framework-mcp 2.4.2 → 2.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +69 -106
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +2 -2
- package/dist/interfaces/mcp/mcp-server.js +2 -2
- package/package.json +1 -1
- package/src/core/safeguard-manager.ts +64 -101
- package/src/interfaces/http/http-server.ts +2 -2
- package/src/interfaces/mcp/mcp-server.ts +2 -2
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;
|
|
1
|
+
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAg8gB7B"}
|
|
@@ -1016,7 +1016,7 @@ export class SafeguardManager {
|
|
|
1016
1016
|
title: "Establish and Maintain a Data Management Process",
|
|
1017
1017
|
description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1018
1018
|
implementationGroup: "IG1",
|
|
1019
|
-
assetType: ["
|
|
1019
|
+
assetType: ["Data"],
|
|
1020
1020
|
securityFunction: ["Govern"],
|
|
1021
1021
|
governanceElements: [
|
|
1022
1022
|
"Establish",
|
|
@@ -1024,20 +1024,15 @@ export class SafeguardManager {
|
|
|
1024
1024
|
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1025
1025
|
],
|
|
1026
1026
|
coreRequirements: [
|
|
1027
|
-
"documented data management process"
|
|
1028
|
-
"address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise"
|
|
1027
|
+
"documented data management process"
|
|
1029
1028
|
],
|
|
1030
1029
|
subTaxonomicalElements: [
|
|
1031
|
-
"Documented Data management process",
|
|
1032
1030
|
"Data Sensitivity",
|
|
1033
1031
|
"Data Owner",
|
|
1034
1032
|
"Data Handling",
|
|
1035
1033
|
"Data Retention Limits",
|
|
1036
1034
|
"Disposal Requirements",
|
|
1037
|
-
"Retention Standards"
|
|
1038
|
-
"Review and update documentation",
|
|
1039
|
-
"Annually",
|
|
1040
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1035
|
+
"Retention Standards"
|
|
1041
1036
|
],
|
|
1042
1037
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1043
1038
|
],
|
|
@@ -1093,7 +1088,7 @@ export class SafeguardManager {
|
|
|
1093
1088
|
title: "Establish and Maintain a Data Inventory",
|
|
1094
1089
|
description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
|
|
1095
1090
|
implementationGroup: "IG1",
|
|
1096
|
-
assetType: ["
|
|
1091
|
+
assetType: ["Data"],
|
|
1097
1092
|
securityFunction: ["Identify"],
|
|
1098
1093
|
governanceElements: [
|
|
1099
1094
|
"Establish",
|
|
@@ -1101,16 +1096,11 @@ export class SafeguardManager {
|
|
|
1101
1096
|
"Review and update inventory annually, at a minimum, with a priority on sensitive data"
|
|
1102
1097
|
],
|
|
1103
1098
|
coreRequirements: [
|
|
1104
|
-
"data inventory
|
|
1105
|
-
"inventory sensitive data, at a minimum"
|
|
1099
|
+
"data inventory"
|
|
1106
1100
|
],
|
|
1107
1101
|
subTaxonomicalElements: [
|
|
1108
|
-
"Data Inventory",
|
|
1109
1102
|
"Based on Data Management process",
|
|
1110
|
-
"Sensitive Data at a Minimum"
|
|
1111
|
-
"Review and update inventory",
|
|
1112
|
-
"Annually, at a minimum",
|
|
1113
|
-
"Priority on sensitive data"
|
|
1103
|
+
"Sensitive Data at a Minimum"
|
|
1114
1104
|
],
|
|
1115
1105
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1116
1106
|
],
|
|
@@ -1166,14 +1156,13 @@ export class SafeguardManager {
|
|
|
1166
1156
|
title: "Configure Data Access Control Lists",
|
|
1167
1157
|
description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
|
|
1168
1158
|
implementationGroup: "IG1",
|
|
1169
|
-
assetType: ["
|
|
1159
|
+
assetType: ["Data"],
|
|
1170
1160
