
|
|
828
|
+
"data on end-user devices containing sensitive data"
|
|
994
829
|
],
|
|
995
830
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
996
|
-
"
|
|
997
|
-
"
|
|
998
|
-
"encryption algorithms",
|
|
999
|
-
"key management",
|
|
1000
|
-
"device types coverage",
|
|
1001
|
-
"mobile device encryption",
|
|
1002
|
-
"laptop encryption"
|
|
831
|
+
"Data on end-user devices",
|
|
832
|
+
"Sensitive data"
|
|
1003
833
|
],
|
|
1004
834
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1005
|
-
"
|
|
1006
|
-
"FileVault
|
|
1007
|
-
"
|
|
1008
|
-
"mobile device management",
|
|
1009
|
-
"encryption key management"
|
|
835
|
+
"Windows Bitlocker",
|
|
836
|
+
"Apple FileVault",
|
|
837
|
+
"Linux dm-crypt"
|
|
1010
838
|
],
|
|
1011
839
|
relatedSafeguards: ["1.1", "3.1", "3.2", "3.7", "3.8", "3.9", "3.11"],
|
|
1012
840
|
keywords: ["encrypt", "data", "end-user", "devices", "sensitive", "protection", "encryption"]
|
|
@@ -1014,37 +842,30 @@ export class SafeguardManager {
|
|
|
1014
842
|
"3.7": {
|
|
1015
843
|
id: "3.7",
|
|
1016
844
|
title: "Establish and Maintain a Data Classification Scheme",
|
|
1017
|
-
description: "Establish and maintain
|
|
845
|
+
description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1018
846
|
implementationGroup: "IG2",
|
|
1019
847
|
assetType: ["data"],
|
|
1020
848
|
securityFunction: ["Identify"],
|
|
1021
849
|
governanceElements: [ // Orange - MUST be met
|
|
1022
|
-
"
|
|
1023
|
-
"
|
|
1024
|
-
"
|
|
1025
|
-
"classification governance"
|
|
850
|
+
"Establish",
|
|
851
|
+
"Maintain",
|
|
852
|
+
"Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1026
853
|
],
|
|
1027
854
|
coreRequirements: [ // Green - The "what"
|
|
1028
|
-
"data classification scheme",
|
|
1029
|
-
"
|
|
1030
|
-
"classification standards",
|
|
1031
|
-
"data labeling system"
|
|
855
|
+
"overall data classification scheme for the enterprise",
|
|
856
|
+
"classify their data according to those labels"
|
|
1032
857
|
],
|
|
1033
858
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1034
|
-
"classification
|
|
1035
|
-
"
|
|
1036
|
-
"classification
|
|
1037
|
-
"
|
|
1038
|
-
"
|
|
1039
|
-
"access requirements",
|
|
1040
|
-
"classification workflows"
|
|
859
|
+
"Data classification scheme",
|
|
860
|
+
"Classify their data according to labels",
|
|
861
|
+
"Review and update classification scheme",
|
|
862
|
+
"Annually",
|
|
863
|
+
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1041
864
|
],
|
|
1042
865
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1043
|
-
"
|
|
1044
|
-
"
|
|
1045
|
-
"
|
|
1046
|
-
"sensitivity scanners",
|
|
1047
|
-
"classification workflows"
|
|
866
|
+
"Sensitive",
|
|
867
|
+
"Confidential",
|
|
868
|
+
"Public"
|
|
1048
869
|
],
|
|
1049
870
|
relatedSafeguards: ["3.1", "3.2", "3.3", "3.8", "3.9", "3.10", "3.11", "3.12"],
|
|
1050
871
|
keywords: ["establish", "maintain", "data", "classification", "scheme", "sensitivity", "labeling"]
|
|
@@ -1052,37 +873,29 @@ export class SafeguardManager {
|
|
|
1052
873
|
"3.8": {
|
|
1053
874
|
id: "3.8",
|
|
1054
875
|
title: "Document Data Flows",
|
|
1055
|
-
description: "Document data flows
|
|
876
|
+
description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1056
877
|
implementationGroup: "IG2",
|
|
1057
878
|
assetType: ["data"],
|
|
1058
879
|
securityFunction: ["Identify"],
|
|
1059
880
|
governanceElements: [ // Orange - MUST be met
|
|
1060
|
-
"
|
|
1061
|
-
"
|
|
1062
|
-
"data flow documentation requirement",
|
|
1063
|
-
"flow mapping governance"
|
|
881
|
+
"Document data flows",
|
|
882
|
+
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1064
883
|
],
|
|
1065
884
|
coreRequirements: [ // Green - The "what"
|
|
1066
|
-
"
|
|
1067
|
-
"sensitive data flows",
|
|
1068
|
-
"data movement tracking",
|
|
1069
|
-
"flow visualization"
|
|
885
|
+
"Data flow documentation includes service provider data flows and should be based on the enterprise's data management process"
|
|
1070
886
|
],
|
|
1071
887
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1072
|
-
"data
|
|
1073
|
-
"
|
|
1074
|
-
"
|
|
1075
|
-
"
|
|
1076
|
-
"
|
|
1077
|
-
"
|
|
1078
|
-
"data boundaries"
|
|
888
|
+
"Document data flows",
|
|
889
|
+
"Enterprise Data Flows",
|
|
890
|
+
"Service Provider Data Flows",
|
|
891
|
+
"Review and update documentation",
|
|
892
|
+
"Annually",
|
|
893
|
+
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1079
894
|
],
|
|
1080
895
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1081
|
-
"
|
|
1082
|
-
"flow mapping
|
|
1083
|
-
"
|
|
1084
|
-
"process documentation",
|
|
1085
|
-
"network flow analysis"
|
|
896
|
+
"Data management systems",
|
|
897
|
+
"Data flow mapping tools",
|
|
898
|
+
"Service provider documentation"
|
|
1086
899
|
],
|
|
1087
900
|
relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"],
|
|
1088
901
|
keywords: ["document", "data", "flows", "sensitive", "mapping", "tracking", "lineage"]
|
|
@@ -1090,37 +903,20 @@ export class SafeguardManager {
|
|
|
1090
903
|
"3.9": {
|
|
1091
904
|
id: "3.9",
|
|
1092
905
|
title: "Encrypt Data on Removable Media",
|
|
1093
|
-
description: "Encrypt
|
|
906
|
+
description: "Encrypt Data on Removable Media",
|
|
1094
907
|
implementationGroup: "IG2",
|
|
1095
908
|
assetType: ["data"],
|
|
1096
909
|
securityFunction: ["Protect"],
|
|
1097
910
|
governanceElements: [ // Orange - MUST be met
|
|
1098
|
-
"
|
|
1099
|
-
"removable media coverage",
|
|
1100
|
-
"encryption policy enforcement",
|
|
1101
|
-
"removable media governance"
|
|
911
|
+
"Encrypt Data on Removable Media"
|
|
1102
912
|
],
|
|
1103
913
|
coreRequirements: [ // Green - The "what"
|
|
1104
|
-
"data encryption",
|
|
1105
|
-
"removable media",
|
|
1106
|
-
"portable storage protection",
|
|
1107
|
-
"encryption implementation"
|
|
1108
914
|
],
|
|
1109
915
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1110
|
-
"
|
|
1111
|
-
"
|
|
1112
|
-
"optical media",
|
|
1113
|
-
"memory cards",
|
|
1114
|
-
"encryption methods",
|
|
1115
|
-
"key management",
|
|
1116
|
-
"access controls"
|
|
916
|
+
"Data on Removable Media",
|
|
917
|
+
"Maintain"
|
|
1117
918
|
],
|
|
1118
919
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1119
|
-
"encrypted USB drives",
|
|
1120
|
-
"device encryption tools",
|
|
1121
|
-
"removable media controls",
|
|
1122
|
-
"encryption management",
|
|
1123
|
-
"key escrow systems"
|
|
1124
920
|
],
|
|
1125
921
|
relatedSafeguards: ["3.1", "3.6", "3.7", "3.10", "3.11"],
|
|
1126
922
|
keywords: ["encrypt", "data", "removable", "media", "portable", "storage", "USB"]
|
|
@@ -1128,37 +924,22 @@ export class SafeguardManager {
|
|
|
1128
924
|
"3.10": {
|
|
1129
925
|
id: "3.10",
|
|
1130
926
|
title: "Encrypt Sensitive Data in Transit",
|
|
1131
|
-
description: "Encrypt sensitive data in transit",
|
|
927
|
+
description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
|
|
1132
928
|
implementationGroup: "IG2",
|
|
1133
929
|
assetType: ["data"],
|
|
1134
930
|
securityFunction: ["Protect"],
|
|
1135
931
|
governanceElements: [ // Orange - MUST be met
|
|
1136
|
-
"
|
|
1137
|
-
"in transit requirement",
|
|
1138
|
-
"transmission encryption policy",
|
|
1139
|
-
"transit encryption governance"
|
|
932
|
+
"Encrypt"
|
|
1140
933
|
],
|
|
1141
934
|
coreRequirements: [ // Green - The "what"
|
|
1142
|
-
"sensitive data
|
|
1143
|
-
"data in transit",
|
|
1144
|
-
"transmission protection",
|
|
1145
|
-
"communication security"
|
|
935
|
+
"sensitive data in transit"
|
|
1146
936
|
],
|
|
1147
937
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1148
|
-
"
|
|
1149
|
-
"encryption protocols",
|
|
1150
|
-
"TLS/SSL implementation",
|
|
1151
|
-
"VPN tunneling",
|
|
1152
|
-
"secure communication channels",
|
|
1153
|
-
"certificate management",
|
|
1154
|
-
"key exchange"
|
|
938
|
+
"Sensitive data in transit"
|
|
1155
939
|
],
|
|
1156
940
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1157
|
-
"TLS
|
|
1158
|
-
"
|
|
1159
|
-
"secure email gateways",
|
|
1160
|
-
"encrypted file transfer",
|
|
1161
|
-
"secure messaging systems"
|
|
941
|
+
"TLS",
|
|
942
|
+
"OpenSSH"
|
|
1162
943
|
],
|
|
1163
944
|
relatedSafeguards: ["3.1", "3.7", "3.8", "3.11", "13.1", "13.2"],
|
|
1164
945
|
keywords: ["encrypt", "sensitive", "data", "transit", "transmission", "TLS", "communication"]
|
|
@@ -1166,75 +947,53 @@ export class SafeguardManager {
|
|
|
1166
947
|
"3.11": {
|
|
1167
948
|
id: "3.11",
|
|
1168
949
|
title: "Encrypt Sensitive Data at Rest",
