framework-mcp 2.4.2 → 2.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -14
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +173 -245
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +5 -5
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/package.json +2 -2
- package/src/core/safeguard-manager.ts +165 -237
- package/src/interfaces/http/http-server.ts +5 -5
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +2 -2
- package/swagger.json +5 -5
|
@@ -1016,7 +1016,7 @@ export class SafeguardManager {
|
|
|
1016
1016
|
title: "Establish and Maintain a Data Management Process",
|
|
1017
1017
|
description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1018
1018
|
implementationGroup: "IG1",
|
|
1019
|
-
assetType: ["
|
|
1019
|
+
assetType: ["Data"],
|
|
1020
1020
|
securityFunction: ["Govern"],
|
|
1021
1021
|
governanceElements: [
|
|
1022
1022
|
"Establish",
|
|
@@ -1024,20 +1024,15 @@ export class SafeguardManager {
|
|
|
1024
1024
|
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1025
1025
|
],
|
|
1026
1026
|
coreRequirements: [
|
|
1027
|
-
"documented data management process"
|
|
1028
|
-
"address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise"
|
|
1027
|
+
"documented data management process"
|
|
1029
1028
|
],
|
|
1030
1029
|
subTaxonomicalElements: [
|
|
1031
|
-
"Documented Data management process",
|
|
1032
1030
|
"Data Sensitivity",
|
|
1033
1031
|
"Data Owner",
|
|
1034
1032
|
"Data Handling",
|
|
1035
1033
|
"Data Retention Limits",
|
|
1036
1034
|
"Disposal Requirements",
|
|
1037
|
-
"Retention Standards"
|
|
1038
|
-
"Review and update documentation",
|
|
1039
|
-
"Annually",
|
|
1040
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1035
|
+
"Retention Standards"
|
|
1041
1036
|
],
|
|
1042
1037
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1043
1038
|
],
|
|
@@ -1093,7 +1088,7 @@ export class SafeguardManager {
|
|
|
1093
1088
|
title: "Establish and Maintain a Data Inventory",
|
|
1094
1089
|
description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
|
|
1095
1090
|
implementationGroup: "IG1",
|
|
1096
|
-
assetType: ["
|
|
1091
|
+
assetType: ["Data"],
|
|
1097
1092
|
securityFunction: ["Identify"],
|
|
1098
1093
|
governanceElements: [
|
|
1099
1094
|
"Establish",
|
|
@@ -1101,16 +1096,11 @@ export class SafeguardManager {
|
|
|
1101
1096
|
"Review and update inventory annually, at a minimum, with a priority on sensitive data"
|
|
1102
1097
|
],
|
|
1103
1098
|
coreRequirements: [
|
|
1104
|
-
"data inventory
|
|
1105
|
-
"inventory sensitive data, at a minimum"
|
|
1099
|
+
"data inventory"
|
|
1106
1100
|
],
|
|
1107
1101
|
subTaxonomicalElements: [
|
|
1108
|
-
"Data Inventory",
|
|
1109
1102
|
"Based on Data Management process",
|
|
1110
|
-
"Sensitive Data at a Minimum"
|
|
1111
|
-
"Review and update inventory",
|
|
1112
|
-
"Annually, at a minimum",
|
|
1113
|
-
"Priority on sensitive data"
|
|
1103
|
+
"Sensitive Data at a Minimum"
|
|
1114
1104
|
],
|
|
1115
1105
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1116
1106
|
],
|
|
@@ -1166,14 +1156,13 @@ export class SafeguardManager {
|
|
|
1166
1156
|
title: "Configure Data Access Control Lists",
|
|
1167
1157
|
description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
|
|
1168
1158
|
implementationGroup: "IG1",
|
|
1169
|
-
assetType: ["
|
|
1159
|
+
assetType: ["Data"],
|
|
1170
1160
|
securityFunction: ["Protect"],
|
|
1171
1161
|
governanceElements: [
|
|
1172
|
-
"Configure"
|
|
1173
|
-
"Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications"
|
|
1162
|
+
"Configure"
|
|
1174
1163
|
],
|
|
1175
1164
|
coreRequirements: [
|
|
1176
|
-
"data access control lists
|
|
1165
|
+
"data access control lists"
|
|
1177
1166
|
],
|
|
1178
1167
|
subTaxonomicalElements: [
|
|
1179
1168
|
"Data Access control lists",
|
|
@@ -1238,7 +1227,7 @@ export class SafeguardManager {
|
|
|
1238
1227
|
title: "Enforce Data Retention",
|
|
1239
1228
|
description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
|
|
1240
1229
|
implementationGroup: "IG1",
|
|
1241
|
-
assetType: ["
|
|
1230
|
+
assetType: ["Data"],
|
|
1242
1231
|
securityFunction: ["Protect"],
|
|
1243
1232
|
governanceElements: [
|
|
1244
1233
|
"Retain",
|
|
@@ -1251,7 +1240,6 @@ export class SafeguardManager {
|
|
|
1251
1240
|
],
|
|
1252
1241
|
subTaxonomicalElements: [
|
|
1253
1242
|
"Data Retention",
|
|
1254
|
-
"Must Include",
|
|
1255
1243
|
"Minimum Timelines",
|
|
1256
1244
|
"Maximum timelines"
|
|
1257
1245
|
],
|
|
@@ -1309,19 +1297,17 @@ export class SafeguardManager {
|
|
|
1309
1297
|
title: "Securely Dispose of Data",
|
|
1310
1298
|
description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
|
|
1311
1299
|
implementationGroup: "IG1",
|
|
1312
|
-
assetType: ["
|
|
1300
|
+
assetType: ["Data"],
|
|
1313
1301
|
securityFunction: ["Protect"],
|
|
1314
1302
|
governanceElements: [
|
|
1315
|
-
"
|
|
1303
|
+
"Disposal process and method are commensurate with the data sensitivity",
|
|
1316
1304
|
"Ensure"
|
|
1317
1305
|
],
|
|
1318
1306
|
coreRequirements: [
|
|
1319
|
-
"
|
|
1320
|
-
"the disposal process and method are commensurate with the data sensitivity"
|
|
1307
|
+
"Securely Dispose of Data"
|
|
1321
1308
|
],
|
|
1322
1309
|
subTaxonomicalElements: [
|
|
1323
|
-
"Securely dispose of
|
|
1324
|
-
"Disposal process and method are commensurate with the data sensitivity"
|
|
1310
|
+
"Securely dispose of Data"
|
|
1325
1311
|
],
|
|
1326
1312
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1327
1313
|
],
|
|
@@ -1377,17 +1363,17 @@ export class SafeguardManager {
|
|
|
1377
1363
|
title: "Encrypt Data on End-User Devices",
|
|
1378
1364
|
description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
|
|
1379
1365
|
implementationGroup: "IG1",
|
|
1380
|
-
assetType: ["
|
|
1366
|
+
assetType: ["Data"],
|
|
1381
1367
|
securityFunction: ["Protect"],
|
|
1382
1368
|
governanceElements: [
|
|
1383
1369
|
"Encrypt"
|
|
1384
1370
|
],
|
|
1385
1371
|
coreRequirements: [
|
|
1386
|
-
"data on end-user devices
|
|
1372
|
+
"data on end-user devices"
|
|
1387
1373
|
],
|
|
1388
1374
|
subTaxonomicalElements: [
|
|
1389
1375
|
"Data on end-user devices",
|
|
1390
|
-
"Sensitive data"
|
|
1376
|
+
"that contain Sensitive data"
|
|
1391
1377
|
],
|
|
1392
1378
|
implementationSuggestions: [
|
|
1393
1379
|
"Windows Bitlocker",
|
|
@@ -1446,7 +1432,7 @@ export class SafeguardManager {
|
|
|
1446
1432
|
title: "Establish and Maintain a Data Classification Scheme",
|
|
1447
1433
|
description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1448
1434
|
implementationGroup: "IG2",
|
|
1449
|
-
assetType: ["
|
|
1435
|
+
assetType: ["Data"],
|
|
1450
1436
|
securityFunction: ["Identify"],
|
|
1451
1437
|
governanceElements: [
|
|
1452
1438
|
"Establish",
|
|
@@ -1454,15 +1440,10 @@ export class SafeguardManager {
|
|
|
1454
1440
|
"Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1455
1441
|
],
|
|
1456
1442
|
coreRequirements: [
|
|
1457
|
-
"
|
|
1458
|
-
"classify their data according to those labels"
|
|
1443
|
+
"data classification scheme"
|
|
1459
1444
|
],
|
|
1460
1445
|
subTaxonomicalElements: [
|
|
1461
|
-
"
|
|
1462
|
-
"Classify their data according to labels",
|
|
1463
|
-
"Review and update classification scheme",
|
|
1464
|
-
"Annually",
|
|
1465
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1446
|
+
"Classify their data according to labels"
|
|
1466
1447
|
],
|
|
1467
1448
|
implementationSuggestions: [
|
|
1468
1449
|
"Sensitive",
|
|
@@ -1521,27 +1502,19 @@ export class SafeguardManager {
|
|
|
1521
1502
|
title: "Document Data Flows",
|
|
1522
1503
|
description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1523
1504
|
implementationGroup: "IG2",
|
|
1524
|
-
assetType: ["
|
|
1505
|
+
assetType: ["Data"],
|
|
1525
1506
|
securityFunction: ["Identify"],
|
|
1526
1507
|
governanceElements: [
|
|
1527
|
-
"Document data flows"
|
|
1528
|
-
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1508