|
securityFunction: ["Protect"],
|
|
1171
1161
|
governanceElements: [
|
|
1172
|
-
"Configure"
|
|
1173
|
-
"Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications"
|
|
1162
|
+
"Configure"
|
|
1174
1163
|
],
|
|
1175
1164
|
coreRequirements: [
|
|
1176
|
-
"data access control lists
|
|
1165
|
+
"data access control lists"
|
|
1177
1166
|
],
|
|
1178
1167
|
subTaxonomicalElements: [
|
|
1179
1168
|
"Data Access control lists",
|
|
@@ -1238,7 +1227,7 @@ export class SafeguardManager {
|
|
|
1238
1227
|
title: "Enforce Data Retention",
|
|
1239
1228
|
description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
|
|
1240
1229
|
implementationGroup: "IG1",
|
|
1241
|
-
assetType: ["
|
|
1230
|
+
assetType: ["Data"],
|
|
1242
1231
|
securityFunction: ["Protect"],
|
|
1243
1232
|
governanceElements: [
|
|
1244
1233
|
"Retain",
|
|
@@ -1251,7 +1240,6 @@ export class SafeguardManager {
|
|
|
1251
1240
|
],
|
|
1252
1241
|
subTaxonomicalElements: [
|
|
1253
1242
|
"Data Retention",
|
|
1254
|
-
"Must Include",
|
|
1255
1243
|
"Minimum Timelines",
|
|
1256
1244
|
"Maximum timelines"
|
|
1257
1245
|
],
|
|
@@ -1309,19 +1297,17 @@ export class SafeguardManager {
|
|
|
1309
1297
|
title: "Securely Dispose of Data",
|
|
1310
1298
|
description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
|
|
1311
1299
|
implementationGroup: "IG1",
|
|
1312
|
-
assetType: ["
|
|
1300
|
+
assetType: ["Data"],
|
|
1313
1301
|
securityFunction: ["Protect"],
|
|
1314
1302
|
governanceElements: [
|
|
1315
|
-
"
|
|
1303
|
+
"Disposal process and method are commensurate with the data sensitivity",
|
|
1316
1304
|
"Ensure"
|
|
1317
1305
|
],
|
|
1318
1306
|
coreRequirements: [
|
|
1319
|
-
"
|
|
1320
|
-
"the disposal process and method are commensurate with the data sensitivity"
|
|
1307
|
+
"Securely Dispose of Data"
|
|
1321
1308
|
],
|
|
1322
1309
|
subTaxonomicalElements: [
|
|
1323
|
-
"Securely dispose of
|
|
1324
|
-
"Disposal process and method are commensurate with the data sensitivity"
|
|
1310
|
+
"Securely dispose of Data"
|
|
1325
1311
|
],
|
|
1326
1312
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1327
1313
|
],
|
|
@@ -1377,17 +1363,17 @@ export class SafeguardManager {
|
|
|
1377
1363
|
title: "Encrypt Data on End-User Devices",
|
|
1378
1364
|
description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
|
|
1379
1365
|
implementationGroup: "IG1",
|
|
1380
|
-
assetType: ["
|
|
1366
|
+
assetType: ["Data"],
|
|
1381
1367
|
securityFunction: ["Protect"],
|
|
1382
1368
|
governanceElements: [
|
|
1383
1369
|
"Encrypt"
|
|
1384
1370
|
],
|
|
1385
1371
|
coreRequirements: [
|
|
1386
|
-
"data on end-user devices
|
|
1372
|
+
"data on end-user devices"
|
|
1387
1373
|
],
|
|
1388
1374
|
subTaxonomicalElements: [
|
|
1389
1375
|
"Data on end-user devices",
|
|
1390
|
-
"Sensitive data"
|
|
1376
|
+
"that contain Sensitive data"
|
|
1391
1377
|
],
|
|
1392
1378
|
implementationSuggestions: [
|
|
1393
1379
|
"Windows Bitlocker",
|
|
@@ -1446,7 +1432,7 @@ export class SafeguardManager {
|
|
|
1446
1432
|
title: "Establish and Maintain a Data Classification Scheme",
|
|
1447
1433
|
description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1448
1434
|
implementationGroup: "IG2",
|
|
1449
|
-
assetType: ["
|
|
1435
|
+
assetType: ["Data"],
|
|
1450
1436
|
securityFunction: ["Identify"],
|
|
1451
1437
|
governanceElements: [
|
|
1452
1438
|
"Establish",
|
|