|
|
1169
|
-
description: "Encrypt sensitive data at rest",
|
|
950
|
+
description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
|
|
1170
951
|
implementationGroup: "IG2",
|
|
1171
952
|
assetType: ["data"],
|
|
1172
953
|
securityFunction: ["Protect"],
|
|
1173
954
|
governanceElements: [ // Orange - MUST be met
|
|
1174
|
-
"
|
|
1175
|
-
"
|
|
1176
|
-
"storage encryption policy",
|
|
1177
|
-
"rest encryption governance"
|
|
955
|
+
"Encrypt",
|
|
956
|
+
"meets the minimum requirement of this Safeguard"
|
|
1178
957
|
],
|
|
1179
958
|
coreRequirements: [ // Green - The "what"
|
|
1180
|
-
"sensitive data
|
|
1181
|
-
"
|
|
1182
|
-
"storage protection",
|
|
1183
|
-
"persistent data security"
|
|
959
|
+
"sensitive data at rest on servers, applications, and databases",
|
|
960
|
+
"Storage-layer encryption, also known as server-side encryption"
|
|
1184
961
|
],
|
|
1185
962
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1186
|
-
"
|
|
1187
|
-
"
|
|
1188
|
-
"
|
|
1189
|
-
"
|
|
1190
|
-
"
|
|
1191
|
-
"
|
|
1192
|
-
"encryption algorithms"
|
|
963
|
+
"Encrypt Sensitive Data At Rest",
|
|
964
|
+
"Servers",
|
|
965
|
+
"Applications",
|
|
966
|
+
"Databases",
|
|
967
|
+
"Storage Layer (server side) encryption",
|
|
968
|
+
"Minimum Requirement"
|
|
1193
969
|
],
|
|
1194
970
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1195
|
-
"
|
|
1196
|
-
"
|
|
1197
|
-
"file-level encryption",
|
|
1198
|
-
"key management services",
|
|
1199
|
-
"hardware security modules"
|
|
971
|
+
"Application layer (client-side) encryption",
|
|
972
|
+
"Where access to the data storage device(s) does not permit access to the plain-text data"
|
|
1200
973
|
],
|
|
1201
974
|
relatedSafeguards: ["3.1", "3.6", "3.7", "3.9", "3.10", "11.1"],
|
|
1202
975
|
keywords: ["encrypt", "sensitive", "data", "rest", "storage", "database", "persistent"]
|
|
1203
976
|
},
|
|
1204
977
|
"3.12": {
|
|
1205
978
|
id: "3.12",
|
|
1206
|
-
title: "Segment Data Processing and Storage Based on
|
|
1207
|
-
description: "Segment data processing and storage based on the
|
|
1208
|
-
implementationGroup: "
|
|
979
|
+
title: "Segment Data Processing and Storage Based on Sensitivity",
|
|
980
|
+
description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
|
|
981
|
+
implementationGroup: "IG2",
|
|
1209
982
|
assetType: ["data"],
|
|
1210
983
|
securityFunction: ["Protect"],
|
|
1211
984
|
governanceElements: [ // Orange - MUST be met
|
|
1212
|
-
"
|
|
1213
|
-
"
|
|
1214
|
-
"based on classification",
|
|
1215
|
-
"segmentation governance"
|
|
985
|
+
"Segment data processing and storage based on the sensitivity of the data",
|
|
986
|
+
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
1216
987
|
],
|
|
1217
988
|
coreRequirements: [ // Green - The "what"
|
|
1218
|
-
"data segmentation",
|
|
1219
|
-
"processing segregation",
|
|
1220
|
-
"storage segregation",
|
|
1221
|
-
"classification-based separation"
|
|
1222
989
|
],
|
|
1223
990
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1224
|
-
"
|
|
1225
|
-
"
|
|
1226
|
-
"
|
|
1227
|
-
"
|
|
1228
|
-
"storage zones",
|
|
1229
|
-
"access boundaries",
|
|
1230
|
-
"isolation controls"
|
|
991
|
+
"Based on the sensitivity of data",
|
|
992
|
+
"Segment data processing (compute)",
|
|
993
|
+
"Segment Storage",
|
|
994
|
+
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
1231
995
|
],
|
|
1232
996
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1233
|
-
"network segmentation tools",
|
|
1234
|
-
"virtualization platforms",
|
|
1235
|
-
"container isolation",
|
|
1236
|
-
"zone-based architecture",
|
|
1237
|
-
"micro-segmentation"
|
|
1238
997
|
],
|
|
1239
998
|
relatedSafeguards: ["3.1", "3.7", "12.1", "12.2", "12.3"],
|
|
1240
999
|
keywords: ["segment", "data", "processing", "storage", "classification", "separation", "isolation"]
|
|
@@ -1242,37 +1001,29 @@ export class SafeguardManager {
|
|
|
1242
1001
|
"3.13": {
|
|
1243
1002
|
id: "3.13",
|
|
1244
1003
|
title: "Deploy a Data Loss Prevention Solution",
|
|
1245
|
-
description: "
|
|
1004
|
+
description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
|
|
1246
1005
|
implementationGroup: "IG3",
|
|
1247
1006
|
assetType: ["data"],
|
|
1248
1007
|
securityFunction: ["Protect"],
|
|
1249
1008
|
governanceElements: [ // Orange - MUST be met
|
|
1250
|
-
"
|
|
1251
|
-
"
|
|
1252
|
-
"data loss prevention requirement",
|
|
1253
|
-
"DLP governance"
|
|
1009
|
+
"Implement",
|
|
1010
|
+
"Update Data Inventory"
|
|
1254
1011
|
],
|
|
1255
1012
|
coreRequirements: [ // Green - The "what"
|
|
1256
|
-
"data
|
|
1257
|
-
"sensitive data assets",
|
|
1258
|
-
"data leakage prevention",
|
|
1259
|
-
"data exfiltration controls"
|
|
1013
|
+
"automated tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider"
|
|
1260
1014
|
],
|
|
1261
1015
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1262
|
-
"
|
|
1263
|
-
"
|
|
1264
|
-
"
|
|
1265
|
-
"
|
|
1266
|
-
"
|
|
1267
|
-
"
|
|
1268
|
-
"
|
|
1016
|
+
"Automated DLP Tool",
|
|
1017
|
+
"Identify all sensitive Data",
|
|
1018
|
+
"Stored",
|
|
1019
|
+
"Processed",
|
|
1020
|
+
"Transmitted",
|
|
1021
|
+
"Onsite Data",
|
|
1022
|
+
"Remote Service Provider",
|
|
1023
|
+
"Update Data Inventory"
|
|
1269
1024
|
],
|
|
1270
1025
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1271
|
-
"DLP
|
|
1272
|
-
"content analysis engines",
|
|
1273
|
-
"policy management systems",
|
|
1274
|
-
"incident response integration",
|
|
1275
|
-
"monitoring and alerting"
|
|
1026
|
+
"Host-based Data loss Prevention (DLP) tool"
|
|
1276
1027
|
],
|
|
1277
1028
|
relatedSafeguards: ["3.1", "3.7", "3.8", "3.10", "3.11"],
|
|
1278
1029
|
keywords: ["deploy", "data", "loss", "prevention", "solution", "sensitive", "DLP"]
|
|
@@ -1280,37 +1031,23 @@ export class SafeguardManager {
|
|
|
1280
1031
|
"3.14": {
|
|
1281
1032
|
id: "3.14",
|
|
1282
1033
|
title: "Log Sensitive Data Access",
|
|
1283
|
-
description: "Log sensitive data access, including modification and disposal",
|
|
1034
|
+
description: "Log sensitive data access, including modification and disposal.",
|
|
1284
1035
|
implementationGroup: "IG3",
|
|
1285
1036
|
assetType: ["data"],
|
|
1286
1037
|
securityFunction: ["Detect"],
|
|
1287
1038
|
governanceElements: [ // Orange - MUST be met
|
|
1288
|
-
"
|
|
1289
|
-
"including modification disposal",
|
|
1290
|
-
"data access logging requirement",
|
|
1291
|
-
"access monitoring governance"
|
|
1039
|
+
"Log"
|
|
1292
1040
|
],
|
|
1293
1041
|
coreRequirements: [ // Green - The "what"
|
|
1294
|
-
"sensitive data access
|
|
1295
|
-
"modification logging",
|
|
1296
|
-
"disposal logging",
|
|
1297
|
-
"comprehensive access tracking"
|
|
1042
|
+
"sensitive data access, including modification and disposal"
|
|
1298
1043
|
],
|
|
1299
1044
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1300
|
-
"access
|
|
1301
|
-
"
|
|
1302
|
-
"
|
|
1303
|
-
"
|
|
1304
|
-
"data identification",
|
|
1305
|
-
"source system logging",
|
|
1306
|
-
"audit trail maintenance"
|
|
1045
|
+
"Sensitive Data access",
|
|
1046
|
+
"Access",
|
|
1047
|
+
"Modification",
|
|
1048
|
+
"Disposal"
|
|
1307
1049
|
],
|
|
1308
1050
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1309
|
-
"database audit logs",
|
|
1310
|
-
"file access monitoring",
|
|
1311
|
-
"SIEM integration",
|
|
1312
|
-
"log management platforms",
|
|
1313
|
-
"activity monitoring tools"
|
|
1314
1051
|
],
|
|
1315
1052
|
relatedSafeguards: ["3.1", "3.7", "3.8", "8.1", "8.2"],
|
|
1316
1053
|
keywords: ["log", "sensitive", "data", "access", "modification", "disposal", "audit"]
|
|
@@ -1318,914 +1055,733 @@ export class SafeguardManager {
|
|
|
1318
1055
|
"4.1": {
|
|
1319
1056
|
id: "4.1",
|
|
1320
1057
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
1321
|
-
description: "Establish and maintain a secure configuration process for enterprise assets and software",
|
|
1058
|
+
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1322
1059
|
implementationGroup: "IG1",
|
|
1323
|
-
assetType: ["devices", "applications"],
|
|
1060
|
+
assetType: ["end-user devices", "network devices", "IoT devices", "servers", "applications"],
|
|
1324
1061
|
securityFunction: ["Govern"],
|
|
1325
1062
|
governanceElements: [ // Orange - MUST be met
|
|
1326
|
-
"
|
|
1327
|
-
"
|
|
1328
|
-
"
|
|
1329
|
-
"
|
|
1063
|
+
"Establish",
|
|
1064
|
+
"Maintain",
|
|
1065
|
+
"Documented Secure Configuration Process",
|
|
1066
|
+
"Review and update documentation",