|
+
"Document data flows"
|
|
1529
1509
|
],
|
|
1530
1510
|
coreRequirements: [
|
|
1531
|
-
"Data
|
|
1511
|
+
"Document Data Flows"
|
|
1532
1512
|
],
|
|
1533
1513
|
subTaxonomicalElements: [
|
|
1534
|
-
"Document data flows",
|
|
1535
1514
|
"Enterprise Data Flows",
|
|
1536
|
-
"Service Provider Data Flows"
|
|
1537
|
-
"Review and update documentation",
|
|
1538
|
-
"Annually",
|
|
1539
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1515
|
+
"Service Provider Data Flows"
|
|
1540
1516
|
],
|
|
1541
|
-
implementationSuggestions: [
|
|
1542
|
-
"Data management systems",
|
|
1543
|
-
"Data flow mapping tools",
|
|
1544
|
-
"Service provider documentation"
|
|
1517
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1545
1518
|
],
|
|
1546
1519
|
relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"],
|
|
1547
1520
|
systemPromptFull: {
|
|
@@ -1595,16 +1568,16 @@ export class SafeguardManager {
|
|
|
1595
1568
|
title: "Encrypt Data on Removable Media",
|
|
1596
1569
|
description: "Encrypt Data on Removable Media",
|
|
1597
1570
|
implementationGroup: "IG2",
|
|
1598
|
-
assetType: ["
|
|
1571
|
+
assetType: ["Data"],
|
|
1599
1572
|
securityFunction: ["Protect"],
|
|
1600
1573
|
governanceElements: [
|
|
1601
|
-
"Encrypt
|
|
1574
|
+
"Encrypt"
|
|
1602
1575
|
],
|
|
1603
|
-
coreRequirements: [
|
|
1576
|
+
coreRequirements: [
|
|
1577
|
+
"Encrypt Data on Removable Media"
|
|
1604
1578
|
],
|
|
1605
1579
|
subTaxonomicalElements: [
|
|
1606
1580
|
"Data on Removable Media",
|
|
1607
|
-
"Maintain"
|
|
1608
1581
|
],
|
|
1609
1582
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1610
1583
|
],
|
|
@@ -1660,13 +1633,13 @@ export class SafeguardManager {
|
|
|
1660
1633
|
title: "Encrypt Sensitive Data in Transit",
|
|
1661
1634
|
description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
|
|
1662
1635
|
implementationGroup: "IG2",
|
|
1663
|
-
assetType: ["
|
|
1636
|
+
assetType: ["Data"],
|
|
1664
1637
|
securityFunction: ["Protect"],
|
|
1665
1638
|
governanceElements: [
|
|
1666
1639
|
"Encrypt"
|
|
1667
1640
|
],
|
|
1668
1641
|
coreRequirements: [
|
|
1669
|
-
"sensitive data in transit"
|
|
1642
|
+
"Encrypt sensitive data in transit"
|
|
1670
1643
|
],
|
|
1671
1644
|
subTaxonomicalElements: [
|
|
1672
1645
|
"Sensitive data in transit"
|
|
@@ -1727,23 +1700,21 @@ export class SafeguardManager {
|
|
|
1727
1700
|
title: "Encrypt Sensitive Data at Rest",
|
|
1728
1701
|
description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
|
|
1729
1702
|
implementationGroup: "IG2",
|
|
1730
|
-
assetType: ["
|
|
1703
|
+
assetType: ["Data"],
|
|
1731
1704
|
securityFunction: ["Protect"],
|
|
1732
1705
|
governanceElements: [
|
|
1733
1706
|
"Encrypt",
|
|
1734
|
-
"
|
|
1707
|
+
"Minimum Requirement"
|
|
1735
1708
|
],
|
|
1736
1709
|
coreRequirements: [
|
|
1737
|
-
"sensitive data at rest
|
|
1738
|
-
"Storage-layer encryption, also known as server-side encryption"
|
|
1710
|
+
"Encrypt sensitive data at rest"
|
|
1739
1711
|
],
|
|
1740
1712
|
subTaxonomicalElements: [
|
|
1741
|
-
"
|
|
1713
|
+
"Sensitive Data At Rest",
|
|
1742
1714
|
"Servers",
|
|
1743
|
-
"
|
|
1715
|
+
"Applications",
|
|
1744
1716
|
"Databases",
|
|
1745
|
-
"Storage Layer (server side) encryption"
|
|
1746
|
-
"Minimum Requirement"
|
|
1717
|
+
"Storage Layer (server side) encryption"
|
|
1747
1718
|
],
|
|
1748
1719
|
implementationSuggestions: [
|
|
1749
1720
|
"Application layer (client-side) encryption",
|
|
@@ -1801,19 +1772,17 @@ export class SafeguardManager {
|
|
|
1801
1772
|
title: "Segment Data Processing and Storage Based on Sensitivity",
|
|
1802
1773
|
description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
|
|
1803
1774
|
implementationGroup: "IG2",
|
|
1804
|
-
assetType: ["
|
|
1775
|
+
assetType: ["Data"],
|
|
1805
1776
|
securityFunction: ["Protect"],
|
|
1806
1777
|
governanceElements: [
|
|
1807
|
-
"Segment data processing and storage based on the sensitivity of the data",
|
|
1808
1778
|
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
1809
1779
|
],
|
|
1810
|
-
coreRequirements: [
|
|
1780
|
+
coreRequirements: [
|
|
1781
|
+
"Segment Data Processing",
|
|
1782
|
+
"Segment Data Storage",
|
|
1783
|
+
"Based on Sensitivity"
|
|
1811
1784
|
],
|
|
1812
|
-
subTaxonomicalElements: [
|
|
1813
|
-
"Based on the sensitivity of data",
|
|
1814
|
-
"Segment data processing (compute)",
|
|
1815
|
-
"Segment Storage",
|
|
1816
|
-
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
1785
|
+
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1817
1786
|
],
|
|
1818
1787
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1819
1788
|
],
|
|
@@ -1869,17 +1838,15 @@ export class SafeguardManager {
|
|
|
1869
1838
|
title: "Deploy a Data Loss Prevention Solution",
|
|
1870
1839
|
description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
|
|
1871
1840
|
implementationGroup: "IG3",
|
|
1872
|
-
assetType: ["
|
|
1841
|
+
assetType: ["Data"],
|
|
1873
1842
|
securityFunction: ["Protect"],
|
|
1874
1843
|
governanceElements: [
|
|
1875
|
-
"Implement"
|
|
1876
|
-
"Update Data Inventory"
|
|
1844
|
+
"Implement"
|
|
1877
1845
|
],
|
|
1878
1846
|
coreRequirements: [
|
|
1879
|
-
"automated tool to identify all sensitive data
|
|
1847
|
+
"automated tool to identify all sensitive data"
|
|
1880
1848
|
],
|
|
1881
1849
|
subTaxonomicalElements: [
|
|
1882
|
-
"Automated DLP Tool",
|
|
1883
1850
|
"Identify all sensitive Data",
|
|
1884
1851
|
"Stored",
|
|
1885
1852
|
"Processed",
|
|
@@ -1943,19 +1910,15 @@ export class SafeguardManager {
|
|
|
1943
1910
|
title: "Log Sensitive Data Access",
|
|
1944
1911
|
description: "Log sensitive data access, including modification and disposal.",
|
|
1945
1912
|
implementationGroup: "IG3",
|
|
1946
|
-
assetType: ["
|
|
1913
|
+
assetType: ["Data"],
|
|
1947
1914
|
securityFunction: ["Detect"],
|
|
1948
1915
|
governanceElements: [
|
|
1949
1916
|
"Log"
|
|
1950
1917
|
],
|
|
1951
1918
|
coreRequirements: [
|
|
1952
|
-
"sensitive data access, including modification and disposal"
|
|
1919
|
+
"Log sensitive data access, including modification and disposal"
|
|
1953
1920
|
],
|
|
1954
|
-
subTaxonomicalElements: [
|
|
1955
|
-
"Sensitive Data access",
|
|
1956
|
-
"Access",
|
|
1957
|
-
"Modification",
|
|
1958
|
-
"Disposal"
|
|
1921
|
+
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1959
1922
|
],
|
|
1960
1923
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1961
1924
|
],
|
|
@@ -2011,19 +1974,17 @@ export class SafeguardManager {
|
|
|
2011
1974
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
2012
1975
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2013
1976
|
implementationGroup: "IG1",
|
|
2014
|
-
assetType: ["
|
|
1977
|
+
assetType: ["Docuemntation"],
|
|
2015
1978
|
securityFunction: ["Govern"],
|
|
2016
1979
|
governanceElements: [
|
|
2017
1980
|
"Establish",
|
|
2018
1981
|
"Maintain",
|
|
2019
|
-
"Documented Secure Configuration Process",
|
|
2020
1982
|
"Review and update documentation",
|
|
2021
1983
|
"Annually",
|
|
2022
1984
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2023
1985
|
],
|
|
2024
1986
|
coreRequirements: [
|
|
2025
|
-
"documented secure configuration process
|
|
2026
|
-
"documented secure configuration process for software"
|
|
1987
|
+
"documented secure configuration process"
|
|
2027
1988
|
],
|
|
2028
1989
|
subTaxonomicalElements: [
|
|
2029
1990
|
"Enterprise assets",
|
|
@@ -2033,12 +1994,9 @@ export class SafeguardManager {
|
|
|
2033
1994
|
"Portable",
|
|
2034
1995
|
"Non-computing/IoT devices",
|
|
2035
1996
|
"Servers",
|
|
2036
|
-
"OS"
|
|
2037
|
-
"Software"
|
|
1997
|
+
"OS"
|
|
2038
1998
|
],
|
|
2039
|
-
implementationSuggestions: [
|
|
2040
|
-
"Secure Configuration Policy / Process",
|
|
2041
|
-
"Configuration Management Tool"
|
|
1999
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2042
2000
|
],
|
|
2043
2001
|
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