@@ -1454,15 +1440,10 @@ export class SafeguardManager {
|
|
|
1454
1440
|
"Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1455
1441
|
],
|
|
1456
1442
|
coreRequirements: [
|
|
1457
|
-
"
|
|
1458
|
-
"classify their data according to those labels"
|
|
1443
|
+
"data classification scheme"
|
|
1459
1444
|
],
|
|
1460
1445
|
subTaxonomicalElements: [
|
|
1461
|
-
"
|
|
1462
|
-
"Classify their data according to labels",
|
|
1463
|
-
"Review and update classification scheme",
|
|
1464
|
-
"Annually",
|
|
1465
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1446
|
+
"Classify their data according to labels"
|
|
1466
1447
|
],
|
|
1467
1448
|
implementationSuggestions: [
|
|
1468
1449
|
"Sensitive",
|
|
@@ -1521,27 +1502,19 @@ export class SafeguardManager {
|
|
|
1521
1502
|
title: "Document Data Flows",
|
|
1522
1503
|
description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1523
1504
|
implementationGroup: "IG2",
|
|
1524
|
-
assetType: ["
|
|
1505
|
+
assetType: ["Data"],
|
|
1525
1506
|
securityFunction: ["Identify"],
|
|
1526
1507
|
governanceElements: [
|
|
1527
|
-
"Document data flows"
|
|
1528
|
-
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1508
|
+
"Document data flows"
|
|
1529
1509
|
],
|
|
1530
1510
|
coreRequirements: [
|
|
1531
|
-
"Data
|
|
1511
|
+
"Document Data Flows"
|
|
1532
1512
|
],
|
|
1533
1513
|
subTaxonomicalElements: [
|
|
1534
|
-
"Document data flows",
|
|
1535
1514
|
"Enterprise Data Flows",
|
|
1536
|
-
"Service Provider Data Flows"
|
|
1537
|
-
"Review and update documentation",
|
|
1538
|
-
"Annually",
|
|
1539
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1515
|
+
"Service Provider Data Flows"
|
|
1540
1516
|
],
|
|
1541
|
-
implementationSuggestions: [
|
|
1542
|
-
"Data management systems",
|
|
1543
|
-
"Data flow mapping tools",
|
|
1544
|
-
"Service provider documentation"
|
|
1517
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1545
1518
|
],
|
|
1546
1519
|
relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"],
|
|
1547
1520
|
systemPromptFull: {
|
|
@@ -1595,16 +1568,16 @@ export class SafeguardManager {
|
|
|
1595
1568
|
title: "Encrypt Data on Removable Media",
|
|
1596
1569
|
description: "Encrypt Data on Removable Media",
|
|
1597
1570
|
implementationGroup: "IG2",
|
|
1598
|
-
assetType: ["
|
|
1571
|
+
assetType: ["Data"],
|
|
1599
1572
|
securityFunction: ["Protect"],
|
|
1600
1573
|
governanceElements: [
|
|
1601
|
-
"Encrypt
|
|
1574
|
+
"Encrypt"
|
|
1602
1575
|
],
|
|
1603
|
-
coreRequirements: [
|
|
1576
|
+
coreRequirements: [
|
|
1577
|
+
"Encrypt Data on Removable Media"
|
|
1604
1578
|
],
|
|
1605
1579
|
subTaxonomicalElements: [
|
|
1606
1580
|
"Data on Removable Media",
|
|
1607
|
-
"Maintain"
|
|
1608
1581
|
],
|
|
1609
1582
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1610
1583
|
],
|
|
@@ -1660,13 +1633,13 @@ export class SafeguardManager {
|
|
|
1660
1633
|
title: "Encrypt Sensitive Data in Transit",
|
|
1661
1634
|
description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
|
|
1662
1635
|
implementationGroup: "IG2",
|
|
1663
|
-
assetType: ["
|
|
1636
|
+
assetType: ["Data"],
|
|
1664
1637
|
securityFunction: ["Protect"],
|
|
1665
1638
|
governanceElements: [
|
|
1666
1639
|
"Encrypt"
|
|
1667
1640
|
],
|
|
1668
1641
|
coreRequirements: [
|
|
1669
|
-
"sensitive data in transit"
|
|
1642
|
+
"Encrypt sensitive data in transit"
|
|
1670
1643
|
],