|
|
1067
|
+
"Annually",
|
|
1068
|
+
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1330
1069
|
],
|
|
1331
1070
|
coreRequirements: [ // Green - The "what"
|
|
1332
|
-
"secure configuration process",
|
|
1333
|
-
"configuration
|
|
1334
|
-
"standardized configuration procedures",
|
|
1335
|
-
"configuration lifecycle management"
|
|
1071
|
+
"documented secure configuration process for enterprise assets",
|
|
1072
|
+
"documented secure configuration process for software"
|
|
1336
1073
|
],
|
|
1337
1074
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1338
|
-
"
|
|
1339
|
-
"
|
|
1340
|
-
"
|
|
1341
|
-
"
|
|
1342
|
-
"
|
|
1343
|
-
"
|
|
1344
|
-
"
|
|
1075
|
+
"Enterprise assets",
|
|
1076
|
+
"Software",
|
|
1077
|
+
"End-user devices",
|
|
1078
|
+
"Mobile",
|
|
1079
|
+
"Portable",
|
|
1080
|
+
"Non-computing/IoT devices",
|
|
1081
|
+
"Servers",
|
|
1082
|
+
"OS",
|
|
1083
|
+
"Applications"
|
|
1345
1084
|
],
|
|
1346
1085
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1347
|
-
"
|
|
1348
|
-
"
|
|
1349
|
-
"automated configuration systems",
|
|
1350
|
-
"compliance scanning tools",
|
|
1351
|
-
"baseline management systems"
|
|
1086
|
+
"Secure Configuration Policy / Process",
|
|
1087
|
+
"Configuration Management Tool"
|
|
1352
1088
|
],
|
|
1353
1089
|
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
|
|
1354
|
-
keywords: ["establish", "maintain", "secure", "configuration", "process", "enterprise", "assets", "software"]
|
|
1090
|
+
keywords: ["establish", "maintain", "documented", "secure", "configuration", "process", "enterprise", "assets", "software", "review", "update"]
|
|
1355
1091
|
},
|
|
1356
1092
|
"4.2": {
|
|
1357
1093
|
id: "4.2",
|
|
1358
1094
|
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
1359
|
-
description: "Establish and maintain a secure configuration process for network
|
|
1095
|
+
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1360
1096
|
implementationGroup: "IG1",
|
|
1361
|
-
assetType: ["network"],
|
|
1097
|
+
assetType: ["network devices"],
|
|
1362
1098
|
securityFunction: ["Govern"],
|
|
1363
1099
|
governanceElements: [ // Orange - MUST be met
|
|
1364
|
-
"
|
|
1365
|
-
"
|
|
1366
|
-
"
|
|
1367
|
-
"
|
|
1100
|
+
"Establish",
|
|
1101
|
+
"Maintain",
|
|
1102
|
+
"Documented Secure Network Configuration Process",
|
|
1103
|
+
"Review and update documentation",
|
|
1104
|
+
"Annually",
|
|
1105
|
+
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1368
1106
|
],
|
|
1369
1107
|
coreRequirements: [ // Green - The "what"
|
|
1370
|
-
"secure
|
|
1371
|
-
"network infrastructure management",
|
|
1372
|
-
"network security standards",
|
|
1373
|
-
"network configuration lifecycle"
|
|
1108
|
+
"documented secure configuration process for network devices"
|
|
1374
1109
|
],
|
|
1375
1110
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1376
|
-
"
|
|
1377
|
-
"routing configurations",
|
|
1378
|
-
"switching configurations",
|
|
1379
|
-
"firewall configurations",
|
|
1380
|
-
"wireless configurations",
|
|
1381
|
-
"network segmentation",
|
|
1382
|
-
"access control configurations"
|
|
1111
|
+
"Network devices"
|
|
1383
1112
|
],
|
|
1384
1113
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1385
|
-
"
|
|
1386
|
-
"
|
|
1387
|
-
"configuration templates",
|
|
1388
|
-
"network compliance scanners",
|
|
1389
|
-
"infrastructure as code"
|
|
1114
|
+
"Secure Configuration Policy / Process",
|
|
1115
|
+
"Configuration Management Tool"
|
|
1390
1116
|
],
|
|
1391
|
-
relatedSafeguards: ["1.1", "
|
|
1392
|
-
keywords: ["establish", "maintain", "secure", "configuration", "network", "infrastructure", "process"]
|
|
1117
|
+
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
|
|
1118
|
+
keywords: ["establish", "maintain", "documented", "secure", "configuration", "network", "infrastructure", "process", "devices"]
|
|
1393
1119
|
},
|
|
1394
1120
|
"4.3": {
|
|
1395
1121
|
id: "4.3",
|
|
1396
1122
|
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
1397
|
-
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity",
|
|
1123
|
+
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
1398
1124
|
implementationGroup: "IG1",
|
|
1399
1125
|
assetType: ["devices"],
|
|
1400
1126
|
securityFunction: ["Protect"],
|
|
1401
1127
|
governanceElements: [ // Orange - MUST be met
|
|
1402
|
-
"
|
|
1403
|
-
"
|
|
1404
|
-
"
|
|
1405
|
-
"session security policy"
|
|
1128
|
+
"Configure",
|
|
1129
|
+
"Period must not exceed for 15 Minutes",
|
|
1130
|
+
"Period must not exceed for 2 Minutes"
|
|
1406
1131
|
],
|
|
1407
1132
|
coreRequirements: [ // Green - The "what"
|
|
1408
|
-
"automatic session locking",
|
|
1409
|
-
"
|
|
1410
|
-
"
|
|
1411
|
-
"unauthorized access prevention"
|
|
1133
|
+
"automatic session locking on enterprise assets after a defined period of inactivity",
|
|
1134
|
+
"general purpose operating systems",
|
|
1135
|
+
"mobile end-user devices"
|
|
1412
1136
|
],
|
|
1413
1137
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1414
|
-
"
|
|
1415
|
-
"
|
|
1416
|
-
"
|
|
1417
|
-
"
|
|
1418
|
-
"server console locking",
|
|
1419
|
-
"application session timeouts",
|
|
1420
|
-
"idle session detection"
|
|
1138
|
+
"Automatic Session Locking",
|
|
1139
|
+
"Period of inactivity",
|
|
1140
|
+
"General Purpose OSs",
|
|
1141
|
+
"Mobile end-user devices"
|
|
1421
1142
|
],
|
|
1422
1143
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1423
|
-
"
|
|
1424
|
-
"mobile device management",
|
|
1425
|
-
"screen saver configurations",
|
|
1426
|
-
"application timeout settings",
|
|
1427
|
-
"automated locking mechanisms"
|
|
1144
|
+
"Configuration Management Tool"
|
|
1428
1145
|
],
|
|
1429
|
-
relatedSafeguards: ["
|
|
1430
|
-
keywords: ["configure", "automatic", "session", "locking", "enterprise", "assets", "inactivity", "
|
|
1146
|
+
relatedSafeguards: ["4.1"],
|
|
1147
|
+
keywords: ["configure", "automatic", "session", "locking", "enterprise", "assets", "inactivity", "period", "minutes", "mobile", "operating", "systems"]
|
|
1431
1148
|
},
|
|
1432
1149
|
"4.4": {
|
|
1433
1150
|
id: "4.4",
|
|
1434
1151
|
title: "Implement and Manage a Firewall on Servers",
|
|
1435
|
-
description: "Implement and manage a firewall on servers",
|
|
1152
|
+
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
1436
1153
|
implementationGroup: "IG1",
|
|
1437
1154
|
assetType: ["devices"],
|
|
1438
1155
|
securityFunction: ["Protect"],
|
|
1439
1156
|
governanceElements: [ // Orange - MUST be met
|
|
1440
|
-
"
|
|
1441
|
-
"
|
|
1442
|
-
"
|
|
1443
|
-
"firewall management governance"
|
|
1157
|
+
"Implement",
|
|
1158
|
+
"Manage",
|
|
1159
|
+
"Where Supported"
|
|
1444
1160
|
],
|
|
1445
1161
|
coreRequirements: [ // Green - The "what"
|
|
1446
|
-
"firewall
|
|
1447
|
-
"firewall management",
|
|
1448
|
-
"server protection",
|
|
1449
|
-
"network traffic filtering"
|
|
1162
|
+
"firewall on servers"
|
|
1450
1163
|
],
|
|
1451
1164
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1452
|
-
"
|
|
1453
|
-
"port access control",
|
|
1454
|
-
"protocol filtering",
|
|
1455
|
-
"traffic monitoring",
|
|
1456
|
-
"rule optimization",
|
|
1457
|
-
"logging configuration",
|
|
1458
|
-
"exception management"
|
|
1165
|
+
"Server Firewall"
|
|
1459
1166
|
],
|
|
1460
1167
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1461
|
-
"
|
|
1462
|
-
"
|
|
1463
|
-
"
|
|
1464
|
-
"
|
|
1465
|
-
"
|
|
1168
|
+
"Virtual Firewall",
|
|
1169
|
+
"OS Firewall",
|
|
1170
|
+
"Third Party Firewall",
|
|
1171
|
+
"Firewall",
|
|
1172
|
+
"Configuration Management Tool"
|
|
1466
1173
|
],
|
|
1467
|
-
relatedSafeguards: ["
|
|
1468
|
-
keywords: ["implement", "manage", "firewall", "servers", "
|
|
1174
|
+
relatedSafeguards: ["4.1"],
|
|
1175
|
+
keywords: ["implement", "manage", "firewall", "servers", "virtual", "operating", "system", "third-party", "agent"]
|
|
1469
1176
|
},
|
|
1470
1177
|
"4.5": {
|
|
1471
1178
|
id: "4.5",
|
|
1472
1179
|
title: "Implement and Manage a Firewall on End-User Devices",
|
|
1473
|
-
description: "Implement and manage a firewall on end-user devices",
|
|
1180
|
+
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
1474
1181
|
implementationGroup: "IG1",
|
|
1475
1182
|
assetType: ["devices"],
|
|
1476
1183
|
securityFunction: ["Protect"],
|
|
1477
1184
|
governanceElements: [ // Orange - MUST be met
|
|
1478
|
-
"
|
|
1479
|
-
"
|
|
1480
|
-
"
|
|
1481
|
-
"
|
|
1185
|
+
"Implement",
|
|
1186
|
+
"Manage",
|
|
1187
|
+
"Default deny rule that drops all traffic",
