framework-mcp 2.4.2 → 2.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -14
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +173 -245
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +5 -5
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/package.json +2 -2
- package/src/core/safeguard-manager.ts +165 -237
- package/src/interfaces/http/http-server.ts +5 -5
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +2 -2
- package/swagger.json +5 -5
|
@@ -1461,7 +1461,7 @@ export class SafeguardManager {
|
|
|
1461
1461
|
title: "Establish and Maintain a Data Management Process",
|
|
1462
1462
|
description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1463
1463
|
implementationGroup: "IG1",
|
|
1464
|
-
assetType: ["
|
|
1464
|
+
assetType: ["Data"],
|
|
1465
1465
|
securityFunction: ["Govern"],
|
|
1466
1466
|
governanceElements: [ // Orange - MUST be met
|
|
1467
1467
|
"Establish",
|
|
@@ -1469,20 +1469,15 @@ export class SafeguardManager {
|
|
|
1469
1469
|
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
1470
1470
|
],
|
|
1471
1471
|
coreRequirements: [ // Green - The "what"
|
|
1472
|
-
"documented data management process"
|
|
1473
|
-
"address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise"
|
|
1472
|
+
"documented data management process"
|
|
1474
1473
|
],
|
|
1475
1474
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1476
|
-
"Documented Data management process",
|
|
1477
1475
|
"Data Sensitivity",
|
|
1478
1476
|
"Data Owner",
|
|
1479
1477
|
"Data Handling",
|
|
1480
1478
|
"Data Retention Limits",
|
|
1481
1479
|
"Disposal Requirements",
|
|
1482
|
-
"Retention Standards"
|
|
1483
|
-
"Review and update documentation",
|
|
1484
|
-
"Annually",
|
|
1485
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1480
|
+
"Retention Standards"
|
|
1486
1481
|
],
|
|
1487
1482
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1488
1483
|
],
|
|
@@ -1572,7 +1567,7 @@ export class SafeguardManager {
|
|
|
1572
1567
|
title: "Establish and Maintain a Data Inventory",
|
|
1573
1568
|
description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
|
|
1574
1569
|
implementationGroup: "IG1",
|
|
1575
|
-
assetType: ["
|
|
1570
|
+
assetType: ["Data"],
|
|
1576
1571
|
securityFunction: ["Identify"],
|
|
1577
1572
|
governanceElements: [ // Orange - MUST be met
|
|
1578
1573
|
"Establish",
|
|
@@ -1580,16 +1575,11 @@ export class SafeguardManager {
|
|
|
1580
1575
|
"Review and update inventory annually, at a minimum, with a priority on sensitive data"
|
|
1581
1576
|
],
|
|
1582
1577
|
coreRequirements: [ // Green - The "what"
|
|
1583
|
-
"data inventory
|
|
1584
|
-
"inventory sensitive data, at a minimum"
|
|
1578
|
+
"data inventory"
|
|
1585
1579
|
],
|
|
1586
1580
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1587
|
-
"Data Inventory",
|
|
1588
1581
|
"Based on Data Management process",
|
|
1589
|
-
"Sensitive Data at a Minimum"
|
|
1590
|
-
"Review and update inventory",
|
|
1591
|
-
"Annually, at a minimum",
|
|
1592
|
-
"Priority on sensitive data"
|
|
1582
|
+
"Sensitive Data at a Minimum"
|
|
1593
1583
|
],
|
|
1594
1584
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1595
1585
|
],
|
|
@@ -1679,14 +1669,13 @@ export class SafeguardManager {
|
|
|
1679
1669
|
title: "Configure Data Access Control Lists",
|
|
1680
1670
|
description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
|
|
1681
1671
|
implementationGroup: "IG1",
|
|
1682
|
-
assetType: ["
|
|
1672
|
+
assetType: ["Data"],
|
|
1683
1673
|
securityFunction: ["Protect"],
|
|
1684
1674
|
governanceElements: [ // Orange - MUST be met
|
|
1685
|
-
"Configure"
|
|
1686
|
-
"Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications"
|
|
1675
|
+
"Configure"
|
|
1687
1676
|
],
|
|
1688
1677
|
coreRequirements: [ // Green - The "what"
|
|
1689
|
-
"data access control lists
|
|
1678
|
+
"data access control lists"
|
|
1690
1679
|
],
|
|
1691
1680
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1692
1681
|
"Data Access control lists",
|
|
@@ -1785,7 +1774,7 @@ export class SafeguardManager {
|
|
|
1785
1774
|
title: "Enforce Data Retention",
|
|
1786
1775
|
description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
|
|
1787
1776
|
implementationGroup: "IG1",
|
|
1788
|
-
assetType: ["
|
|
1777
|
+
assetType: ["Data"],
|
|
1789
1778
|
securityFunction: ["Protect"],
|
|
1790
1779
|
governanceElements: [ // Orange - MUST be met
|
|
1791
1780
|
"Retain",
|
|
@@ -1798,7 +1787,6 @@ export class SafeguardManager {
|
|
|
1798
1787
|
],
|
|
1799
1788
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1800
1789
|
"Data Retention",
|
|
1801
|
-
"Must Include",
|
|
1802
1790
|
"Minimum Timelines",
|
|
1803
1791
|
"Maximum timelines"
|
|
1804
1792
|
],
|
|
@@ -1890,19 +1878,17 @@ export class SafeguardManager {
|
|
|
1890
1878
|
title: "Securely Dispose of Data",
|
|
1891
1879
|
description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
|
|
1892
1880
|
implementationGroup: "IG1",
|
|
1893
|
-
assetType: ["
|
|
1881
|
+
assetType: ["Data"],
|
|
1894
1882
|
securityFunction: ["Protect"],
|
|
1895
1883
|
governanceElements: [ // Orange - MUST be met
|
|
1896
|
-
"
|
|
1884
|
+
"Disposal process and method are commensurate with the data sensitivity",
|
|
1897
1885
|
"Ensure"
|
|
1898
1886
|
],
|
|
1899
1887
|
coreRequirements: [ // Green - The "what"
|
|
1900
|
-
"
|
|
1901
|
-
"the disposal process and method are commensurate with the data sensitivity"
|
|
1888
|
+
"Securely Dispose of Data"
|
|
1902
1889
|
],
|
|
1903
1890
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1904
|
-
"Securely dispose of
|
|
1905
|
-
"Disposal process and method are commensurate with the data sensitivity"
|
|
1891
|
+
"Securely dispose of Data"
|
|
1906
1892
|
],
|
|
1907
1893
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1908
1894
|
],
|
|
@@ -1992,17 +1978,17 @@ export class SafeguardManager {
|
|
|
1992
1978
|
title: "Encrypt Data on End-User Devices",
|
|
1993
1979
|
description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
|
|
1994
1980
|
implementationGroup: "IG1",
|
|
1995
|
-
assetType: ["
|
|
1981
|
+
assetType: ["Data"],
|
|
1996
1982
|
securityFunction: ["Protect"],
|
|
1997
1983
|
governanceElements: [ // Orange - MUST be met
|
|
1998
1984
|
"Encrypt"
|
|
1999
1985
|
],
|
|
2000
1986
|
coreRequirements: [ // Green - The "what"
|
|
2001
|
-
"data on end-user devices
|
|
1987
|
+
"data on end-user devices"
|
|
2002
1988
|
],
|
|
2003
1989
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2004
1990
|
"Data on end-user devices",
|
|
2005
|
-
"Sensitive data"
|
|
1991
|
+
"that contain Sensitive data"
|
|
2006
1992
|
],
|
|
2007
1993
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2008
1994
|
"Windows Bitlocker",
|
|
@@ -2095,7 +2081,7 @@ export class SafeguardManager {
|
|
|
2095
2081
|
title: "Establish and Maintain a Data Classification Scheme",
|
|
2096
2082
|
description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2097
2083
|
implementationGroup: "IG2",
|
|
2098
|
-
assetType: ["
|
|
2084
|
+
assetType: ["Data"],
|
|
2099
2085
|
securityFunction: ["Identify"],
|
|
2100
2086
|
governanceElements: [ // Orange - MUST be met
|
|
2101
2087
|
"Establish",
|
|
@@ -2103,15 +2089,10 @@ export class SafeguardManager {
|
|
|
2103
2089
|
"Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