|
|
1671
1644
|
subTaxonomicalElements: [
|
|
1672
1645
|
"Sensitive data in transit"
|
|
@@ -1727,23 +1700,21 @@ export class SafeguardManager {
|
|
|
1727
1700
|
title: "Encrypt Sensitive Data at Rest",
|
|
1728
1701
|
description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
|
|
1729
1702
|
implementationGroup: "IG2",
|
|
1730
|
-
assetType: ["
|
|
1703
|
+
assetType: ["Data"],
|
|
1731
1704
|
securityFunction: ["Protect"],
|
|
1732
1705
|
governanceElements: [
|
|
1733
1706
|
"Encrypt",
|
|
1734
|
-
"
|
|
1707
|
+
"Minimum Requirement"
|
|
1735
1708
|
],
|
|
1736
1709
|
coreRequirements: [
|
|
1737
|
-
"sensitive data at rest
|
|
1738
|
-
"Storage-layer encryption, also known as server-side encryption"
|
|
1710
|
+
"Encrypt sensitive data at rest"
|
|
1739
1711
|
],
|
|
1740
1712
|
subTaxonomicalElements: [
|
|
1741
|
-
"
|
|
1713
|
+
"Sensitive Data At Rest",
|
|
1742
1714
|
"Servers",
|
|
1743
|
-
"
|
|
1715
|
+
"Applications",
|
|
1744
1716
|
"Databases",
|
|
1745
|
-
"Storage Layer (server side) encryption"
|
|
1746
|
-
"Minimum Requirement"
|
|
1717
|
+
"Storage Layer (server side) encryption"
|
|
1747
1718
|
],
|
|
1748
1719
|
implementationSuggestions: [
|
|
1749
1720
|
"Application layer (client-side) encryption",
|
|
@@ -1801,19 +1772,17 @@ export class SafeguardManager {
|
|
|
1801
1772
|
title: "Segment Data Processing and Storage Based on Sensitivity",
|
|
1802
1773
|
description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
|
|
1803
1774
|
implementationGroup: "IG2",
|
|
1804
|
-
assetType: ["
|
|
1775
|
+
assetType: ["Data"],
|
|
1805
1776
|
securityFunction: ["Protect"],
|
|
1806
1777
|
governanceElements: [
|
|
1807
|
-
"Segment data processing and storage based on the sensitivity of the data",
|
|
1808
1778
|
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
1809
1779
|
],
|
|
1810
|
-
coreRequirements: [
|
|
1780
|
+
coreRequirements: [
|
|
1781
|
+
"Segment Data Processing",
|
|
1782
|
+
"Segment Data Storage",
|
|
1783
|
+
"Based on Sensitivity"
|
|
1811
1784
|
],
|
|
1812
|
-
subTaxonomicalElements: [
|
|
1813
|
-
"Based on the sensitivity of data",
|
|
1814
|
-
"Segment data processing (compute)",
|
|
1815
|
-
"Segment Storage",
|
|
1816
|
-
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
1785
|
+
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1817
1786
|
],
|
|
1818
1787
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1819
1788
|
],
|
|
@@ -1869,17 +1838,15 @@ export class SafeguardManager {
|
|
|
1869
1838
|
title: "Deploy a Data Loss Prevention Solution",
|
|
1870
1839
|
description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
|
|
1871
1840
|
implementationGroup: "IG3",
|
|
1872
|
-
assetType: ["
|
|
1841
|
+
assetType: ["Data"],
|
|
1873
1842
|
securityFunction: ["Protect"],
|
|
1874
1843
|
governanceElements: [
|
|
1875
|
-
"Implement"
|
|
1876
|
-
"Update Data Inventory"
|
|
1844
|
+
"Implement"
|
|
1877
1845
|
],
|
|
1878
1846
|
coreRequirements: [
|
|
1879
|
-
"automated tool to identify all sensitive data
|
|
1847
|
+
"automated tool to identify all sensitive data"
|
|
1880
1848
|
],
|
|
1881
1849
|
subTaxonomicalElements: [
|
|
1882
|
-
"Automated DLP Tool",
|
|
1883
1850
|
"Identify all sensitive Data",
|
|
1884
1851
|
"Stored",
|
|
1885
1852
|
"Processed",
|
|
@@ -1943,19 +1910,15 @@ export class SafeguardManager {
|
|
|
1943
1910
|
title: "Log Sensitive Data Access",
|
|
1944
1911
|