|
|
1188
|
+
"Except Explicitly Allowed"
|
|
1482
1189
|
],
|
|
1483
1190
|
coreRequirements: [ // Green - The "what"
|
|
1484
|
-
"firewall
|
|
1485
|
-
"firewall management",
|
|
1486
|
-
"end-user device protection",
|
|
1487
|
-
"personal firewall deployment"
|
|
1191
|
+
"host-based firewall or port-filtering tool on end-user devices"
|
|
1488
1192
|
],
|
|
1489
1193
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1490
|
-
"
|
|
1491
|
-
"
|
|
1492
|
-
"
|
|
1493
|
-
"
|
|
1494
|
-
"
|
|
1495
|
-
"exception handling",
|
|
1496
|
-
"centralized management"
|
|
1194
|
+
"Host-based Firewall",
|
|
1195
|
+
"Port Filtering Tool",
|
|
1196
|
+
"End User Devices",
|
|
1197
|
+
"Services",
|
|
1198
|
+
"Ports"
|
|
1497
1199
|
],
|
|
1498
1200
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1499
|
-
"
|
|
1500
|
-
"
|
|
1501
|
-
"third-party endpoint firewalls",
|
|
1502
|
-
"mobile device management",
|
|
1503
|
-
"centralized firewall management"
|
|
1201
|
+
"Firewall",
|
|
1202
|
+
"Configuration Management Tool"
|
|
1504
1203
|
],
|
|
1505
|
-
relatedSafeguards: ["
|
|
1506
|
-
keywords: ["implement", "manage", "firewall", "end-user", "devices", "
|
|
1204
|
+
relatedSafeguards: ["4.1"],
|
|
1205
|
+
keywords: ["implement", "manage", "host-based", "firewall", "port-filtering", "end-user", "devices", "default-deny", "explicitly", "allowed"]
|
|
1507
1206
|
},
|
|
1508
1207
|
"4.6": {
|
|
1509
1208
|
id: "4.6",
|
|
1510
1209
|
title: "Securely Manage Enterprise Assets and Software",
|
|
1511
|
-
description: "Securely manage enterprise assets and software",
|
|
1512
|
-
implementationGroup: "
|
|
1210
|
+
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
1211
|
+
implementationGroup: "IG1",
|
|
1513
1212
|
assetType: ["devices", "applications"],
|
|
1514
1213
|
securityFunction: ["Protect"],
|
|
1515
1214
|
governanceElements: [ // Orange - MUST be met
|
|
1516
|
-
"
|
|
1517
|
-
"
|
|
1518
|
-
"secure management practices",
|
|
1519
|
-
"asset and software governance"
|
|
1215
|
+
"Do not use insecure management protocols",
|
|
1216
|
+
"Unless operationally essential"
|
|
1520
1217
|
],
|
|
1521
1218
|
coreRequirements: [ // Green - The "what"
|
|
1522
|
-
"
|
|
1523
|
-
"secure software management",
|
|
1524
|
-
"management security controls",
|
|
1525
|
-
"administrative access protection"
|
|
1219
|
+
"Securely manage enterprise assets and software"
|
|
1526
1220
|
],
|
|
1527
1221
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1528
|
-
"
|
|
1529
|
-
"privileged account management",
|
|
1530
|
-
"secure remote management",
|
|
1531
|
-
"management interface protection",
|
|
1532
|
-
"configuration change controls",
|
|
1533
|
-
"management tool security",
|
|
1534
|
-
"secure maintenance procedures"
|
|
1222
|
+
"Securely manage enterprise assets and software"
|
|
1535
1223
|
],
|
|
1536
1224
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1537
|
-
"
|
|
1538
|
-
"secure
|
|
1539
|
-
"
|
|
1540
|
-
"
|
|
1541
|
-
"
|
|
1225
|
+
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
1226
|
+
"Accessing administrative interfaces over secure network protocols",
|
|
1227
|
+
"SSH",
|
|
1228
|
+
"HTTPS",
|
|
1229
|
+
"Telnet (Teletype Network)",
|
|
1230
|
+
"HTTP",
|
|
1231
|
+
"Configuration Management Tool"
|
|
1542
1232
|
],
|
|
1543
|
-
relatedSafeguards: ["
|
|
1544
|
-
keywords: ["securely", "manage", "enterprise", "assets", "software", "administrative", "
|
|
1233
|
+
relatedSafeguards: ["4.1", "12.3"],
|
|
1234
|
+
keywords: ["securely", "manage", "enterprise", "assets", "software", "infrastructure-as-code", "administrative", "interfaces", "SSH", "HTTPS", "protocols"]
|
|
1545
1235
|
},
|
|
1546
1236
|
"4.7": {
|
|
1547
1237
|
id: "4.7",
|
|
1548
1238
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
1549
|
-
description: "Manage default accounts on enterprise assets and software",
|
|
1550
|
-
implementationGroup: "
|
|
1551
|
-
assetType: ["devices", "applications"],
|
|
1239
|
+
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
1240
|
+
implementationGroup: "IG1",
|
|
1241
|
+
assetType: ["devices", "applications", "users"],
|
|
1552
1242
|
securityFunction: ["Protect"],
|
|
1553
1243
|
governanceElements: [ // Orange - MUST be met
|
|
1554
|
-
"
|
|
1555
|
-
"enterprise assets coverage",
|
|
1556
|
-
"software coverage",
|
|
1557
|
-
"default account governance"
|
|
1244
|
+
"Manage"
|
|
1558
1245
|
],
|
|
1559
1246
|
coreRequirements: [ // Green - The "what"
|
|
1560
|
-
"default
|
|
1561
|
-
"account security controls",
|
|
1562
|
-
"default credential elimination",
|
|
1563
|
-
"account hardening"
|
|
1247
|
+
"default accounts on enterprise assets and software"
|
|
1564
1248
|
],
|
|
1565
1249
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1566
|
-
"
|
|
1567
|
-
"
|
|
1568
|
-
"
|
|
1569
|
-
"
|
|
1570
|
-
"
|
|
1571
|
-
"
|
|
1572
|
-
"credential strength requirements"
|
|
1250
|
+
"Default accounts",
|
|
1251
|
+
"Enterprise assets",
|
|
1252
|
+
"Software",
|
|
1253
|
+
"Root",
|
|
1254
|
+
"Administrator",
|
|
1255
|
+
"Other pre-configured vendor accounts"
|
|
1573
1256
|
],
|
|
1574
1257
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1575
|
-
"
|
|
1576
|
-
"
|
|
1577
|
-
"
|
|
1578
|
-
"automated account hardening",
|
|
1579
|
-
"vulnerability scanners"
|
|
1258
|
+
"Disabling",
|
|
1259
|
+
"Unusable",
|
|
1260
|
+
"Configuration Management Tool"
|
|
1580
1261
|
],
|
|
1581
|
-
relatedSafeguards: ["
|
|
1582
|
-
keywords: ["manage", "default", "accounts", "enterprise", "assets", "software", "
|
|
1262
|
+
relatedSafeguards: ["4.1"],
|
|
1263
|
+
keywords: ["manage", "default", "accounts", "enterprise", "assets", "software", "root", "administrator", "pre-configured", "vendor", "disabling", "unusable"]
|
|
1583
1264
|
},
|
|
1584
1265
|
"4.8": {
|
|
1585
1266
|
id: "4.8",
|
|
1586
1267
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
1587
|
-
description: "Uninstall or disable unnecessary services on enterprise assets and software",
|
|
1268
|
+
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
1588
1269
|
implementationGroup: "IG2",
|
|
1589
1270
|
assetType: ["devices", "applications"],
|
|
1590
1271
|
securityFunction: ["Protect"],
|
|
1591
1272
|
governanceElements: [ // Orange - MUST be met
|
|
1592
|
-
"
|
|
1593
|
-
"
|
|
1594
|
-
"enterprise assets coverage",
|
|
1595
|
-
"service minimization governance"
|
|
1273
|
+
"Uninstall",
|
|
1274
|
+
"Disable"
|
|
1596
1275
|
],
|
|
1597
1276
|
coreRequirements: [ // Green - The "what"
|
|
1598
|
-
"unnecessary
|
|
1599
|
-
"service disabling",
|
|
1600
|
-
"attack surface reduction",
|
|
1601
|
-
"minimal service deployment"
|
|
1277
|
+
"unnecessary services on enterprise assets and software"
|
|
1602
1278
|
],
|
|
1603
1279
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1604
|
-
"
|
|
1605
|
-
"
|
|
1606
|
-
"
|
|
1607
|
-
"
|
|
1608
|
-
"
|
|
1609
|
-
"
|
|
1610
|
-
"service hardening"
|
|
1280
|
+
"Unnecessary Services",
|
|
1281
|
+
"Enterprise assets",
|
|
1282
|
+
"Software",
|
|
1283
|
+
"Unused file sharing service",
|
|
1284
|
+
"Web application module",
|
|
1285
|
+
"Service function"
|
|
1611
1286
|
],
|
|
1612
1287
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1613
|
-
"
|
|
1614
|
-
"port scanning tools",
|
|
1615
|
-
"configuration baselines",
|
|
1616
|
-
"system hardening guides",
|
|
1617
|
-
"automated service management"
|
|
1288
|
+
"Configuration Management Tool"
|
|
1618
1289
|
],
|
|
1619
|
-
relatedSafeguards: ["
|
|
1620
|
-
keywords: ["uninstall", "disable", "unnecessary", "services", "enterprise", "assets", "
|
|
1290
|
+
relatedSafeguards: ["4.1"],
|
|
1291
|
+
keywords: ["uninstall", "disable", "unnecessary", "services", "enterprise", "assets", "software", "unused", "file", "sharing", "web", "application", "module", "function"]
|
|
1621
1292
|
},
|
|
1622
1293
|
"4.9": {
|
|
1623
1294
|
id: "4.9",
|
|
1624
1295
|
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
1625
|
-
description: "Configure trusted DNS servers on enterprise assets",
|
|
1296
|
+
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
1626
1297
|
implementationGroup: "IG2",
|
|
1627
1298
|
assetType: ["devices"],
|
|
1628
1299
|
securityFunction: ["Protect"],
|
|
1629
1300
|
governanceElements: [ // Orange - MUST be met
|
|
1630
|
-
"
|
|
1631
|
-
"enterprise assets coverage",
|
|
1632
|
-
"DNS security requirement",
|
|
1633
|
-
"trusted DNS governance"
|
|
1301
|
+
"Configure"
|
|
1634
1302
|
],
|
|
1635