|
|
2044
2002
|
systemPromptFull: {
|
|
@@ -2092,25 +2050,22 @@ export class SafeguardManager {
|
|
|
2092
2050
|
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
2093
2051
|
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2094
2052
|
implementationGroup: "IG1",
|
|
2095
|
-
assetType: ["
|
|
2053
|
+
assetType: ["Documentation"],
|
|
2096
2054
|
securityFunction: ["Govern"],
|
|
2097
2055
|
governanceElements: [
|
|
2098
2056
|
"Establish",
|
|
2099
2057
|
"Maintain",
|
|
2100
|
-
"Documented Secure Network Configuration Process",
|
|
2101
2058
|
"Review and update documentation",
|
|
2102
2059
|
"Annually",
|
|
2103
2060
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2104
2061
|
],
|
|
2105
2062
|
coreRequirements: [
|
|
2106
|
-
"documented secure configuration process
|
|
2063
|
+
"documented secure configuration process"
|
|
2107
2064
|
],
|
|
2108
2065
|
subTaxonomicalElements: [
|
|
2109
2066
|
"Network devices"
|
|
2110
2067
|
],
|
|
2111
|
-
implementationSuggestions: [
|
|
2112
|
-
"Secure Configuration Policy / Process",
|
|
2113
|
-
"Configuration Management Tool"
|
|
2068
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2114
2069
|
],
|
|
2115
2070
|
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
|
|
2116
2071
|
systemPromptFull: {
|
|
@@ -2164,7 +2119,7 @@ export class SafeguardManager {
|
|
|
2164
2119
|
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
2165
2120
|
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
2166
2121
|
implementationGroup: "IG1",
|
|
2167
|
-
assetType: ["
|
|
2122
|
+
assetType: ["Devices"],
|
|
2168
2123
|
securityFunction: ["Protect"],
|
|
2169
2124
|
governanceElements: [
|
|
2170
2125
|
"Configure",
|
|
@@ -2172,18 +2127,14 @@ export class SafeguardManager {
|
|
|
2172
2127
|
"Period must not exceed for 2 Minutes"
|
|
2173
2128
|
],
|
|
2174
2129
|
coreRequirements: [
|
|
2175
|
-
"automatic session locking on enterprise assets
|
|
2176
|
-
"general purpose operating systems",
|
|
2177
|
-
"mobile end-user devices"
|
|
2130
|
+
"automatic session locking on enterprise assets"
|
|
2178
2131
|
],
|
|
2179
2132
|
subTaxonomicalElements: [
|
|
2180
|
-
"Automatic Session Locking",
|
|
2181
2133
|
"Period of inactivity",
|
|
2182
2134
|
"General Purpose OSs",
|
|
2183
2135
|
"Mobile end-user devices"
|
|
2184
2136
|
],
|
|
2185
|
-
implementationSuggestions: [
|
|
2186
|
-
"Configuration Management Tool"
|
|
2137
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2187
2138
|
],
|
|
2188
2139
|
relatedSafeguards: ["4.1"],
|
|
2189
2140
|
systemPromptFull: {
|
|
@@ -2237,7 +2188,7 @@ export class SafeguardManager {
|
|
|
2237
2188
|
title: "Implement and Manage a Firewall on Servers",
|
|
2238
2189
|
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
2239
2190
|
implementationGroup: "IG1",
|
|
2240
|
-
assetType: ["
|
|
2191
|
+
assetType: ["Devices"],
|
|
2241
2192
|
securityFunction: ["Protect"],
|
|
2242
2193
|
governanceElements: [
|
|
2243
2194
|
"Implement",
|
|
@@ -2254,8 +2205,6 @@ export class SafeguardManager {
|
|
|
2254
2205
|
"Virtual Firewall",
|
|
2255
2206
|
"OS Firewall",
|
|
2256
2207
|
"Third Party Firewall",
|
|
2257
|
-
"Firewall",
|
|
2258
|
-
"Configuration Management Tool"
|
|
2259
2208
|
],
|
|
2260
2209
|
relatedSafeguards: ["4.1"],
|
|
2261
2210
|
systemPromptFull: {
|
|
@@ -2309,21 +2258,18 @@ export class SafeguardManager {
|
|
|
2309
2258
|
title: "Implement and Manage a Firewall on End-User Devices",
|
|
2310
2259
|
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
2311
2260
|
implementationGroup: "IG1",
|
|
2312
|
-
assetType: ["
|
|
2261
|
+
assetType: ["Devices"],
|
|
2313
2262
|
securityFunction: ["Protect"],
|
|
2314
2263
|
governanceElements: [
|
|
2315
2264
|
"Implement",
|
|
2316
|
-
"Manage"
|
|
2317
|
-
"Default deny rule that drops all traffic",
|
|
2318
|
-
"Except Explicitly Allowed"
|
|
2265
|
+
"Manage"
|
|
2319
2266
|
],
|
|
2320
2267
|
coreRequirements: [
|
|
2321
2268
|
"host-based firewall or port-filtering tool on end-user devices"
|
|
2322
2269
|
],
|
|
2323
2270
|
subTaxonomicalElements: [
|
|
2324
|
-
"
|
|
2325
|
-
"
|
|
2326
|
-
"End User Devices",
|
|
2271
|
+
"Default Deny Rule that drops all traffic",
|
|
2272
|
+
"Except Explicitly Allowed",
|
|
2327
2273
|
"Services",
|
|
2328
2274
|
"Ports"
|
|
2329
2275
|
],
|
|
@@ -2383,7 +2329,7 @@ export class SafeguardManager {
|
|
|
2383
2329
|
title: "Securely Manage Enterprise Assets and Software",
|
|
2384
2330
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
2385
2331
|
implementationGroup: "IG1",
|
|
2386
|
-
assetType: ["
|
|
2332
|
+
assetType: ["Devices"],
|
|
2387
2333
|
securityFunction: ["Protect"],
|
|
2388
2334
|
governanceElements: [
|
|
2389
2335
|
"Do not use insecure management protocols",
|
|
@@ -2393,16 +2339,14 @@ export class SafeguardManager {
|
|
|
2393
2339
|
"Securely manage enterprise assets and software"
|
|
2394
2340
|
],
|
|
2395
2341
|
subTaxonomicalElements: [
|
|
2396
|
-
"Securely manage enterprise assets and software"
|
|
2342
|
+
"Securely manage enterprise assets and software",
|
|
2343
|
+
"Do not use insecure management protocols unless operationally essential"
|
|
2397
2344
|
],
|
|
2398
2345
|
implementationSuggestions: [
|
|
2399
2346
|
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
2400
2347
|
"Accessing administrative interfaces over secure network protocols",
|
|
2401
|
-
"SSH",
|
|
2402
|
-
"HTTPS",
|
|
2403
|
-
"Telnet (Teletype Network)",
|
|
2404
|
-
"HTTP",
|
|
2405
|
-
"Configuration Management Tool"
|
|
2348
|
+
"SSH instead of TELNET",
|
|
2349
|
+
"HTTPS instead of HTTP",
|
|
2406
2350
|
],
|
|
2407
2351
|
relatedSafeguards: ["4.1", "12.3"],
|
|
2408
2352
|
systemPromptFull: {
|
|
@@ -2456,26 +2400,22 @@ export class SafeguardManager {
|
|
|
2456
2400
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
2457
2401
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
2458
2402
|
implementationGroup: "IG1",
|
|
2459
|
-
assetType: ["
|
|
2403
|
+
assetType: ["Users"],
|
|
2460
2404
|
securityFunction: ["Protect"],
|
|
2461
2405
|
governanceElements: [
|
|
2462
2406
|
"Manage"
|
|
2463
2407
|
],
|
|
2464
2408
|
coreRequirements: [
|
|
2465
|
-
"default accounts
|
|
2409
|
+
"default accounts"
|
|
2466
2410
|
],
|
|
2467
2411
|
subTaxonomicalElements: [
|
|
2468
|
-
"Default accounts",
|
|
2469
2412
|
"Enterprise assets",
|
|
2470
|
-
"Software"
|
|
2471
|
-
"Root",
|
|
2472
|
-
"Administrator",
|
|
2473
|
-
"Other pre-configured vendor accounts"
|
|
2413
|
+
"Software"
|
|
2474
2414
|
],
|
|
2475
2415
|
implementationSuggestions: [
|
|
2476
|
-
"Disabling",
|
|
2477
|
-
"Unusable",
|
|
2478
|
-
"
|
|
2416
|
+
"Disabling them",
|
|
2417
|
+
"making them Unusable",
|
|
2418
|
+
"Root, Administrator, or other pre-configured vendor accounts"
|
|
2479
2419
|
],
|
|
2480
2420
|
relatedSafeguards: ["4.1"],
|
|
2481
2421
|
systemPromptFull: {
|
|
@@ -2529,25 +2469,23 @@ export class SafeguardManager {
|
|
|
2529
2469
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
2530
2470
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
2531
2471
|
implementationGroup: "IG2",
|
|
2532
|
-
assetType: ["
|
|
2472
|
+
assetType: ["Devices", "Software"],
|
|
2533
2473
|
securityFunction: ["Protect"],
|
|
2534
2474
|
governanceElements: [
|
|
2535
2475
|
"Uninstall",
|
|
2536
2476
|
"Disable"
|
|
2537
2477
|
],
|
|
2538
2478
|
coreRequirements: [
|
|
2539
|
-
"unnecessary services
|
|
2479
|
+
"unnecessary services"
|
|
2540
2480
|
],
|
|
2541
2481
|
subTaxonomicalElements: [
|
|
2542
|
-
"Unnecessary Services",
|
|
2543
2482
|
"Enterprise assets",
|
|
2544
|
-
"Software"
|
|
2545
|
-
"Unused file sharing service",
|
|
2546
|
-
"Web application module",
|
|
2547
|
-
"Service function"
|
|
2483
|
+
"Software"
|
|
2548
2484
|
],
|
|
2549
2485
|
implementationSuggestions: [
|
|
2550
|
-
"
|
|
2486
|
+
"Unused File Sharing Services",
|
|
2487
|
+
"Web Application Module",
|
|
2488
|
+
"Service Function"