description: "Log sensitive data access, including modification and disposal.",
|
|
1945
1912
|
implementationGroup: "IG3",
|
|
1946
|
-
assetType: ["
|
|
1913
|
+
assetType: ["Data"],
|
|
1947
1914
|
securityFunction: ["Detect"],
|
|
1948
1915
|
governanceElements: [
|
|
1949
1916
|
"Log"
|
|
1950
1917
|
],
|
|
1951
1918
|
coreRequirements: [
|
|
1952
|
-
"sensitive data access, including modification and disposal"
|
|
1919
|
+
"Log sensitive data access, including modification and disposal"
|
|
1953
1920
|
],
|
|
1954
|
-
subTaxonomicalElements: [
|
|
1955
|
-
"Sensitive Data access",
|
|
1956
|
-
"Access",
|
|
1957
|
-
"Modification",
|
|
1958
|
-
"Disposal"
|
|
1921
|
+
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1959
1922
|
],
|
|
1960
1923
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1961
1924
|
],
|
|
@@ -2815,7 +2778,7 @@ export class SafeguardManager {
|
|
|
2815
2778
|
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
2816
2779
|
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
2817
2780
|
implementationGroup: "IG3",
|
|
2818
|
-
assetType: ["devices", "
|
|
2781
|
+
assetType: ["devices", "Data"],
|
|
2819
2782
|
securityFunction: ["Protect"],
|
|
2820
2783
|
governanceElements: [
|
|
2821
2784
|
"Ensure",
|
|
@@ -4534,7 +4497,7 @@ export class SafeguardManager {
|
|
|
4534
4497
|
title: "Establish and Maintain an Audit Log Management Process",
|
|
4535
4498
|
description: "Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
4536
4499
|
implementationGroup: "IG1",
|
|
4537
|
-
assetType: ["enterprise assets", "
|
|
4500
|
+
assetType: ["enterprise assets", "Data"],
|
|
4538
4501
|
securityFunction: ["Govern"],
|
|
4539
4502
|
governanceElements: [
|
|
4540
4503
|
"establish and maintain",
|
|
@@ -4610,7 +4573,7 @@ export class SafeguardManager {
|
|
|
4610
4573
|
title: "Collect Audit Logs",
|
|
4611
4574
|
description: "Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.",
|
|
4612
4575
|
implementationGroup: "IG1",
|
|
4613
|
-
assetType: ["enterprise assets", "
|
|
4576
|
+
assetType: ["enterprise assets", "Data"],
|
|
4614
4577
|
securityFunction: ["Detect"],
|
|
4615
4578
|
governanceElements: [
|
|
4616
4579
|
"per the enterprise's audit log management process"
|
|
@@ -4679,7 +4642,7 @@ export class SafeguardManager {
|
|
|
4679
4642
|
title: "Ensure Adequate Audit Log Storage",
|
|
4680
4643
|
description: "Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.",
|
|
4681
4644
|
implementationGroup: "IG1",
|
|
4682
|
-
assetType: ["
|
|
4645
|
+
assetType: ["Data"],
|
|
4683
4646
|
securityFunction: ["Protect"],
|
|
4684
4647
|
governanceElements: [
|
|
4685
4648
|
"comply with the enterprise's audit log management process"
|
|
@@ -4749,7 +4712,7 @@ export class SafeguardManager {
|
|
|
4749
4712
|
title: "Standardize Time Synchronization",
|
|
4750
4713
|
description: "Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.",
|
|
4751
4714
|
implementationGroup: "IG2",
|
|
4752
|
-
assetType: ["enterprise assets", "
|
|
4715
|
+
assetType: ["enterprise assets", "Data"],
|
|
4753
4716
|
securityFunction: ["Protect"],
|
|
4754
4717
|
governanceElements: [
|
|
4755
4718
|
"standardize time synchronization"
|
|
@@ -4821,7 +4784,7 @@ export class SafeguardManager {
|
|
|
4821
4784
|
title: "Collect Detailed Audit Logs",
|
|
4822
4785
|
description: "Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.",
|
|
4823
4786
|