1303
|
coreRequirements: [ // Green - The "what"
|
|
1636
|
-
"trusted DNS
|
|
1637
|
-
"DNS security controls",
|
|
1638
|
-
"secure name resolution",
|
|
1639
|
-
"DNS poisoning prevention"
|
|
1304
|
+
"trusted DNS servers on enterprise assets"
|
|
1640
1305
|
],
|
|
1641
1306
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1642
|
-
"DNS
|
|
1643
|
-
"
|
|
1644
|
-
"malicious domain blocking",
|
|
1645
|
-
"DNS over HTTPS configuration",
|
|
1646
|
-
"DNS over TLS configuration",
|
|
1647
|
-
"internal DNS management",
|
|
1648
|
-
"DNS monitoring"
|
|
1307
|
+
"Trusted DNS Servers",
|
|
1308
|
+
"Enterprise assets"
|
|
1649
1309
|
],
|
|
1650
1310
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1651
|
-
"
|
|
1652
|
-
"DNS
|
|
1653
|
-
"
|
|
1654
|
-
"DNS security tools",
|
|
1655
|
-
"network-level DNS controls"
|
|
1311
|
+
"Configuring assets to use enterprise-controlled DNS servers",
|
|
1312
|
+
"Reputable externally accessible DNS servers",
|
|
1313
|
+
"Configuration Management Tool"
|
|
1656
1314
|
],
|
|
1657
|
-
relatedSafeguards: ["
|
|
1658
|
-
keywords: ["configure", "trusted", "DNS", "servers", "enterprise", "assets", "
|
|
1315
|
+
relatedSafeguards: ["4.1", "8.6", "9.2"],
|
|
1316
|
+
keywords: ["configure", "trusted", "DNS", "servers", "enterprise", "assets", "enterprise-controlled", "reputable", "externally", "accessible"]
|
|
1659
1317
|
},
|
|
1660
1318
|
"4.10": {
|
|
1661
1319
|
id: "4.10",
|
|
1662
1320
|
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
1663
|
-
description: "Enforce automatic device lockout on portable end-user devices",
|
|
1321
|
+
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
1664
1322
|
implementationGroup: "IG2",
|
|
1665
1323
|
assetType: ["devices"],
|
|
1666
1324
|
securityFunction: ["Protect"],
|
|
1667
1325
|
governanceElements: [ // Orange - MUST be met
|
|
1668
|
-
"
|
|
1669
|
-
"
|
|
1670
|
-
"
|
|
1671
|
-
"
|
|
1326
|
+
"Enforce",
|
|
1327
|
+
"Where supported",
|
|
1328
|
+
"Do not allow more than 20 Failed Authentication Attempts",
|
|
1329
|
+
"No more than 10 Failed Authentication Attempts"
|
|
1672
1330
|
],
|
|
1673
1331
|
coreRequirements: [ // Green - The "what"
|
|
1674
|
-
"automatic device lockout"
|
|
1675
|
-
"portable device protection",
|
|
1676
|
-
"unauthorized access prevention",
|
|
1677
|
-
"device lock enforcement"
|
|
1332
|
+
"automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices"
|
|
1678
1333
|
],
|
|
1679
1334
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1680
|
-
"
|
|
1681
|
-
"
|
|
1682
|
-
"
|
|
1683
|
-
"
|
|
1684
|
-
"
|
|
1685
|
-
"failed attempt thresholds",
|
|
1686
|
-
"lockout duration settings"
|
|
1335
|
+
"Automatic Device Lockout",
|
|
1336
|
+
"Predetermined threshold of local failed authentication attempts",
|
|
1337
|
+
"Portable end-user devices",
|
|
1338
|
+
"Laptops",
|
|
1339
|
+
"Tablets and smartphones"
|
|
1687
1340
|
],
|
|
1688
1341
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1689
|
-
"
|
|
1690
|
-
"
|
|
1691
|
-
"
|
|
1692
|
-
"automated lockout systems",
|
|
1693
|
-
"device compliance tools"
|
|
1342
|
+
"Microsoft® InTune Device Lock",
|
|
1343
|
+
"Apple® Configuration Profile maxFailedAttempts",
|
|
1344
|
+
"Configuration Management Tool"
|
|
1694
1345
|
],
|
|
1695
|
-
relatedSafeguards: ["
|
|
1696
|
-
keywords: ["enforce", "automatic", "device", "lockout", "portable", "end-user", "devices", "
|
|
1346
|
+
relatedSafeguards: ["4.1"],
|
|
1347
|
+
keywords: ["enforce", "automatic", "device", "lockout", "portable", "end-user", "devices", "failed", "authentication", "attempts", "laptops", "tablets", "smartphones", "InTune", "Apple"]
|
|
1697
1348
|
},
|
|
1698
1349
|
"4.11": {
|
|
1699
1350
|
id: "4.11",
|
|
1700
1351
|
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
1701
|
-
description: "
|
|
1352
|
+
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
1702
1353
|
implementationGroup: "IG2",
|
|
1703
1354
|
assetType: ["devices"],
|
|
1704
1355
|
securityFunction: ["Protect"],
|
|
1705
1356
|
governanceElements: [ // Orange - MUST be met
|
|
1706
|
-
"
|
|
1707
|
-
"portable end-user devices",
|
|
1708
|
-
"remote wipe governance",
|
|
1709
|
-
"device data protection policy"
|
|
1357
|
+
"When deemed appropriate"
|
|
1710
1358
|
],
|
|
1711
1359
|
coreRequirements: [ // Green - The "what"
|
|
1712
|
-
"
|
|
1713
|
-
"portable device data protection",
|
|
1714
|
-
"emergency data removal",
|
|
1715
|
-
"lost device security"
|
|
1360
|
+
"Remotely wipe enterprise data from enterprise-owned portable end-user devices"
|
|
1716
1361
|
],
|
|
1717
1362
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1718
|
-
"
|
|
1719
|
-
"
|
|
1720
|
-
"
|
|
1721
|
-
"
|
|
1722
|
-
"
|
|
1723
|
-
"wipe trigger mechanisms",
|
|
1724
|
-
"wipe verification"
|
|
1363
|
+
"Remotely Wipe enterprise data",
|
|
1364
|
+
"Portable end-user devices",
|
|
1365
|
+
"Lost devices",
|
|
1366
|
+
"Stolen devices",
|
|
1367
|
+
"When an individual no longer supports the enterprise"
|
|
1725
1368
|
],
|
|
1726
1369
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1727
|
-
"
|
|
1728
|
-
"remote wipe solutions",
|
|
1729
|
-
"cloud-based device management",
|
|
1730
|
-
"enterprise mobility management",
|
|
1731
|
-
"device tracking systems"
|
|
1370
|
+
"Configuration Management Tool"
|
|
1732
1371
|
],
|
|
1733
|
-
relatedSafeguards: ["
|
|
1734
|
-
keywords: ["
|
|
1372
|
+
relatedSafeguards: ["4.1"],
|
|
1373
|
+
keywords: ["remotely", "wipe", "enterprise", "data", "enterprise-owned", "portable", "end-user", "devices", "lost", "stolen", "individual", "no", "longer", "supports"]
|
|
1735
1374
|
},
|
|
1736
1375
|
"4.12": {
|
|
1737
1376
|
id: "4.12",
|
|
1738
|
-
title: "Separate Enterprise
|
|
1739
|
-
description: "
|
|
1377
|
+
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
1378
|
+
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
1740
1379
|
implementationGroup: "IG3",
|
|
1741
|
-
assetType: ["
|
|
1380
|
+
assetType: ["devices", "data"],
|
|
1742
1381
|
securityFunction: ["Protect"],
|
|
1743
1382
|
governanceElements: [ // Orange - MUST be met
|
|
1744
|
-
"
|
|
1745
|
-
"
|
|
1746
|
-
"network separation requirement",
|
|
1747
|
-
"workload isolation governance"
|
|
1383
|
+
"Ensure",
|
|
1384
|
+
"Where Supported"
|
|
1748
1385
|
],
|
|
1749
1386
|
coreRequirements: [ // Green - The "what"
|
|
1750
|
-
"enterprise
|
|
1751
|
-
"untrusted network isolation",
|
|
1752
|
-
"network boundary controls",
|
|
1753
|
-
"secure network architecture"
|
|
1387
|
+
"separate enterprise workspaces are used on mobile end-user devices"
|
|
1754
1388
|
],
|
|
1755
1389
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1756
|
-
"
|
|
1757
|
-
"
|
|
1758
|
-
"
|
|
1759
|
-
"
|
|
1760
|
-
"
|
|
1761
|
-
"
|
|
1762
|
-
"network access controls"
|
|
1390
|
+
"Separate enterprise workspaces",
|
|
1391
|
+
"On Mobile Devices",
|
|
1392
|
+
"Enterprise Applications",
|
|
1393
|
+
"Enterprise Data",
|
|
1394
|
+
"Personal Applications",
|
|
1395
|
+
"Personal Data"
|
|
1763
1396
|
],
|
|
1764
1397
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1765
|
-
"
|
|
1766
|
-
"
|
|
1767
|
-
"
|
|
1768
|
-
"network access control systems",
|
|
1769
|
-
"micro-segmentation platforms"
|
|
1398
|
+
"Apple® Configuration Profile",
|
|
1399
|
+
"AndroidTM Work Profile",
|
|
1400
|
+
"Configuration Management Tool"
|
|
1770
1401
|
],
|
|
1771
|
-
relatedSafeguards: ["4.1"
|
|
1772
|
-
keywords: ["separate", "enterprise", "
|
|
1402
|
+
relatedSafeguards: ["4.1"],
|
|
1403
|
+
keywords: ["separate", "enterprise", "workspaces", "mobile", "end-user", "devices", "Apple", "Configuration", "Profile", "Android", "Work", "Profile", "applications", "data", "personal"]
|
|
1773
1404
|
},
|
|
1774
1405
|
"5.2": {
|
|
1775
1406
|
id: "5.2",
|
|
1776
1407
|
title: "Use Unique Passwords",
|
|
1777
|
-
description: "Use unique passwords for all enterprise assets",
|
|
1408
|
+
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
1778
1409
|
implementationGroup: "IG1",
|
|
1779
1410
|
assetType: ["users"],
|
|
1780
1411
|
securityFunction: ["Protect"],
|
|
1781
1412
|
governanceElements: [ // Orange - MUST be met
|
|
1782
|
-
"
|
|
1783
|
-
"
|
|
1784
|
-
"password uniqueness requirement",
|
|
1785
|
-
"password governance policy"
|
|
1413
|
+
"Use unique passwords for all enterprise assets",
|
|
1414
|
+
"Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
|
|
1786
1415
|
],
|
|
1787
1416
|
coreRequirements: [ // Green - The "what"
|
|
1788