|
|
2551
2489
|
],
|
|
2552
2490
|
relatedSafeguards: ["4.1"],
|
|
2553
2491
|
systemPromptFull: {
|
|
@@ -2601,22 +2539,20 @@ export class SafeguardManager {
|
|
|
2601
2539
|
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
2602
2540
|
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
2603
2541
|
implementationGroup: "IG2",
|
|
2604
|
-
assetType: ["
|
|
2542
|
+
assetType: ["Devices"],
|
|
2605
2543
|
securityFunction: ["Protect"],
|
|
2606
2544
|
governanceElements: [
|
|
2607
2545
|
"Configure"
|
|
2608
2546
|
],
|
|
2609
2547
|
coreRequirements: [
|
|
2610
|
-
"trusted DNS servers
|
|
2548
|
+
"trusted DNS servers"
|
|
2611
2549
|
],
|
|
2612
2550
|
subTaxonomicalElements: [
|
|
2613
|
-
"Trusted DNS Servers",
|
|
2614
2551
|
"Enterprise assets"
|
|
2615
2552
|
],
|
|
2616
2553
|
implementationSuggestions: [
|
|
2617
2554
|
"Configuring assets to use enterprise-controlled DNS servers",
|
|
2618
|
-
"Reputable externally accessible DNS servers"
|
|
2619
|
-
"Configuration Management Tool"
|
|
2555
|
+
"Reputable externally accessible DNS servers"
|
|
2620
2556
|
],
|
|
2621
2557
|
relatedSafeguards: ["4.1", "8.6", "9.2"],
|
|
2622
2558
|
systemPromptFull: {
|
|
@@ -2670,7 +2606,7 @@ export class SafeguardManager {
|
|
|
2670
2606
|
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
2671
2607
|
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
2672
2608
|
implementationGroup: "IG2",
|
|
2673
|
-
assetType: ["
|
|
2609
|
+
assetType: ["Devices"],
|
|
2674
2610
|
securityFunction: ["Protect"],
|
|
2675
2611
|
governanceElements: [
|
|
2676
2612
|
"Enforce",
|
|
@@ -2679,14 +2615,13 @@ export class SafeguardManager {
|
|
|
2679
2615
|
"No more than 10 Failed Authentication Attempts"
|
|
2680
2616
|
],
|
|
2681
2617
|
coreRequirements: [
|
|
2682
|
-
"automatic device lockout
|
|
2618
|
+
"automatic device lockout"
|
|
2683
2619
|
],
|
|
2684
2620
|
subTaxonomicalElements: [
|
|
2685
|
-
"
|
|
2686
|
-
"
|
|
2687
|
-
"
|
|
2688
|
-
"
|
|
2689
|
-
"Tablets and smartphones"
|
|
2621
|
+
"After a Predetermined threshold of local failed authentication attempts",
|
|
2622
|
+
"On Portable end-user devices",
|
|
2623
|
+
"Such as Laptops",
|
|
2624
|
+
"Such as Tablets and smartphones"
|
|
2690
2625
|
],
|
|
2691
2626
|
implementationSuggestions: [
|
|
2692
2627
|
"Microsoft® InTune Device Lock",
|
|
@@ -2745,24 +2680,22 @@ export class SafeguardManager {
|
|
|
2745
2680
|
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
2746
2681
|
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
2747
2682
|
implementationGroup: "IG2",
|
|
2748
|
-
assetType: ["
|
|
2683
|
+
assetType: ["Devices"],
|
|
2749
2684
|
securityFunction: ["Protect"],
|
|
2750
2685
|
governanceElements: [
|
|
2751
2686
|
"When deemed appropriate"
|
|
2752
2687
|
],
|
|
2753
2688
|
coreRequirements: [
|
|
2754
|
-
"Remotely wipe enterprise data
|
|
2689
|
+
"Remotely wipe enterprise data"
|
|
2755
2690
|
],
|
|
2756
2691
|
subTaxonomicalElements: [
|
|
2757
|
-
"
|
|
2758
|
-
|
|
2692
|
+
"Portable end-user devices"
|
|
2693
|
+
],
|
|
2694
|
+
implementationSuggestions: [
|
|
2759
2695
|
"Lost devices",
|
|
2760
2696
|
"Stolen devices",
|
|
2761
2697
|
"When an individual no longer supports the enterprise"
|
|
2762
2698
|
],
|
|
2763
|
-
implementationSuggestions: [
|
|
2764
|
-
"Configuration Management Tool"
|
|
2765
|
-
],
|
|
2766
2699
|
relatedSafeguards: ["4.1"],
|
|
2767
2700
|
systemPromptFull: {
|
|
2768
2701
|
role: "Vendor Description Assistant and expert on CIS Controls",
|
|
@@ -2815,7 +2748,7 @@ export class SafeguardManager {
|
|
|
2815
2748
|
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
2816
2749
|
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
2817
2750
|
implementationGroup: "IG3",
|
|
2818
|
-
assetType: ["
|
|
2751
|
+
assetType: ["Data"],
|
|
2819
2752
|
securityFunction: ["Protect"],
|
|
2820
2753
|
governanceElements: [
|
|
2821
2754
|
"Ensure",
|
|
@@ -2825,17 +2758,12 @@ export class SafeguardManager {
|
|
|
2825
2758
|
"separate enterprise workspaces are used on mobile end-user devices"
|
|
2826
2759
|
],
|
|
2827
2760
|
subTaxonomicalElements: [
|
|
2828
|
-
"
|
|
2829
|
-
"
|
|
2830
|
-
"Enterprise Applications",
|
|
2831
|
-
"Enterprise Data",
|
|
2832
|
-
"Personal Applications",
|
|
2833
|
-
"Personal Data"
|
|
2761
|
+
"Enterprise Applications and Enterprise Data",
|
|
2762
|
+
"Seperate from Personal Applications and Personal Data"
|
|
2834
2763
|
],
|
|
2835
2764
|
implementationSuggestions: [
|
|
2836
2765
|
"Apple® Configuration Profile",
|
|
2837
|
-
"AndroidTM Work Profile"
|
|
2838
|
-
"Configuration Management Tool"
|
|
2766
|
+
"AndroidTM Work Profile"
|
|
2839
2767
|
],
|
|
2840
2768
|
relatedSafeguards: ["4.1"],
|
|
2841
2769
|
systemPromptFull: {
|
|
@@ -2889,7 +2817,7 @@ export class SafeguardManager {
|
|
|
2889
2817
|
title: "Establish and Maintain an Inventory of Accounts",
|
|
2890
2818
|
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
2891
2819
|
implementationGroup: "IG1",
|
|
2892
|
-
assetType: ["
|
|
2820
|
+
assetType: ["Users"],
|
|
2893
2821
|
securityFunction: ["Identify"],
|
|
2894
2822
|
governanceElements: [
|
|
2895
2823
|
"Establish and maintain an inventory of all accounts managed in the enterprise",
|
|
@@ -2972,7 +2900,7 @@ export class SafeguardManager {
|
|
|
2972
2900
|
title: "Use Unique Passwords",
|
|
2973
2901
|
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
2974
2902
|
implementationGroup: "IG1",
|
|
2975
|
-
assetType: ["
|
|
2903
|
+
assetType: ["Users"],
|
|
2976
2904
|
securityFunction: ["Protect"],
|
|
2977
2905
|
governanceElements: [
|
|
2978
2906
|
"Use unique passwords for all enterprise assets",
|
|
@@ -3044,7 +2972,7 @@ export class SafeguardManager {
|
|
|
3044
2972
|
title: "Disable Dormant Accounts",
|
|
3045
2973
|
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
3046
2974
|
implementationGroup: "IG1",
|
|
3047
|
-
assetType: ["
|
|
2975
|
+
assetType: ["Users"],
|
|
3048
2976
|
securityFunction: ["Protect"],
|
|
3049
2977
|
governanceElements: [
|
|
3050
2978
|
"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
|
|
@@ -3114,7 +3042,7 @@ export class SafeguardManager {
|
|
|
3114
3042
|
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
3115
3043
|
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
3116
3044
|
implementationGroup: "IG1",
|
|
3117
|
-
assetType: ["
|
|
3045
|
+
assetType: ["Users"],
|
|
3118
3046
|
securityFunction: ["Protect"],
|
|
3119
3047
|
governanceElements: [
|
|
3120
3048
|
"Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
|
|
@@ -3190,7 +3118,7 @@ export class SafeguardManager {
|
|
|
3190
3118
|
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
3191
3119
|
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
3192
3120
|
implementationGroup: "IG2",
|
|
3193
|
-
assetType: ["
|
|
3121
|
+
assetType: ["Users"],
|
|
3194
3122
|
securityFunction: ["Identify"],
|
|
3195
3123
|
governanceElements: [
|
|
3196
3124
|
"Establish and maintain an inventory of service accounts",
|
|
@@ -3269,7 +3197,7 @@ export class SafeguardManager {
|
|
|
3269
3197
|
title: "Centralize Account Management",
|
|
3270
3198
|
description: "Centralize account management through a directory or identity service.",
|
|
3271
3199
|
implementationGroup: "IG2",
|
|
3272
|
-
assetType: ["
|
|
3200
|
+
assetType: ["Users"],
|
|
3273
3201
|
securityFunction: ["Govern"],
|
|
3274
3202
|
governanceElements: [
|
|
3275
3203
|
"Centralize account management through a directory or identity service"
|
|
@@ -3339,7 +3267,7 @@ export class SafeguardManager {
|
|
|
3339
3267
|
title: "Establish an Access Granting Process",
|
|
3340
3268
|
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
3341
3269
|
implementationGroup: "IG1",
|
|
3342
|
-
assetType: ["
|
|
3270
|
+
assetType: ["Users"],
|
|
3343
3271
|
securityFunction: ["Govern"],
|
|
3344
3272
|
governanceElements: [
|
|
3345
3273
|
"Establish",
|
|
@@ -3416,7 +3344,7 @@ export class SafeguardManager {