implementationGroup: "IG2",
|
|
4824
|
-
assetType: ["enterprise assets", "
|
|
4787
|
+
assetType: ["enterprise assets", "Data"],
|
|
4825
4788
|
securityFunction: ["Detect"],
|
|
4826
4789
|
governanceElements: [
|
|
4827
4790
|
"configure detailed audit logging"
|
|
@@ -4896,7 +4859,7 @@ export class SafeguardManager {
|
|
|
4896
4859
|
title: "Collect DNS Query Audit Logs",
|
|
4897
4860
|
description: "Collect DNS query audit logs on enterprise assets, where appropriate and supported.",
|
|
4898
4861
|
implementationGroup: "IG2",
|
|
4899
|
-
assetType: ["enterprise assets", "
|
|
4862
|
+
assetType: ["enterprise assets", "Data"],
|
|
4900
4863
|
securityFunction: ["Detect"],
|
|
4901
4864
|
governanceElements: [
|
|
4902
4865
|
"where appropriate and supported"
|
|
@@ -4967,7 +4930,7 @@ export class SafeguardManager {
|
|
|
4967
4930
|
title: "Collect URL Request Audit Logs",
|
|
4968
4931
|
description: "Collect URL request audit logs on enterprise assets, where appropriate and supported.",
|
|
4969
4932
|
implementationGroup: "IG2",
|
|
4970
|
-
assetType: ["enterprise assets", "
|
|
4933
|
+
assetType: ["enterprise assets", "Data"],
|
|
4971
4934
|
securityFunction: ["Detect"],
|
|
4972
4935
|
governanceElements: [
|
|
4973
4936
|
"where appropriate and supported"
|
|
@@ -5038,7 +5001,7 @@ export class SafeguardManager {
|
|
|
5038
5001
|
title: "Collect Command-Line Audit Logs",
|
|
5039
5002
|
description: "Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.",
|
|
5040
5003
|
implementationGroup: "IG2",
|
|
5041
|
-
assetType: ["
|
|
5004
|
+
assetType: ["Data"],
|
|
5042
5005
|
securityFunction: ["Detect"],
|
|
5043
5006
|
governanceElements: [
|
|
5044
5007
|
"collect command-line audit logs"
|
|
@@ -5108,7 +5071,7 @@ export class SafeguardManager {
|
|
|
5108
5071
|
title: "Centralize Audit Logs",
|
|
5109
5072
|
description: "Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources.",
|
|
5110
5073
|
implementationGroup: "IG2",
|
|
5111
|
-
assetType: ["enterprise assets", "
|
|
5074
|
+
assetType: ["enterprise assets", "Data"],
|
|
5112
5075
|
securityFunction: ["Detect"],
|
|
5113
5076
|
governanceElements: [
|
|
5114
5077
|
"in accordance with documented audit log management process",
|
|
@@ -5180,7 +5143,7 @@ export class SafeguardManager {
|
|
|
5180
5143
|
title: "Retain Audit Logs",
|
|
5181
5144
|
description: "Retain audit logs across enterprise assets for a minimum of 90 days.",
|
|
5182
5145
|
implementationGroup: "IG2",
|
|
5183
|
-
assetType: ["enterprise assets", "
|
|
5146
|
+
assetType: ["enterprise assets", "Data"],
|
|
5184
5147
|
securityFunction: ["Protect"],
|
|
5185
5148
|
governanceElements: [
|
|
5186
5149
|
"minimum of 90 days"
|
|
@@ -5247,7 +5210,7 @@ export class SafeguardManager {
|
|
|
5247
5210
|
title: "Conduct Audit Log Reviews",
|
|
5248
5211
|
description: "Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.",
|
|
5249
5212
|
implementationGroup: "IG2",
|
|
5250
|
-
assetType: ["
|
|
5213
|
+
assetType: ["Data"],
|
|
5251
5214
|
securityFunction: ["Detect"],
|
|
5252
5215
|
governanceElements: [
|
|
5253
5216
|
"conduct reviews on a weekly, or more frequent, basis"
|
|
@@ -5317,7 +5280,7 @@ export class SafeguardManager {
|
|
|
5317
5280
|
title: "Collect Service Provider Logs",
|
|
5318
5281
|
description: "Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.",
|
|
5319
5282
|
implementationGroup: "IG3",