|
-
"
|
|
1789
|
-
"password uniqueness enforcement",
|
|
1790
|
-
"no password reuse",
|
|
1791
|
-
"distinct credentials"
|
|
1417
|
+
"Unique Passwords"
|
|
1792
1418
|
],
|
|
1793
1419
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1794
|
-
"
|
|
1795
|
-
"
|
|
1796
|
-
"
|
|
1797
|
-
"
|
|
1798
|
-
"
|
|
1799
|
-
"system account passwords",
|
|
1800
|
-
"password strength validation"
|
|
1420
|
+
"Use",
|
|
1421
|
+
"At a minimum",
|
|
1422
|
+
"All Enterprise Assets",
|
|
1423
|
+
"8-character password for accounts using MFA",
|
|
1424
|
+
"14-character password for accounts not using MFA"
|
|
1801
1425
|
],
|
|
1802
1426
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1803
|
-
"
|
|
1804
|
-
"
|
|
1805
|
-
"active directory policies",
|
|
1806
|
-
"password generators",
|
|
1807
|
-
"credential vaults"
|
|
1427
|
+
"Account and Access Control Management",
|
|
1428
|
+
"Password Management Tool"
|
|
1808
1429
|
],
|
|
1809
|
-
relatedSafeguards: ["5.1"
|
|
1810
|
-
keywords: ["unique", "passwords", "enterprise", "assets", "
|
|
1430
|
+
relatedSafeguards: ["5.1"],
|
|
1431
|
+
keywords: ["use", "unique", "passwords", "enterprise", "assets", "8-character", "14-character", "MFA", "minimum"]
|
|
1811
1432
|
},
|
|
1812
1433
|
"5.3": {
|
|
1813
1434
|
id: "5.3",
|
|
1814
1435
|
title: "Disable Dormant Accounts",
|
|
1815
|
-
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity",
|
|
1436
|
+
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
1816
1437
|
implementationGroup: "IG1",
|
|
1817
1438
|
assetType: ["users"],
|
|
1818
1439
|
securityFunction: ["Protect"],
|
|
1819
1440
|
governanceElements: [ // Orange - MUST be met
|
|
1820
|
-
"
|
|
1821
|
-
"45 days inactivity period",
|
|
1822
|
-
"dormant account management",
|
|
1823
|
-
"account lifecycle governance"
|
|
1441
|
+
"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
|
|
1824
1442
|
],
|
|
1825
1443
|
coreRequirements: [ // Green - The "what"
|
|
1826
|
-
"
|
|
1827
|
-
"account deletion or disabling",
|
|
1828
|
-
"inactivity period monitoring",
|
|
1829
|
-
"automated account management"
|
|
1444
|
+
"Dormant Accounts"
|
|
1830
1445
|
],
|
|
1831
1446
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1832
|
-
"
|
|
1833
|
-
"
|
|
1834
|
-
"
|
|
1835
|
-
"
|
|
1836
|
-
"deactivation procedures",
|
|
1837
|
-
"account archival processes",
|
|
1838
|
-
"reactivation workflows"
|
|
1447
|
+
"Disable",
|
|
1448
|
+
"Delete",
|
|
1449
|
+
"Period of 45 days of inactivity",
|
|
1450
|
+
"Where Supported"
|
|
1839
1451
|
],
|
|
1840
1452
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1841
|
-
"
|
|
1842
|
-
"
|
|
1843
|
-
"activity monitoring solutions",
|
|
1844
|
-
"account governance platforms",
|
|
1845
|
-
"directory service automation"
|
|
1453
|
+
"Account and Access Control Management",
|
|
1454
|
+
"Identity and Access Management Tool"
|
|
1846
1455
|
],
|
|
1847
|
-
relatedSafeguards: ["5.1"
|
|
1848
|
-
keywords: ["disable", "dormant", "accounts", "45", "days", "inactivity", "
|
|
1456
|
+
relatedSafeguards: ["5.1"],
|
|
1457
|
+
keywords: ["delete", "disable", "dormant", "accounts", "45", "days", "inactivity", "supported"]
|
|
1849
1458
|
},
|
|
1850
1459
|
"5.4": {
|
|
1851
1460
|
id: "5.4",
|
|
1852
1461
|
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
1853
|
-
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
|
|
1462
|
+
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
1854
1463
|
implementationGroup: "IG1",
|
|
1855
1464
|
assetType: ["users"],
|
|
1856
1465
|
securityFunction: ["Protect"],
|
|
1857
1466
|
governanceElements: [ // Orange - MUST be met
|
|
1858
|
-
"
|
|
1859
|
-
"
|
|
1860
|
-
"enterprise assets coverage",
|
|
1861
|
-
"privilege separation governance"
|
|
1467
|
+
"Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
|
|
1468
|
+
"Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account"
|
|
1862
1469
|
],
|
|
1863
1470
|
coreRequirements: [ // Green - The "what"
|
|
1864
|
-
"
|
|
1865
|
-
"
|
|
1866
|
-
"privilege separation",
|
|
1867
|
-
"role-based access control"
|
|
1471
|
+
"Administrator Privileges",
|
|
1472
|
+
"Dedicated Admin Accounts"
|
|
1868
1473
|
],
|
|
1869
1474
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1870
|
-
"
|
|
1871
|
-
"
|
|
1872
|
-
"
|
|
1873
|
-
"
|
|
1874
|
-
"admin account monitoring",
|
|
1875
|
-
"privileged access workflows",
|
|
1876
|
-
"least privilege enforcement"
|
|
1475
|
+
"Restrict",
|
|
1476
|
+
"Enterprise assets",
|
|
1477
|
+
"User's primary, non-privileged account",
|
|
1478
|
+
"General Computing Activities"
|
|
1877
1479
|
],
|
|
1878
1480
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1879
|
-
"
|
|
1880
|
-
"
|
|
1881
|
-
"
|
|
1882
|
-
"
|
|
1883
|
-
"
|
|
1481
|
+
"Account and Access Control Management",
|
|
1482
|
+
"Identity and Access Management Tool",
|
|
1483
|
+
"Such as",
|
|
1484
|
+
"Internet browsing",
|
|
1485
|
+
"Email",
|
|
1486
|
+
"Productivity suite use"
|
|
1884
1487
|
],
|
|
1885
|
-
relatedSafeguards: ["4.
|
|
1886
|
-
keywords: ["restrict", "administrator", "privileges", "dedicated", "accounts", "enterprise", "assets", "
|
|
1488
|
+
relatedSafeguards: ["4.1", "5.1"],
|
|
1489
|
+
keywords: ["restrict", "administrator", "privileges", "dedicated", "accounts", "enterprise", "assets", "general", "computing", "browsing", "email", "productivity"]
|
|
1887
1490
|
},
|
|
1888
1491
|
"5.5": {
|
|
1889
1492
|
id: "5.5",
|
|
1890
1493
|
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
1891
|
-
description: "Establish and maintain an inventory of service accounts",
|
|
1494
|
+
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
1892
1495
|
implementationGroup: "IG2",
|
|
1893
1496
|
assetType: ["users"],
|
|
1894
1497
|
securityFunction: ["Identify"],
|
|
1895
1498
|
governanceElements: [ // Orange - MUST be met
|
|
1896
|
-
"
|
|
1897
|
-
"
|
|
1898
|
-
"service account
|
|
1899
|
-
"inventory management requirements"
|
|
1499
|
+
"Establish and maintain an inventory of service accounts",
|
|
1500
|
+
"The inventory, at a minimum, must contain department owner, review date, and purpose",
|
|
1501
|
+
"Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
|
|
1900
1502
|
],
|
|
1901
1503
|
coreRequirements: [ // Green - The "what"
|
|
1902
|
-
"
|
|
1903
|
-
"service account identification",
|
|
1904
|
-
"account classification",
|
|
1905
|
-
"service account tracking"
|
|
1504
|
+
"Inventory of Service Accounts"
|
|
1906
1505
|
],
|
|
1907
1506
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1908
|
-
"
|
|
1909
|
-
"
|
|
1910
|
-
"
|
|
1911
|
-
"account
|
|
1912
|
-
"
|
|
1913
|
-
"
|
|
1914
|
-
"
|
|
1507
|
+
"Establish",
|
|
1508
|
+
"Maintain",
|
|
1509
|
+
"At a Minimum Must Contain",
|
|
1510
|
+
"Perform service account reviews to validate that all active accounts are authorized",
|
|
1511
|
+
"On a recurring schedule",
|
|
1512
|
+
"Department Owner",
|
|
1513
|
+
"Review date",
|
|
1514
|
+
"Purpose",
|
|
1515
|
+
"At a minimum quarterly",
|
|
1516
|
+
"More frequently",
|
|
1517
|
+
"Or"
|
|
1915
1518
|
],
|
|
1916
1519
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1917
|
-
"
|
|
1918
|
-
"
|
|
1919
|
-
"account inventory systems",
|
|
1920
|
-
"automated discovery agents",
|
|
1921
|
-
"credential scanning tools"
|
|
1520
|
+
"Account and Access Control Management",
|
|
1521
|
+
"Identity and Access Management Tool"
|
|
1922
1522
|
],
|
|
1923
|
-
relatedSafeguards: ["
|
|
1924
|
-
keywords: ["establish", "maintain", "inventory", "service", "accounts", "
|
|
1523
|
+
relatedSafeguards: ["5.1"],
|
|
1524
|
+
keywords: ["establish", "maintain", "inventory", "service", "accounts", "department", "owner", "review", "date", "purpose", "quarterly", "validate", "authorized"]
|
|
1925
1525
|
},
|
|
1926
1526
|
"5.6": {
|
|
1927
1527
|
id: "5.6",
|
|
1928
1528
|
title: "Centralize Account Management",
|
|
1929
|
-
description: "Centralize account management through a directory
|
|
1529
|
+
description: "Centralize account management through a directory or identity service.",
|
|
1930
1530
|
implementationGroup: "IG2",
|
|
1931
1531
|
assetType: ["users"],
|
|
1932
|
-
securityFunction: ["
|
|
1532
|
+
securityFunction: ["Govern"],
|
|
1933
1533
|
governanceElements: [ // Orange - MUST be met
|
|
1934
|
-
"
|
|
1935
|
-
"directory service or identity provider",
|
|
1936
|
-
"centralized management requirement",
|
|
1937
|
-
"identity governance"
|
|
1534
|
+
"Centralize account management through a directory or identity service"