|
|
|
3416
3344
|
title: "Establish an Access Revoking Process",
|
|
3417
3345
|
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
3418
3346
|
implementationGroup: "IG1",
|
|
3419
|
-
assetType: ["
|
|
3347
|
+
assetType: ["Users"],
|
|
3420
3348
|
securityFunction: ["Govern"],
|
|
3421
3349
|
governanceElements: [
|
|
3422
3350
|
"Establish",
|
|
@@ -3498,7 +3426,7 @@ export class SafeguardManager {
|
|
|
3498
3426
|
title: "Require MFA for Externally-Exposed Applications",
|
|
3499
3427
|
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
3500
3428
|
implementationGroup: "IG1",
|
|
3501
|
-
assetType: ["
|
|
3429
|
+
assetType: ["Users"],
|
|
3502
3430
|
securityFunction: ["Protect"],
|
|
3503
3431
|
governanceElements: [
|
|
3504
3432
|
"Require",
|
|
@@ -3573,7 +3501,7 @@ export class SafeguardManager {
|
|
|
3573
3501
|
title: "Require MFA for Remote Network Access",
|
|
3574
3502
|
description: "Require MFA for remote network access.",
|
|
3575
3503
|
implementationGroup: "IG1",
|
|
3576
|
-
assetType: ["
|
|
3504
|
+
assetType: ["Users"],
|
|
3577
3505
|
securityFunction: ["Protect"],
|
|
3578
3506
|
governanceElements: [
|
|
3579
3507
|
"Require",
|
|
@@ -3643,7 +3571,7 @@ export class SafeguardManager {
|
|
|
3643
3571
|
title: "Require MFA for Administrative Access",
|
|
3644
3572
|
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
3645
3573
|
implementationGroup: "IG1",
|
|
3646
|
-
assetType: ["
|
|
3574
|
+
assetType: ["Users"],
|
|
3647
3575
|
securityFunction: ["Protect"],
|
|
3648
3576
|
governanceElements: [
|
|
3649
3577
|
"Require",
|
|
@@ -3796,7 +3724,7 @@ export class SafeguardManager {
|
|
|
3796
3724
|
title: "Centralize Access Control",
|
|
3797
3725
|
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
3798
3726
|
implementationGroup: "IG2",
|
|
3799
|
-
assetType: ["
|
|
3727
|
+
assetType: ["Users"],
|
|
3800
3728
|
securityFunction: ["Protect"],
|
|
3801
3729
|
governanceElements: [
|
|
3802
3730
|
"Centralize",
|
|
@@ -3874,7 +3802,7 @@ export class SafeguardManager {
|
|
|
3874
3802
|
title: "Define and Maintain Role-Based Access Control",
|
|
3875
3803
|
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
3876
3804
|
implementationGroup: "IG3",
|
|
3877
|
-
assetType: ["
|
|
3805
|
+
assetType: ["Users"],
|
|
3878
3806
|
securityFunction: ["Govern"],
|
|
3879
3807
|
governanceElements: [
|
|
3880
3808
|
"Define",
|
|
@@ -4124,7 +4052,7 @@ export class SafeguardManager {
|
|
|
4124
4052
|
title: "Perform Automated Operating System Patch Management",
|
|
4125
4053
|
description: "Perform automated operating system patch management on enterprise assets",
|
|
4126
4054
|
implementationGroup: "IG1",
|
|
4127
|
-
assetType: ["
|
|
4055
|
+
assetType: ["Devices"],
|
|
4128
4056
|
securityFunction: ["Protect"],
|
|
4129
4057
|
governanceElements: [
|
|
4130
4058
|
"perform automated OS patch management",
|
|
@@ -4288,7 +4216,7 @@ export class SafeguardManager {
|
|
|
4288
4216
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
4289
4217
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
4290
4218
|
implementationGroup: "IG2",
|
|
4291
|
-
assetType: ["
|
|
4219
|
+
assetType: ["Devices", "Software"],
|
|
4292
4220
|
securityFunction: ["Detect"],
|
|
4293
4221
|
governanceElements: [
|
|
4294
4222
|
"perform automated vulnerability scans",
|
|
@@ -4370,7 +4298,7 @@ export class SafeguardManager {
|
|
|
4370
4298
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
4371
4299
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
4372
4300
|
implementationGroup: "IG2",
|
|
4373
|
-
assetType: ["
|
|
4301
|
+
assetType: ["Devices", "Software"],
|
|
4374
4302
|
securityFunction: ["Detect"],
|
|
4375
4303
|
governanceElements: [
|
|
4376
4304
|
"perform automated vulnerability scans",
|
|
@@ -4534,7 +4462,7 @@ export class SafeguardManager {
|
|
|
4534
4462
|
title: "Establish and Maintain an Audit Log Management Process",
|
|
4535
4463
|
description: "Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
4536
4464
|
implementationGroup: "IG1",
|
|
4537
|
-
assetType: ["enterprise assets", "
|
|
4465
|
+
assetType: ["enterprise assets", "Data"],
|
|
4538
4466
|
securityFunction: ["Govern"],
|
|
4539
4467
|
governanceElements: [
|
|
4540
4468
|
"establish and maintain",
|
|
@@ -4610,7 +4538,7 @@ export class SafeguardManager {
|
|
|
4610
4538
|
title: "Collect Audit Logs",
|
|
4611
4539
|
description: "Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.",
|
|
4612
4540
|
implementationGroup: "IG1",
|
|
4613
|
-
assetType: ["enterprise assets", "
|
|
4541
|
+
assetType: ["enterprise assets", "Data"],
|
|
4614
4542
|
securityFunction: ["Detect"],
|
|
4615
4543
|
governanceElements: [
|
|
4616
4544
|
"per the enterprise's audit log management process"
|
|
@@ -4679,7 +4607,7 @@ export class SafeguardManager {
|
|
|
4679
4607
|
title: "Ensure Adequate Audit Log Storage",
|
|
4680
4608
|
description: "Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.",
|
|
4681
4609
|
implementationGroup: "IG1",
|
|
4682
|
-
assetType: ["
|
|
4610
|
+
assetType: ["Data"],
|
|
4683
4611
|
securityFunction: ["Protect"],
|
|
4684
4612
|
governanceElements: [
|
|
4685
4613
|
"comply with the enterprise's audit log management process"
|
|
@@ -4749,7 +4677,7 @@ export class SafeguardManager {
|
|
|
4749
4677
|
title: "Standardize Time Synchronization",
|
|
4750
4678
|
description: "Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.",
|
|
4751
4679
|
implementationGroup: "IG2",
|
|
4752
|
-
assetType: ["enterprise assets", "
|
|
4680
|
+
assetType: ["enterprise assets", "Data"],
|
|
4753
4681
|
securityFunction: ["Protect"],
|
|
4754
4682
|
governanceElements: [
|
|
4755
4683
|
"standardize time synchronization"
|
|
@@ -4821,7 +4749,7 @@ export class SafeguardManager {
|
|
|
4821
4749
|
title: "Collect Detailed Audit Logs",
|
|
4822
4750
|
description: "Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.",
|
|
4823
4751
|
implementationGroup: "IG2",
|
|
4824
|
-
assetType: ["enterprise assets", "
|
|
4752
|
+
assetType: ["enterprise assets", "Data"],
|
|
4825
4753
|
securityFunction: ["Detect"],
|
|
4826
4754
|
governanceElements: [
|
|
4827
4755
|
"configure detailed audit logging"
|
|
@@ -4896,7 +4824,7 @@ export class SafeguardManager {
|
|
|
4896
4824
|
title: "Collect DNS Query Audit Logs",
|
|
4897
4825
|
description: "Collect DNS query audit logs on enterprise assets, where appropriate and supported.",
|
|
4898
4826
|
implementationGroup: "IG2",
|
|
4899
|
-
assetType: ["enterprise assets", "
|
|
4827
|
+
assetType: ["enterprise assets", "Data"],
|
|
4900
4828
|
securityFunction: ["Detect"],
|
|
4901
4829
|
governanceElements: [
|
|
4902
4830
|
"where appropriate and supported"
|
|
@@ -4967,7 +4895,7 @@ export class SafeguardManager {
|
|
|
4967
4895
|
title: "Collect URL Request Audit Logs",
|
|
4968
4896
|
description: "Collect URL request audit logs on enterprise assets, where appropriate and supported.",
|
|
4969
4897
|
implementationGroup: "IG2",
|
|
4970
|
-
assetType: ["enterprise assets", "
|
|
4898
|
+
assetType: ["enterprise assets", "Data"],
|
|
4971
4899
|
securityFunction: ["Detect"],
|
|
4972
4900
|
governanceElements: [
|
|
4973
4901
|
"where appropriate and supported"
|
|
@@ -5038,7 +4966,7 @@ export class SafeguardManager {
|
|
|
5038
4966
|
title: "Collect Command-Line Audit Logs",
|
|
5039
4967
|
description: "Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.",
|
|
5040
4968
|
implementationGroup: "IG2",
|
|
5041
|
-
assetType: ["
|
|
4969
|
+
assetType: ["Data"],
|
|
5042
4970
|
securityFunction: ["Detect"],
|
|
5043
4971
|
governanceElements: [
|
|
5044
4972
|
"collect command-line audit logs"
|
|
@@ -5108,7 +5036,7 @@ export class SafeguardManager {
|
|
|
5108
5036
|
title: "Centralize Audit Logs",
|
|
5109
5037
|
description: "Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources.",
|
|
5110
5038
|
implementationGroup: "IG2",
|
|
5111
|
-