2104
2090
|
],
|
|
2105
2091
|
coreRequirements: [ // Green - The "what"
|
|
2106
|
-
"
|
|
2107
|
-
"classify their data according to those labels"
|
|
2092
|
+
"data classification scheme"
|
|
2108
2093
|
],
|
|
2109
2094
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2110
|
-
"
|
|
2111
|
-
"Classify their data according to labels",
|
|
2112
|
-
"Review and update classification scheme",
|
|
2113
|
-
"Annually",
|
|
2114
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2095
|
+
"Classify their data according to labels"
|
|
2115
2096
|
],
|
|
2116
2097
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2117
2098
|
"Sensitive",
|
|
@@ -2204,27 +2185,19 @@ export class SafeguardManager {
|
|
|
2204
2185
|
title: "Document Data Flows",
|
|
2205
2186
|
description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2206
2187
|
implementationGroup: "IG2",
|
|
2207
|
-
assetType: ["
|
|
2188
|
+
assetType: ["Data"],
|
|
2208
2189
|
securityFunction: ["Identify"],
|
|
2209
2190
|
governanceElements: [ // Orange - MUST be met
|
|
2210
|
-
"Document data flows"
|
|
2211
|
-
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
2191
|
+
"Document data flows"
|
|
2212
2192
|
],
|
|
2213
2193
|
coreRequirements: [ // Green - The "what"
|
|
2214
|
-
"Data
|
|
2194
|
+
"Document Data Flows"
|
|
2215
2195
|
],
|
|
2216
2196
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2217
|
-
"Document data flows",
|
|
2218
2197
|
"Enterprise Data Flows",
|
|
2219
|
-
"Service Provider Data Flows"
|
|
2220
|
-
"Review and update documentation",
|
|
2221
|
-
"Annually",
|
|
2222
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2198
|
+
"Service Provider Data Flows"
|
|
2223
2199
|
],
|
|
2224
2200
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2225
|
-
"Data management systems",
|
|
2226
|
-
"Data flow mapping tools",
|
|
2227
|
-
"Service provider documentation"
|
|
2228
2201
|
],
|
|
2229
2202
|
relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"],
|
|
2230
2203
|
systemPromptFull: {
|
|
@@ -2312,16 +2285,16 @@ export class SafeguardManager {
|
|
|
2312
2285
|
title: "Encrypt Data on Removable Media",
|
|
2313
2286
|
description: "Encrypt Data on Removable Media",
|
|
2314
2287
|
implementationGroup: "IG2",
|
|
2315
|
-
assetType: ["
|
|
2288
|
+
assetType: ["Data"],
|
|
2316
2289
|
securityFunction: ["Protect"],
|
|
2317
2290
|
governanceElements: [ // Orange - MUST be met
|
|
2318
|
-
"Encrypt
|
|
2291
|
+
"Encrypt"
|
|
2319
2292
|
],
|
|
2320
2293
|
coreRequirements: [ // Green - The "what"
|
|
2294
|
+
"Encrypt Data on Removable Media"
|
|
2321
2295
|
],
|
|
2322
2296
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2323
2297
|
"Data on Removable Media",
|
|
2324
|
-
"Maintain"
|
|
2325
2298
|
],
|
|
2326
2299
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2327
2300
|
],
|
|
@@ -2411,13 +2384,13 @@ export class SafeguardManager {
|
|
|
2411
2384
|
title: "Encrypt Sensitive Data in Transit",
|
|
2412
2385
|
description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
|
|
2413
2386
|
implementationGroup: "IG2",
|
|
2414
|
-
assetType: ["
|
|
2387
|
+
assetType: ["Data"],
|
|
2415
2388
|
securityFunction: ["Protect"],
|
|
2416
2389
|
governanceElements: [ // Orange - MUST be met
|
|
2417
2390
|
"Encrypt"
|
|
2418
2391
|
],
|
|
2419
2392
|
coreRequirements: [ // Green - The "what"
|
|
2420
|
-
"sensitive data in transit"
|
|
2393
|
+
"Encrypt sensitive data in transit"
|
|
2421
2394
|
],
|
|
2422
2395
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2423
2396
|
"Sensitive data in transit"
|
|
@@ -2512,23 +2485,21 @@ export class SafeguardManager {
|
|
|
2512
2485
|
title: "Encrypt Sensitive Data at Rest",