|
|
1938
1535
|
],
|
|
1939
1536
|
coreRequirements: [ // Green - The "what"
|
|
1940
|
-
"
|
|
1941
|
-
"directory service integration",
|
|
1942
|
-
"identity provider deployment",
|
|
1943
|
-
"unified account control"
|
|
1537
|
+
"Account Management"
|
|
1944
1538
|
],
|
|
1945
1539
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1946
|
-
"
|
|
1947
|
-
"
|
|
1948
|
-
"
|
|
1949
|
-
"
|
|
1950
|
-
"account provisioning automation",
|
|
1951
|
-
"centralized authentication",
|
|
1952
|
-
"identity synchronization"
|
|
1540
|
+
"Centralize",
|
|
1541
|
+
"Directory Service",
|
|
1542
|
+
"Identity Service",
|
|
1543
|
+
"Or"
|
|
1953
1544
|
],
|
|
1954
1545
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1955
|
-
"
|
|
1956
|
-
"
|
|
1957
|
-
"cloud identity providers",
|
|
1958
|
-
"identity management platforms",
|
|
1959
|
-
"federation services"
|
|
1546
|
+
"Account and Access Control Management",
|
|
1547
|
+
"Identity and Access Management Tool"
|
|
1960
1548
|
],
|
|
1961
|
-
relatedSafeguards: ["5.1", "
|
|
1962
|
-
keywords: ["centralize", "account", "management", "directory", "service", "identity"
|
|
1549
|
+
relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"],
|
|
1550
|
+
keywords: ["centralize", "account", "management", "directory", "service", "identity"]
|
|
1963
1551
|
},
|
|
1964
1552
|
"6.1": {
|
|
1965
1553
|
id: "6.1",
|
|
1966
1554
|
title: "Establish an Access Granting Process",
|
|
1967
|
-
description: "Establish and follow a process for granting access to enterprise assets upon new hire
|
|
1555
|
+
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
1968
1556
|
implementationGroup: "IG1",
|
|
1969
1557
|
assetType: ["users"],
|
|
1970
|
-
securityFunction: ["
|
|
1558
|
+
securityFunction: ["Govern"],
|
|
1971
1559
|
governanceElements: [ // Orange - MUST be met
|
|
1972
|
-
"
|
|
1973
|
-
"
|
|
1974
|
-
"
|
|
1975
|
-
"
|
|
1560
|
+
"Establish",
|
|
1561
|
+
"Follow",
|
|
1562
|
+
"Account and Access Control Management",
|
|
1563
|
+
"Account and Credential Management Policy/Process",
|
|
1564
|
+
"Documentation"
|
|
1976
1565
|
],
|
|
1977
1566
|
coreRequirements: [ // Green - The "what"
|
|
1978
|
-
"
|
|
1979
|
-
"
|
|
1980
|
-
"promotion access updates",
|
|
1981
|
-
"role change access management"
|
|
1567
|
+
"documented process",
|
|
1568
|
+
"granting access to enterprise assets"
|
|
1982
1569
|
],
|
|
1983
1570
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1984
|
-
"
|
|
1985
|
-
"
|
|
1986
|
-
"role
|
|
1987
|
-
"
|
|
1988
|
-
"
|
|
1989
|
-
"
|
|
1990
|
-
"approval audit trails"
|
|
1571
|
+
"preferably automated",
|
|
1572
|
+
"upon new hire",
|
|
1573
|
+
"role change of a user",
|
|
1574
|
+
"New Hire",
|
|
1575
|
+
"Role Change",
|
|
1576
|
+
"Enterprise assets"
|
|
1991
1577
|
],
|
|
1992
1578
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1993
|
-
"
|
|
1994
|
-
"
|
|
1995
|
-
"workflow automation tools",
|
|
1996
|
-
"role-based provisioning systems",
|
|
1997
|
-
"approval workflow tools"
|
|
1579
|
+
"Account and Access Control Management",
|
|
1580
|
+
"Account and Credential Management Policy/Process"
|
|
1998
1581
|
],
|
|
1999
|
-
relatedSafeguards: ["5.1", "
|
|
2000
|
-
keywords: ["establish", "
|
|
1582
|
+
relatedSafeguards: ["5.1", "6.7", "6.8"],
|
|
1583
|
+
keywords: ["establish", "follow", "documented", "process", "automated", "granting", "access", "enterprise", "assets", "new", "hire", "role", "change"]
|
|
2001
1584
|
},
|
|
2002
1585
|
"6.2": {
|
|
2003
1586
|
id: "6.2",
|
|
2004
1587
|
title: "Establish an Access Revoking Process",
|
|
2005
|
-
description: "Establish and follow a process for revoking access to enterprise assets upon termination,
|
|
1588
|
+
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
2006
1589
|
implementationGroup: "IG1",
|
|
2007
1590
|
assetType: ["users"],
|
|
2008
|
-
securityFunction: ["
|
|
1591
|
+
securityFunction: ["Govern"],
|
|
2009
1592
|
governanceElements: [ // Orange - MUST be met
|
|
2010
|
-
"
|
|
2011
|
-
"
|
|
2012
|
-
"
|
|
2013
|
-
"
|
|
1593
|
+
"Establish",
|
|
1594
|
+
"Follow",
|
|
1595
|
+
"Account and Access Control Management",
|
|
1596
|
+
"Account and Credential Management Policy/Process",
|
|
1597
|
+
"Documentation"
|
|
2014
1598
|
],
|
|
2015
1599
|
coreRequirements: [ // Green - The "what"
|
|
2016
|
-
"
|
|
2017
|
-
"
|
|
2018
|
-
"
|
|
2019
|
-
"role change access adjustment"
|
|
1600
|
+
"process",
|
|
1601
|
+
"revoking access to enterprise assets",
|
|
1602
|
+
"disabling accounts immediately"
|
|
2020
1603
|
],
|
|
2021
1604
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2022
|
-
"
|
|
2023
|
-
"
|
|
2024
|
-
"
|
|
2025
|
-
"
|
|
2026
|
-
"
|
|
2027
|
-
"
|
|
2028
|
-
"
|
|
1605
|
+
"preferably automated",
|
|
1606
|
+
"upon termination",
|
|
1607
|
+
"rights revocation",
|
|
1608
|
+
"role change of a user",
|
|
1609
|
+
"Role Change",
|
|
1610
|
+
"Termination",
|
|
1611
|
+
"Rights revocation",
|
|
1612
|
+
"Enterprise assets",
|
|
1613
|
+
"Disabling accounts immediately"
|
|
2029
1614
|
],
|
|
2030
1615
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2031
|
-
"
|
|
2032
|
-
"
|
|
2033
|
-
"
|
|
2034
|
-
"access revocation workflows",
|
|
2035
|
-
"termination checklist systems"
|
|
1616
|
+
"Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails",
|
|
1617
|
+
"Account and Access Control Management",
|
|
1618
|
+
"Account and Credential Management Policy/Process"
|
|
2036
1619
|
],
|
|
2037
|
-
relatedSafeguards: ["5.1", "
|
|
2038
|
-
keywords: ["establish", "
|
|
1620
|
+
relatedSafeguards: ["5.1", "6.7"],
|
|
1621
|
+
keywords: ["establish", "follow", "process", "automated", "revoking", "access", "enterprise", "assets", "disabling", "accounts", "termination", "rights", "revocation", "role", "change", "audit", "trails"]
|
|
2039
1622
|
},
|
|
2040
1623
|
"6.4": {
|
|
2041
1624
|
id: "6.4",
|
|
2042
1625
|
title: "Require MFA for Remote Network Access",
|
|
2043
|
-
description: "Require MFA for remote network access",
|
|
1626
|
+
description: "Require MFA for remote network access.",
|
|
2044
1627
|
implementationGroup: "IG1",
|
|
2045
1628
|
assetType: ["users"],
|
|
2046
1629
|
securityFunction: ["Protect"],
|
|
2047
1630
|
governanceElements: [ // Orange - MUST be met
|
|
2048
|
-
"
|
|
2049
|
-
"
|
|
2050
|
-
"
|
|
2051
|
-
"remote access governance"
|
|
1631
|
+
"Require",
|
|
1632
|
+
"Account and Access Control Management",
|
|
1633
|
+
"Multi-Factor Authentication Tool"
|
|
2052
1634
|
],
|
|
2053
1635
|
coreRequirements: [ // Green - The "what"
|
|
2054
|
-
"
|
|
2055
|
-
"remote network access"
|
|
2056
|
-
"MFA enforcement",
|
|
2057
|
-
"remote access security"
|
|
1636
|
+
"MFA",
|
|
1637
|
+
"remote network access"
|
|
2058
1638
|
],
|
|
2059
1639
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2060
|
-
"
|
|
2061
|
-
"remote desktop authentication",
|
|
2062
|
-
"cloud service access",
|
|
2063
|
-
"mobile device access",
|
|
2064
|
-
"authentication factors",
|
|
2065
|
-
"MFA token management",
|
|
2066
|
-
"backup authentication methods"
|
|
1640
|
+
"Remote Network Access"
|
|
2067
1641
|
],
|
|
2068
1642
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2069
|
-
"
|
|
2070
|
-
"
|
|
2071
|
-
"cloud identity providers",
|
|
2072
|
-
"MFA token systems",
|
|
2073
|
-
"biometric authentication"
|
|
1643
|
+
"Account and Access Control Management",
|
|
1644
|
+
"Multi-Factor Authentication Tool"
|
|
2074
1645
|
],
|
|
2075
|
-
relatedSafeguards: ["
|
|
2076
|
-
keywords: ["require", "MFA", "remote", "network", "access", "multi-factor", "authentication"
|
|
1646
|
+
relatedSafeguards: ["4.2", "12.7"],
|
|
1647
|
+
keywords: ["require", "MFA", "remote", "network", "access", "multi-factor", "authentication"]
|
|
2077
1648
|
},
|
|
2078
1649
|
"6.5": {
|
|
2079
1650
|
id: "6.5",
|
|
2080
1651
|
title: "Require MFA for Administrative Access",
|
|
2081
|
-
description: "Require MFA for administrative access
|
|
1652
|
+
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
2082
1653
|
implementationGroup: "IG1",
|
|
2083
1654
|
assetType: ["users"],
|
|
2084
1655
|
securityFunction: ["Protect"],
|
|
2085
1656
|
governanceElements: [ // Orange - MUST be met
|
|
2086
|
-
"
|
|
2087
|
-
"
|
|
2088
|
-
"
|
|
2089
|
-
"MFA policy enforcement"
|
|
1657
|
+
"Require",
|
|
1658
|
+
"Account and Access Control Management",
|
|
1659
|
+
"Multi-Factor Authentication Tool"
|
|
2090
1660
|
],
|
|
2091
1661
|
coreRequirements: [ // Green - The "what"
|
|
2092
|
-
"
|
|
2093
|