assetType: ["enterprise assets", "
|
|
5039
|
+
assetType: ["enterprise assets", "Data"],
|
|
5112
5040
|
securityFunction: ["Detect"],
|
|
5113
5041
|
governanceElements: [
|
|
5114
5042
|
"in accordance with documented audit log management process",
|
|
@@ -5180,7 +5108,7 @@ export class SafeguardManager {
|
|
|
5180
5108
|
title: "Retain Audit Logs",
|
|
5181
5109
|
description: "Retain audit logs across enterprise assets for a minimum of 90 days.",
|
|
5182
5110
|
implementationGroup: "IG2",
|
|
5183
|
-
assetType: ["enterprise assets", "
|
|
5111
|
+
assetType: ["enterprise assets", "Data"],
|
|
5184
5112
|
securityFunction: ["Protect"],
|
|
5185
5113
|
governanceElements: [
|
|
5186
5114
|
"minimum of 90 days"
|
|
@@ -5247,7 +5175,7 @@ export class SafeguardManager {
|
|
|
5247
5175
|
title: "Conduct Audit Log Reviews",
|
|
5248
5176
|
description: "Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.",
|
|
5249
5177
|
implementationGroup: "IG2",
|
|
5250
|
-
assetType: ["
|
|
5178
|
+
assetType: ["Data"],
|
|
5251
5179
|
securityFunction: ["Detect"],
|
|
5252
5180
|
governanceElements: [
|
|
5253
5181
|
"conduct reviews on a weekly, or more frequent, basis"
|
|
@@ -5317,7 +5245,7 @@ export class SafeguardManager {
|
|
|
5317
5245
|
title: "Collect Service Provider Logs",
|
|
5318
5246
|
description: "Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.",
|
|
5319
5247
|
implementationGroup: "IG3",
|
|
5320
|
-
assetType: ["
|
|
5248
|
+
assetType: ["Data"],
|
|
5321
5249
|
securityFunction: ["Detect"],
|
|
5322
5250
|
governanceElements: [
|
|
5323
5251
|
"where supported"
|
|
@@ -5466,7 +5394,7 @@ export class SafeguardManager {
|
|
|
5466
5394
|
title: "Use DNS Filtering Services",
|
|
5467
5395
|
description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
|
|
5468
5396
|
implementationGroup: "IG1",
|
|
5469
|
-
assetType: ["
|
|
5397
|
+
assetType: ["Devices", "network"],
|
|
5470
5398
|
securityFunction: ["Protect"],
|
|
5471
5399
|
governanceElements: [
|
|
5472
5400
|
"use DNS filtering services on all end-user devices",
|
|
@@ -5938,7 +5866,7 @@ export class SafeguardManager {
|
|
|
5938
5866
|
title: "Deploy and Maintain Anti-Malware Software",
|
|
5939
5867
|
description: "Deploy and maintain anti-malware software on all enterprise assets",
|
|
5940
5868
|
implementationGroup: "IG1",
|
|
5941
|
-
assetType: ["
|
|
5869
|
+
assetType: ["Devices"],
|
|
5942
5870
|
securityFunction: ["Detect"],
|
|
5943
5871
|
governanceElements: [
|
|
5944
5872
|
"deploy anti-malware software",
|
|
@@ -6017,7 +5945,7 @@ export class SafeguardManager {
|
|
|
6017
5945
|
title: "Configure Automatic Anti-Malware Signature Updates",
|
|
6018
5946
|
description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
|
|
6019
5947
|
implementationGroup: "IG1",
|
|
6020
|
-
assetType: ["
|
|
5948
|
+
assetType: ["Devices"],
|
|
6021
5949
|
securityFunction: ["Protect"],
|
|
6022
5950
|
governanceElements: [
|
|
6023
5951
|
"configure automatic updates",
|
|
@@ -6091,7 +6019,7 @@ export class SafeguardManager {
|
|
|
6091
6019
|
title: "Disable Autorun and Autoplay for Removable Media",
|
|
6092
6020
|
description: "Disable autorun and autoplay auto-execute functionality for removable media",
|
|
6093
6021
|
implementationGroup: "IG1",
|
|
6094
|
-
assetType: ["
|
|
6022
|
+
assetType: ["Devices"],
|
|
6095
6023
|
securityFunction: ["Protect"],
|
|
6096
6024
|
governanceElements: [
|
|
6097
6025
|
"disable autorun functionality",
|
|
@@ -6170,7 +6098,7 @@ export class SafeguardManager {
|
|
|
6170
6098
|
title: "Configure Automatic Anti-Malware Scanning of Removable Media",
|
|
6171
6099
|
description: "Configure anti-malware software to automatically scan removable media",
|
|
6172
6100
|
implementationGroup: "IG2",
|
|
6173
|
-
assetType: ["
|
|
6101
|
+
assetType: ["Devices"],
|
|
6174
6102
|
securityFunction: ["Detect"],
|
|
6175
6103
|
governanceElements: [
|
|
6176
6104
|
"configure anti-malware software",
|
|
@@ -6248,7 +6176,7 @@ export class SafeguardManager {
|
|
|
6248
6176
|
title: "Enable Anti-Exploitation Features",
|
|
6249
6177
|
description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
|
|
6250
6178
|
implementationGroup: "IG2",
|
|
6251
|
-
assetType: ["
|
|
6179
|
+
assetType: ["Devices"],
|
|
6252
6180
|
securityFunction: ["Protect"],
|
|
6253
6181
|
governanceElements: [
|
|
6254
6182
|
"enable anti-exploitation features",
|
|
@@ -6328,7 +6256,7 @@ export class SafeguardManager {
|
|
|
6328
6256
|
title: "Centrally Manage Anti-Malware Software",
|
|
6329
6257
|
description: "Centrally manage anti-malware software",
|
|
6330
6258
|
implementationGroup: "IG2",
|
|
6331
|
-
assetType: ["
|
|
6259
|
+
assetType: ["Devices"],
|
|
6332
6260
|
securityFunction: ["Protect"],
|
|
6333
6261
|
governanceElements: [
|
|
6334
6262
|
"centrally manage anti-malware",
|
|
@@ -6404,7 +6332,7 @@ export class SafeguardManager {
|
|
|
6404
6332
|
title: "Use Behavior-Based Anti-Malware Software",
|
|
6405
6333
|
description: "Use behavior-based anti-malware software",
|
|
6406
6334
|
implementationGroup: "IG2",
|
|
6407
|
-
assetType: ["
|
|
6335
|
+
assetType: ["Devices"],
|
|
6408
6336
|
securityFunction: ["Detect"],
|
|
6409
6337
|
governanceElements: [
|
|
6410
6338
|
"use behavior-based anti-malware",
|
|
@@ -6481,7 +6409,7 @@ export class SafeguardManager {
|
|
|
6481
6409
|
title: "Establish and Maintain a Data Recovery Process",
|
|
6482
6410
|
description: "Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
6483
6411
|
implementationGroup: "IG1",
|
|
6484
|
-
assetType: ["
|
|
6412
|
+
assetType: ["Data"],
|
|
6485
6413
|
securityFunction: ["Govern"],
|
|
6486
6414
|
governanceElements: [
|
|
6487
6415
|
"establish documented data recovery process",
|
|
@@ -6564,7 +6492,7 @@ export class SafeguardManager {
|
|
|
6564
6492
|
title: "Perform Automated Backups",
|
|
6565
6493
|
description: "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data",
|
|
6566
6494
|
implementationGroup: "IG1",
|
|
6567
|
-
assetType: ["
|
|
6495
|
+
assetType: ["Data"],
|
|
6568
6496
|
securityFunction: ["Recover"],
|
|
6569
6497
|
governanceElements: [
|
|
6570
6498
|
"perform automated backups",
|
|
@@ -6645,7 +6573,7 @@ export class SafeguardManager {
|
|
|
6645
6573
|
title: "Protect Recovery Data",
|
|
6646
6574
|
description: "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements",
|
|
6647
6575
|
implementationGroup: "IG1",
|
|
6648
|
-
assetType: ["
|
|
6576
|
+
assetType: ["Data"],
|
|
6649
6577
|
securityFunction: ["Protect"],
|
|
6650
6578
|
governanceElements: [
|
|
6651
6579
|
"protect recovery data",
|
|
@@ -6725,7 +6653,7 @@ export class SafeguardManager {
|
|
|
6725
6653
|
title: "Establish and Maintain an Isolated Instance of Recovery Data",
|
|
6726
6654
|
description: "Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services",
|
|
6727
6655
|
implementationGroup: "IG1",
|
|
6728
|
-
assetType: ["
|
|
6656
|
+
assetType: ["Data"],
|
|
6729
6657
|
securityFunction: ["Recover"],
|
|
6730
6658
|
governanceElements: [
|
|
6731
6659
|
"establish isolated instance of recovery data",
|
|
@@ -6808,7 +6736,7 @@ export class SafeguardManager {
|
|
|
6808
6736
|
title: "Test Data Recovery",
|
|
6809
6737
|
description: "Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets",
|
|
6810
6738
|
implementationGroup: "IG2",
|
|
6811
|
-
assetType: ["
|
|
6739
|
+
assetType: ["Data"],
|
|
6812
6740
|
securityFunction: ["Recover"],
|
|
6813
6741
|
governanceElements: [
|
|
6814
6742
|
"test backup recovery quarterly or more frequently",
|
|
@@ -7372,7 +7300,7 @@ export class SafeguardManager {
|
|
|
7372
7300
|
title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
|
|
7373
7301
|
description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
|
|
7374
7302
|
implementationGroup: "IG2",
|
|
7375
|
-
assetType: ["
|
|
7303
|
+
assetType: ["Devices"],
|
|
7376
7304
|
securityFunction: ["Protect"],
|
|
7377
7305
|
governanceElements: [
|
|