|
|
5320
|
-
assetType: ["
|
|
5283
|
+
assetType: ["Data"],
|
|
5321
5284
|
securityFunction: ["Detect"],
|
|
5322
5285
|
governanceElements: [
|
|
5323
5286
|
"where supported"
|
|
@@ -6481,7 +6444,7 @@ export class SafeguardManager {
|
|
|
6481
6444
|
title: "Establish and Maintain a Data Recovery Process",
|
|
6482
6445
|
description: "Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
6483
6446
|
implementationGroup: "IG1",
|
|
6484
|
-
assetType: ["
|
|
6447
|
+
assetType: ["Data"],
|
|
6485
6448
|
securityFunction: ["Govern"],
|
|
6486
6449
|
governanceElements: [
|
|
6487
6450
|
"establish documented data recovery process",
|
|
@@ -6564,7 +6527,7 @@ export class SafeguardManager {
|
|
|
6564
6527
|
title: "Perform Automated Backups",
|
|
6565
6528
|
description: "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data",
|
|
6566
6529
|
implementationGroup: "IG1",
|
|
6567
|
-
assetType: ["
|
|
6530
|
+
assetType: ["Data"],
|
|
6568
6531
|
securityFunction: ["Recover"],
|
|
6569
6532
|
governanceElements: [
|
|
6570
6533
|
"perform automated backups",
|
|
@@ -6645,7 +6608,7 @@ export class SafeguardManager {
|
|
|
6645
6608
|
title: "Protect Recovery Data",
|
|
6646
6609
|
description: "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements",
|
|
6647
6610
|
implementationGroup: "IG1",
|
|
6648
|
-
assetType: ["
|
|
6611
|
+
assetType: ["Data"],
|
|
6649
6612
|
securityFunction: ["Protect"],
|
|
6650
6613
|
governanceElements: [
|
|
6651
6614
|
"protect recovery data",
|
|
@@ -6725,7 +6688,7 @@ export class SafeguardManager {
|
|
|
6725
6688
|
title: "Establish and Maintain an Isolated Instance of Recovery Data",
|
|
6726
6689
|
description: "Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services",
|
|
6727
6690
|
implementationGroup: "IG1",
|
|
6728
|
-
assetType: ["
|
|
6691
|
+
assetType: ["Data"],
|
|
6729
6692
|
securityFunction: ["Recover"],
|
|
6730
6693
|
governanceElements: [
|
|
6731
6694
|
"establish isolated instance of recovery data",
|
|
@@ -6808,7 +6771,7 @@ export class SafeguardManager {
|
|
|
6808
6771
|
title: "Test Data Recovery",
|
|
6809
6772
|
description: "Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets",
|
|
6810
6773
|
implementationGroup: "IG2",
|
|
6811
|
-
assetType: ["
|
|
6774
|
+
assetType: ["Data"],
|
|
6812
6775
|
securityFunction: ["Recover"],
|
|
6813
6776
|
governanceElements: [
|
|
6814
6777
|
"test backup recovery quarterly or more frequently",
|
|
@@ -9494,7 +9457,7 @@ export class SafeguardManager {
|
|
|
9494
9457
|
title: "Monitor Service Providers",
|
|
9495
9458
|
description: "Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring",
|
|
9496
9459
|
implementationGroup: "IG3",
|
|
9497
|
-
assetType: ["
|
|
9460
|
+
assetType: ["Data"],
|
|
9498
9461
|
securityFunction: ["Govern"],
|
|
9499
9462
|
governanceElements: [
|
|
9500
9463
|
"monitor service providers consistent with enterprise's service provider management policy",
|
|
@@ -9571,7 +9534,7 @@ export class SafeguardManager {
|
|
|
9571
9534
|
title: "Securely Decommission Service Providers",
|
|
9572
9535
|
description: "Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems",
|
|
9573
9536
|
implementationGroup: "IG3",
|
|
9574
|
-
assetType: ["
|
|
9537
|
+
assetType: ["Data"],
|
|
9575
9538
|
securityFunction: ["Protect"],
|
|
9576
9539
|
governanceElements: [
|
|
9577
9540
|
"securely decommission service providers",
|