-
"administrative access",
|
|
2094
|
-
"
|
|
2095
|
-
"MFA enforcement"
|
|
1662
|
+
"MFA",
|
|
1663
|
+
"all administrative access accounts",
|
|
1664
|
+
"all enterprise assets"
|
|
2096
1665
|
],
|
|
2097
1666
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2098
|
-
"
|
|
2099
|
-
"
|
|
2100
|
-
"
|
|
2101
|
-
"
|
|
2102
|
-
"
|
|
2103
|
-
"
|
|
2104
|
-
"emergency access procedures"
|
|
1667
|
+
"where supported",
|
|
1668
|
+
"All Admin Access Accounts",
|
|
1669
|
+
"All enterprise assets",
|
|
1670
|
+
"Onsite Management",
|
|
1671
|
+
"Service Provider",
|
|
1672
|
+
"Or"
|
|
2105
1673
|
],
|
|
2106
1674
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2107
|
-
"
|
|
2108
|
-
"
|
|
2109
|
-
"just-in-time access",
|
|
2110
|
-
"privileged session management",
|
|
2111
|
-
"administrative workstations"
|
|
1675
|
+
"Account and Access Control Management",
|
|
1676
|
+
"Multi-Factor Authentication Tool"
|
|
2112
1677
|
],
|
|
2113
|
-
relatedSafeguards: ["
|
|
2114
|
-
keywords: ["require", "MFA", "administrative", "access", "enterprise", "assets", "
|
|
1678
|
+
relatedSafeguards: ["4.1"],
|
|
1679
|
+
keywords: ["require", "MFA", "administrative", "access", "accounts", "supported", "enterprise", "assets", "managed", "onsite", "service", "provider"]
|
|
2115
1680
|
},
|
|
2116
1681
|
"6.6": {
|
|
2117
1682
|
id: "6.6",
|
|
2118
1683
|
title: "Establish and Maintain an Inventory of Authentication and Authorization Systems",
|
|
2119
|
-
description: "Establish and maintain an inventory of authentication and authorization systems",
|
|
1684
|
+
description: "Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.",
|
|
2120
1685
|
implementationGroup: "IG2",
|
|
2121
|
-
assetType: ["
|
|
1686
|
+
assetType: ["software"],
|
|
2122
1687
|
securityFunction: ["Identify"],
|
|
2123
1688
|
governanceElements: [ // Orange - MUST be met
|
|
2124
|
-
"
|
|
2125
|
-
"maintain
|
|
2126
|
-
"
|
|
2127
|
-
"
|
|
1689
|
+
"Establish",
|
|
1690
|
+
"maintain",
|
|
1691
|
+
"Review and update",
|
|
1692
|
+
"Account and Access Control Management",
|
|
1693
|
+
"Account and Credential Management Policy/Process"
|
|
2128
1694
|
],
|
|
2129
1695
|
coreRequirements: [ // Green - The "what"
|
|
2130
|
-
"authentication
|
|
2131
|
-
"authorization system inventory",
|
|
2132
|
-
"identity system tracking",
|
|
2133
|
-
"access control system management"
|
|
1696
|
+
"inventory of the enterprise's authentication and authorization systems"
|
|
2134
1697
|
],
|
|
2135
1698
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2136
|
-
"
|
|
2137
|
-
"
|
|
2138
|
-
"
|
|
2139
|
-
"
|
|
2140
|
-
"
|
|
2141
|
-
"
|
|
2142
|
-
"
|
|
1699
|
+
"including those hosted on-site or at a remote service provider",
|
|
1700
|
+
"at a minimum, annually, or more frequently",
|
|
1701
|
+
"Hosted on-site",
|
|
1702
|
+
"Remote Service Provider",
|
|
1703
|
+
"Or",
|
|
1704
|
+
"At a minimum Annually",
|
|
1705
|
+
"More frequently"
|
|
2143
1706
|
],
|
|
2144
1707
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2145
|
-
"
|
|
2146
|
-
"
|
|
2147
|
-
"system catalog management",
|
|
2148
|
-
"integration mapping tools",
|
|
2149
|
-
"identity architecture documentation"
|
|
1708
|
+
"Account and Access Control Management",
|
|
1709
|
+
"Account and Credential Management Policy/Process"
|
|
2150
1710
|
],
|
|
2151
|
-
relatedSafeguards: ["1.1", "2.1", "
|
|
2152
|
-
keywords: ["establish", "maintain", "inventory", "authentication", "authorization", "systems", "
|
|
1711
|
+
relatedSafeguards: ["1.1", "2.1", "3.3", "5.6", "6.7"],
|
|
1712
|
+
keywords: ["establish", "maintain", "inventory", "enterprise", "authentication", "authorization", "systems", "hosted", "onsite", "remote", "service", "provider", "review", "update", "annually"]
|
|
2153
1713
|
},
|
|
2154
1714
|
"6.7": {
|
|
2155
1715
|
id: "6.7",
|
|
2156
1716
|
title: "Centralize Access Control",
|
|
2157
|
-
description: "Centralize access control for all enterprise assets through a directory service or SSO provider",
|
|
1717
|
+
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
2158
1718
|
implementationGroup: "IG2",
|
|
2159
1719
|
assetType: ["users"],
|
|
2160
1720
|
securityFunction: ["Protect"],
|
|
2161
1721
|
governanceElements: [ // Orange - MUST be met
|
|
2162
|
-
"
|
|
2163
|
-
"
|
|
2164
|
-
"
|
|
2165
|
-
"
|
|
1722
|
+
"Centralize",
|
|
1723
|
+
"Account and Access Control Management",
|
|
1724
|
+
"Account and Credential Management Policy/Process",
|
|
1725
|
+
"Identity and Access Management Tool"
|
|
2166
1726
|
],
|
|
2167
1727
|
coreRequirements: [ // Green - The "what"
|
|
2168
|
-
"
|
|
2169
|
-
"
|
|
2170
|
-
"SSO provider deployment",
|
|
2171
|
-
"unified access management"
|
|
1728
|
+
"access control",
|
|
1729
|
+
"all enterprise assets"
|
|
2172
1730
|
],
|
|
2173
1731
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2174
|
-
"
|
|
2175
|
-
"
|
|
2176
|
-
"
|
|
2177
|
-
"
|
|
2178
|
-
"
|
|
2179
|
-
"
|
|
2180
|
-
"
|
|
1732
|
+
"through a directory service or SSO provider",
|
|
1733
|
+
"where supported",
|
|
1734
|
+
"Directory Service",
|
|
1735
|
+
"SSO Provider",
|
|
1736
|
+
"Or",
|
|
1737
|
+
"All enterprise assets",
|
|
1738
|
+
"Where Supported"
|
|
2181
1739
|
],
|
|
2182
1740
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2183
|
-
"
|
|
2184
|
-
"
|
|
2185
|
-
"
|
|
2186
|
-
"identity federation platforms",
|
|
2187
|
-
"centralized access gateways"
|
|
1741
|
+
"Account and Access Control Management",
|
|
1742
|
+
"Account and Credential Management Policy/Process",
|
|
1743
|
+
"Identity and Access Management Tool"
|
|
2188
1744
|
],
|
|
2189
|
-
relatedSafeguards: ["
|
|
2190
|
-
keywords: ["centralize", "access", "control", "enterprise", "assets", "directory", "service", "SSO"]
|
|
1745
|
+
relatedSafeguards: ["4.1", "5.1", "5.6", "6.1", "6.2", "6.6", "12.5", "12.7"],
|
|
1746
|
+
keywords: ["centralize", "access", "control", "enterprise", "assets", "directory", "service", "SSO", "provider", "supported"]
|
|
2191
1747
|
},
|
|
2192
1748
|
"6.8": {
|
|
2193
1749
|
id: "6.8",
|
|
2194
1750
|
title: "Define and Maintain Role-Based Access Control",
|
|
2195
|
-
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise",
|
|
1751
|
+
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
2196
1752
|
implementationGroup: "IG3",
|
|
2197
1753
|
assetType: ["users"],
|
|
2198
|
-
securityFunction: ["
|
|
1754
|
+
securityFunction: ["Govern"],
|
|
2199
1755
|
governanceElements: [ // Orange - MUST be met
|
|
2200
|
-
"
|
|
2201
|
-
"maintain
|
|
2202
|
-
"
|
|
2203
|
-
"
|
|
1756
|
+
"Define",
|
|
1757
|
+
"maintain",
|
|
1758
|
+
"Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently",
|
|
1759
|
+
"Account and Access Control Management",
|
|
1760
|
+
"Account and Credential Management Policy/Process",
|
|
1761
|
+
"Identity and Access management Tool"
|
|
2204
1762
|
],
|
|
2205
1763
|
coreRequirements: [ // Green - The "what"
|
|
2206
1764
|
"role-based access control",
|
|
2207
|
-
"access rights
|
|
2208
|
-
"role documentation",
|
|
2209
|
-
"RBAC implementation"
|
|
1765
|
+
"determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties"
|
|
2210
1766
|
],
|
|
2211
1767
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2212
|
-
"
|
|
2213
|
-
"
|
|
2214
|
-
"
|
|
2215
|
-
"
|
|
2216
|
-
"
|
|
2217
|
-
"
|
|
2218
|
-
"
|
|
1768
|
+
"Access rights",
|
|
1769
|
+
"Each Role",
|
|
1770
|
+
"Necessary",
|
|
1771
|
+
"Successfully carry out its assigned duties",
|
|
1772
|
+
"Determining",
|
|
1773
|
+
"Documenting",
|
|
1774
|
+
"At a minimum Annually",
|
|
1775
|
+
"More frequently",
|
|
1776
|
+
"Or"
|
|
2219
1777
|
],
|
|
2220
1778
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2221
|
-
"
|
|
2222
|
-
"
|
|
2223
|
-
"
|
|
2224
|
-
"permission analysis tools",
|
|
2225
|
-
"role governance systems"
|
|
1779
|
+
"Account and Access Control Management",
|
|
1780
|
+
"Account and Credential Management Policy/Process",
|
|
1781
|
+
"Identity and Access management Tool"
|
|
2226
1782
|
],
|
|
2227
|
-
relatedSafeguards: ["
|
|
2228
|
-
keywords: ["define", "maintain", "role-based", "access", "control", "
|
|
1783
|
+
relatedSafeguards: ["3.3", "4.1", "6.1"],
|
|
1784
|
+
keywords: ["define", "maintain", "role-based", "access", "control", "determining", "documenting", "rights", "necessary", "role", "enterprise", "duties", "perform", "reviews", "validate", "privileges", "authorized", "recurring", "annually"]
|
|
2229
1785
|
},
|
|
2230
1786
|
"7.2": {
|
|
2231
1787
|
id: "7.2",
|