7378
7306
|
"require users to authenticate to enterprise-managed VPN",
|
|
@@ -7452,7 +7380,7 @@ export class SafeguardManager {
|
|
|
7452
7380
|
title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
|
|
7453
7381
|
description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
|
|
7454
7382
|
implementationGroup: "IG3",
|
|
7455
|
-
assetType: ["
|
|
7383
|
+
assetType: ["Devices"],
|
|
7456
7384
|
securityFunction: ["Protect"],
|
|
7457
7385
|
governanceElements: [
|
|
7458
7386
|
"establish dedicated computing resources for administrative work",
|
|
@@ -7534,7 +7462,7 @@ export class SafeguardManager {
|
|
|
7534
7462
|
title: "Centralize Security Event Alerting",
|
|
7535
7463
|
description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
|
|
7536
7464
|
implementationGroup: "IG2",
|
|
7537
|
-
assetType: ["network", "
|
|
7465
|
+
assetType: ["network", "Devices"],
|
|
7538
7466
|
securityFunction: ["Detect"],
|
|
7539
7467
|
governanceElements: [
|
|
7540
7468
|
"centralize security event alerting across enterprise assets",
|
|
@@ -7613,7 +7541,7 @@ export class SafeguardManager {
|
|
|
7613
7541
|
title: "Deploy a Host-Based Intrusion Detection Solution",
|
|
7614
7542
|
description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
|
|
7615
7543
|
implementationGroup: "IG2",
|
|
7616
|
-
assetType: ["
|
|
7544
|
+
assetType: ["Devices"],
|
|
7617
7545
|
securityFunction: ["Detect"],
|
|
7618
7546
|
governanceElements: [
|
|
7619
7547
|
"deploy host-based intrusion detection solution",
|
|
@@ -7839,7 +7767,7 @@ export class SafeguardManager {
|
|
|
7839
7767
|
title: "Manage Access Control for Remote Assets",
|
|
7840
7768
|
description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
|
|
7841
7769
|
implementationGroup: "IG2",
|
|
7842
|
-
assetType: ["
|
|
7770
|
+
assetType: ["Devices", "network"],
|
|
7843
7771
|
securityFunction: ["Protect"],
|
|
7844
7772
|
governanceElements: [
|
|
7845
7773
|
"manage access control for assets remotely connecting to enterprise networks",
|
|
@@ -7993,7 +7921,7 @@ export class SafeguardManager {
|
|
|
7993
7921
|
title: "Deploy a Host-Based Intrusion Prevention Solution",
|
|
7994
7922
|
description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
|
|
7995
7923
|
implementationGroup: "IG3",
|
|
7996
|
-
assetType: ["
|
|
7924
|
+
assetType: ["Devices"],
|
|
7997
7925
|
securityFunction: ["Respond"],
|
|
7998
7926
|
governanceElements: [
|
|
7999
7927
|
"deploy host-based intrusion prevention solution",
|
|
@@ -8294,7 +8222,7 @@ export class SafeguardManager {
|
|
|
8294
8222
|
title: "Tune Security Event Alerting Thresholds",
|
|
8295
8223
|
description: "Tune security event alerting thresholds monthly, or more frequently",
|
|
8296
8224
|
implementationGroup: "IG3",
|
|
8297
|
-
assetType: ["network", "
|
|
8225
|
+
assetType: ["network", "Devices"],
|
|
8298
8226
|
securityFunction: ["Detect"],
|
|
8299
8227
|
governanceElements: [
|
|
8300
8228
|
"tune security event alerting thresholds",
|
|
@@ -8368,7 +8296,7 @@ export class SafeguardManager {
|
|
|
8368
8296
|
title: "Establish and Maintain a Security Awareness Program",
|
|
8369
8297
|
description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
8370
8298
|
implementationGroup: "IG1",
|
|
8371
|
-
assetType: ["
|
|
8299
|
+
assetType: ["Users"],
|
|
8372
8300
|
securityFunction: ["Govern"],
|
|
8373
8301
|
governanceElements: [
|
|
8374
8302
|
"establish and maintain a security awareness program",
|
|
@@ -8450,7 +8378,7 @@ export class SafeguardManager {
|
|
|
8450
8378
|
title: "Train Workforce Members to Recognize Social Engineering Attacks",
|
|
8451
8379
|
description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
|
|
8452
8380
|
implementationGroup: "IG1",
|
|
8453
|
-
assetType: ["
|
|
8381
|
+
assetType: ["Users"],
|
|
8454
8382
|
securityFunction: ["Protect"],
|
|
8455
8383
|
governanceElements: [
|
|
8456
8384
|
"train workforce members to recognize social engineering attacks",
|
|
@@ -8529,7 +8457,7 @@ export class SafeguardManager {
|
|
|
8529
8457
|
title: "Train Workforce Members on Authentication Best Practices",
|
|
8530
8458
|
description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
|
|
8531
8459
|
implementationGroup: "IG1",
|
|
8532
|
-
assetType: ["
|
|
8460
|
+
assetType: ["Users"],
|
|
8533
8461
|
securityFunction: ["Protect"],
|
|
8534
8462
|
governanceElements: [
|
|
8535
8463
|
"train workforce members on authentication best practices",
|
|
@@ -8606,7 +8534,7 @@ export class SafeguardManager {
|
|
|
8606
8534
|
title: "Train Workforce on Data Handling Best Practices",
|
|
8607
8535
|
description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
|
|
8608
8536
|
implementationGroup: "IG1",
|
|
8609
|
-
assetType: ["
|
|
8537
|
+
assetType: ["Users"],
|
|
8610
8538
|
securityFunction: ["Protect"],
|
|
8611
8539
|
governanceElements: [
|
|
8612
8540
|
"train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
|
|
@@ -8691,7 +8619,7 @@ export class SafeguardManager {
|
|
|
8691
8619
|
title: "Train Workforce Members on Causes of Unintentional Data Exposure",
|
|
8692
8620
|
description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
|
|
8693
8621
|
implementationGroup: "IG1",
|
|
8694
|
-
assetType: ["
|
|
8622
|
+
assetType: ["Users"],
|
|
8695
8623
|
securityFunction: ["Protect"],
|
|
8696
8624
|
governanceElements: [
|
|
8697
8625
|
"train workforce members to be aware of causes for unintentional data exposure",
|
|
@@ -8768,7 +8696,7 @@ export class SafeguardManager {
|
|
|
8768
8696
|
title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
|
|
8769
8697
|
description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
|
|
8770
8698
|
implementationGroup: "IG1",
|
|
8771
|
-
assetType: ["
|
|
8699
|
+
assetType: ["Users"],
|
|
8772
8700
|
securityFunction: ["Protect"],
|
|
8773
8701
|
governanceElements: [
|
|
8774
8702
|
"train workforce members to be able to recognize a potential incident",
|
|
@@ -8843,7 +8771,7 @@ export class SafeguardManager {
|
|
|
8843
8771
|
title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
|
|
8844
8772
|
description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
|
|
8845
8773
|
implementationGroup: "IG1",
|
|
8846
|
-
assetType: ["
|
|
8774
|
+
assetType: ["Users"],
|
|
8847
8775
|
securityFunction: ["Protect"],
|
|
8848
8776
|
governanceElements: [
|
|
8849
8777
|
"train workforce to understand how to verify and report out-of-date software patches",
|
|
@@ -8924,7 +8852,7 @@ export class SafeguardManager {
|
|
|
8924
8852
|
title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
|
|
8925
8853
|
description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
|
|
8926
8854
|
implementationGroup: "IG1",
|
|
8927
|
-
assetType: ["
|
|
8855
|
+
assetType: ["Users"],
|
|
8928
8856
|
securityFunction: ["Protect"],
|
|
8929
8857
|
governanceElements: [
|
|
8930
8858
|
"train workforce members on dangers of connecting to and transmitting data over insecure networks",
|
|
@@ -9004,7 +8932,7 @@ export class SafeguardManager {
|
|
|
9004
8932
|
title: "Conduct Role-Specific Security Awareness and Skills Training",
|
|
9005
8933
|
description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
|
|
9006
8934
|
implementationGroup: "IG2",
|
|
9007
|
-
assetType: ["
|
|
8935
|
+
assetType: ["Users"],
|
|
9008
8936
|
securityFunction: ["Protect"],
|
|
9009
8937
|
governanceElements: [
|
|
9010
8938
|
"conduct role-specific security awareness and skills training",
|
|
@@ -9082,7 +9010,7 @@ export class SafeguardManager {
|
|
|
9082
9010
|
title: "Establish and Maintain an Inventory of Service Providers",
|
|
9083
9011
|
description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9084
9012
|
implementationGroup: "IG1",
|
|
9085
|
-
assetType: ["
|
|
9013
|
+
assetType: ["Users"],
|
|
9086
9014
|
securityFunction: ["Identify"],
|
|
9087
9015
|
governanceElements: [
|
|
9088
9016
|
"establish and maintain an inventory of service providers",
|
|
@@ -9162,7 +9090,7 @@ export class SafeguardManager {
|
|
|
9162
9090
|
title: "Establish and Maintain a Service Provider Management Policy",
|
|
9163
9091
|
description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9164
9092
|
implementationGroup: "IG2",
|
|
9165
|
-
assetType: ["
|
|
9093
|
+
assetType: ["Users"],
|
|
9166
9094
|
securityFunction: ["Govern"],
|
|
9167
9095
|
governanceElements: [
|
|
9168
9096
|
"establish and maintain a service provider management policy",
|
|
@@ -9247,7 +9175,7 @@ export class SafeguardManager {
|
|
|
9247
9175
|
title: "Classify Service Providers",
|
|
9248
9176
|
description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9249
9177
|
implementationGroup: "IG2",
|
|
9250
|
-
assetType: ["
|
|
9178
|
+
assetType: ["Users"],
|
|
9251
9179
|
securityFunction: ["Govern"],
|
|
9252
9180
|
governanceElements: [
|
|
9253
9181
|
"classify service providers",
|
|
@@ -9330,7 +9258,7 @@ export class SafeguardManager {
|
|
|
9330
9258
|
title: "Ensure Service Provider Contracts Include Security Requirements",
|
|
9331
9259
|
description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
|
|
9332
9260
|
implementationGroup: "IG2",
|
|
9333
|
-
assetType: ["
|
|
9261
|
+
assetType: ["Users"],
|
|
9334
9262
|
securityFunction: ["Govern"],
|
|
9335
9263
|
governanceElements: [
|
|
9336
9264
|
"ensure service provider contracts include security requirements",
|
|
@@ -9412,7 +9340,7 @@ export class SafeguardManager {
|
|
|
9412
9340
|
title: "Assess Service Providers",
|
|
9413
9341
|
description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
|
|
9414
9342
|
implementationGroup: "IG3",
|
|
9415
|
-
assetType: ["
|
|
9343
|
+
assetType: ["Users"],
|
|
9416
9344
|
securityFunction: ["Govern"],
|
|
9417
9345
|
governanceElements: [
|
|
9418
9346
|
"assess service providers consistent with enterprise's service provider management policy",
|
|
@@ -9494,7 +9422,7 @@ export class SafeguardManager {
|
|
|
9494
9422
|
title: "Monitor Service Providers",
|
|
9495
9423
|
description: "Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring",
|
|
9496
9424
|
implementationGroup: "IG3",
|
|
9497
|
-
assetType: ["
|
|
9425
|
+
assetType: ["Data"],
|
|
9498
9426
|
securityFunction: ["Govern"],
|
|
9499
9427
|
governanceElements: [
|
|
9500
9428
|
"monitor service providers consistent with enterprise's service provider management policy",
|
|
@@ -9571,7 +9499,7 @@ export class SafeguardManager {
|
|
|
9571
9499
|
title: "Securely Decommission Service Providers",
|
|
9572
9500
|
description: "Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems",
|
|
9573
9501
|
implementationGroup: "IG3",
|
|
9574
|
-
assetType: ["
|
|
9502
|
+
assetType: ["Data"],
|
|
9575
9503
|
securityFunction: ["Protect"],
|
|
9576
9504
|
governanceElements: [
|
|
9577
9505
|
"securely decommission service providers",
|
|
@@ -10277,7 +10205,7 @@ export class SafeguardManager {
|
|
|
10277
10205
|
title: "Train Developers in Application Security Concepts and Secure Coding",
|
|
10278
10206
|
description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
|
|
10279
10207
|
implementationGroup: "IG2",
|
|
10280
|
-
assetType: ["
|
|
10208
|
+
assetType: ["Users"],
|
|
10281
10209
|
securityFunction: ["Protect"],
|
|
10282
10210
|
governanceElements: [
|
|
10283
10211
|
"ensure that all software development personnel receive training in writing secure code",
|
|
@@ -10753,7 +10681,7 @@ export class SafeguardManager {
|
|
|
10753
10681
|
title: "Designate Personnel to Manage Incident Handling",
|
|
10754
10682
|
description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10755
10683
|
implementationGroup: "IG1",
|
|
10756
|
-
assetType: ["
|
|
10684
|
+
assetType: ["Users"],
|
|
10757
10685
|
securityFunction: ["Respond"],
|
|
10758
10686
|
governanceElements: [
|
|
10759
10687
|
"designate one key person and at least one backup who will manage the enterprise's incident handling process",
|
|
@@ -10831,7 +10759,7 @@ export class SafeguardManager {
|
|
|
10831
10759
|
title: "Establish and Maintain Contact Information for Reporting Security Incidents",
|
|
10832
10760
|
description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
|
|
10833
10761
|
implementationGroup: "IG1",
|
|
10834
|
-
assetType: ["
|
|
10762
|
+
assetType: ["Users"],
|
|
10835
10763
|
securityFunction: ["Respond"],
|
|
10836
10764
|
governanceElements: [
|
|
10837
10765
|
"establish and maintain contact information for reporting security incidents",
|
|
@@ -10907,7 +10835,7 @@ export class SafeguardManager {
|
|
|
10907
10835
|
title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
|
|
10908
10836
|
description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10909
10837
|
implementationGroup: "IG1",
|
|
10910
|
-
assetType: ["
|
|
10838
|
+
assetType: ["Users"],
|
|
10911
10839
|
securityFunction: ["Govern"],
|
|
10912
10840
|
governanceElements: [
|
|
10913
10841
|
"establish and maintain a documented enterprise process for the workforce to report security incidents",
|
|
@@ -10985,7 +10913,7 @@ export class SafeguardManager {
|
|
|
10985
10913
|
title: "Establish and Maintain an Incident Response Process",
|
|
10986
10914
|
description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10987
10915
|
implementationGroup: "IG2",
|
|
10988
|
-
assetType: ["
|
|
10916
|
+
assetType: ["Users"],
|
|
10989
10917
|
securityFunction: ["Govern"],
|
|
10990
10918
|
governanceElements: [
|
|
10991
10919
|
"establish and maintain a documented incident response process",
|
|
@@ -11060,7 +10988,7 @@ export class SafeguardManager {
|
|
|
11060
10988
|
title: "Assign Key Roles and Responsibilities",
|
|
11061
10989
|
description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11062
10990
|
implementationGroup: "IG2",
|
|
11063
|
-
assetType: ["
|
|
10991
|
+
assetType: ["Users"],
|
|
11064
10992
|
securityFunction: ["Respond"],
|
|
11065
10993
|
governanceElements: [
|
|
11066
10994
|
"assign key roles and responsibilities for incident response",
|
|
@@ -11138,7 +11066,7 @@ export class SafeguardManager {
|
|
|
11138
11066
|
title: "Define Mechanisms for Communicating During Incident Response",
|
|
11139
11067
|
description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11140
11068
|
implementationGroup: "IG2",
|
|
11141
|
-
assetType: ["
|
|
11069
|
+
assetType: ["Users"],
|
|
11142
11070
|
securityFunction: ["Respond"],
|
|
11143
11071
|
governanceElements: [
|
|
11144
11072
|
"determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
|
|
@@ -11215,7 +11143,7 @@ export class SafeguardManager {
|
|
|
11215
11143
|
title: "Conduct Routine Incident Response Exercises",
|
|
11216
11144
|
description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
|
|
11217
11145
|
implementationGroup: "IG2",
|
|
11218
|
-
assetType: ["
|
|
11146
|
+
assetType: ["Users"],
|
|
11219
11147
|
securityFunction: ["Recover"],
|
|
11220
11148
|
governanceElements: [
|
|
11221
11149
|
"plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
|
|
@@ -11292,7 +11220,7 @@ export class SafeguardManager {
|
|
|
11292
11220
|
title: "Conduct Post-Incident Reviews",
|
|
11293
11221
|
description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
|
|
11294
11222
|
implementationGroup: "IG2",
|
|
11295
|
-
assetType: ["
|
|
11223
|
+
assetType: ["Users"],
|
|
11296
11224
|
securityFunction: ["Recover"],
|
|
11297
11225
|
governanceElements: [
|
|
11298
11226
|
"conduct post-incident reviews"
|
|
@@ -11365,7 +11293,7 @@ export class SafeguardManager {
|
|
|
11365
11293
|
title: "Establish and Maintain Security Incident Thresholds",
|
|
11366
11294
|
description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11367
11295
|
implementationGroup: "IG3",
|
|
11368
|
-
assetType: ["
|
|
11296
|
+
assetType: ["Users"],
|
|
11369
11297
|
securityFunction: ["Recover"],
|
|
11370
11298
|
governanceElements: [
|
|
11371
11299
|
"establish and maintain security incident thresholds",
|