|
|
2513
2486
|
description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
|
|
2514
2487
|
implementationGroup: "IG2",
|
|
2515
|
-
assetType: ["
|
|
2488
|
+
assetType: ["Data"],
|
|
2516
2489
|
securityFunction: ["Protect"],
|
|
2517
2490
|
governanceElements: [ // Orange - MUST be met
|
|
2518
2491
|
"Encrypt",
|
|
2519
|
-
"
|
|
2492
|
+
"Minimum Requirement"
|
|
2520
2493
|
],
|
|
2521
2494
|
coreRequirements: [ // Green - The "what"
|
|
2522
|
-
"sensitive data at rest
|
|
2523
|
-
"Storage-layer encryption, also known as server-side encryption"
|
|
2495
|
+
"Encrypt sensitive data at rest"
|
|
2524
2496
|
],
|
|
2525
2497
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2526
|
-
"
|
|
2498
|
+
"Sensitive Data At Rest",
|
|
2527
2499
|
"Servers",
|
|
2528
|
-
"
|
|
2500
|
+
"Applications",
|
|
2529
2501
|
"Databases",
|
|
2530
|
-
"Storage Layer (server side) encryption"
|
|
2531
|
-
"Minimum Requirement"
|
|
2502
|
+
"Storage Layer (server side) encryption"
|
|
2532
2503
|
],
|
|
2533
2504
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2534
2505
|
"Application layer (client-side) encryption",
|
|
@@ -2620,19 +2591,17 @@ export class SafeguardManager {
|
|
|
2620
2591
|
title: "Segment Data Processing and Storage Based on Sensitivity",
|
|
2621
2592
|
description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
|
|
2622
2593
|
implementationGroup: "IG2",
|
|
2623
|
-
assetType: ["
|
|
2594
|
+
assetType: ["Data"],
|
|
2624
2595
|
securityFunction: ["Protect"],
|
|
2625
2596
|
governanceElements: [ // Orange - MUST be met
|
|
2626
|
-
"Segment data processing and storage based on the sensitivity of the data",
|
|
2627
2597
|
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
2628
2598
|
],
|
|
2629
2599
|
coreRequirements: [ // Green - The "what"
|
|
2600
|
+
"Segment Data Processing",
|
|
2601
|
+
"Segment Data Storage",
|
|
2602
|
+
"Based on Sensitivity"
|
|
2630
2603
|
],
|
|
2631
2604
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2632
|
-
"Based on the sensitivity of data",
|
|
2633
|
-
"Segment data processing (compute)",
|
|
2634
|
-
"Segment Storage",
|
|
2635
|
-
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
2636
2605
|
],
|
|
2637
2606
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2638
2607
|
],
|
|
@@ -2722,17 +2691,15 @@ export class SafeguardManager {
|
|
|
2722
2691
|
title: "Deploy a Data Loss Prevention Solution",
|
|
2723
2692
|
description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
|
|
2724
2693
|
implementationGroup: "IG3",
|
|
2725
|
-
assetType: ["
|
|
2694
|
+
assetType: ["Data"],
|
|
2726
2695
|
securityFunction: ["Protect"],
|
|
2727
2696
|
governanceElements: [ // Orange - MUST be met
|
|
2728
|
-
"Implement"
|
|
2729
|
-
"Update Data Inventory"
|
|
2697
|
+
"Implement"
|
|
2730
2698
|
],
|
|
2731
2699
|
coreRequirements: [ // Green - The "what"
|
|
2732
|
-
"automated tool to identify all sensitive data
|
|
2700
|
+
"automated tool to identify all sensitive data"
|
|
2733
2701
|
],
|
|
2734
2702
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2735
|
-
"Automated DLP Tool",
|
|
2736
2703
|
"Identify all sensitive Data",
|
|
2737
2704
|
"Stored",
|
|
2738
2705
|
"Processed",
|
|
@@ -2830,19 +2797,15 @@ export class SafeguardManager {
|
|
|
2830
2797
|
title: "Log Sensitive Data Access",
|
|
2831
2798
|
description: "Log sensitive data access, including modification and disposal.",
|
|
2832
2799
|
implementationGroup: "IG3",
|
|
2833
|
-
assetType: ["
|
|
2800
|
+
assetType: ["Data"],
|
|
2834
2801
|
securityFunction: ["Detect"],
|
|
2835
2802
|
governanceElements: [ // Orange - MUST be met
|
|
2836
2803
|
"Log"
|
|
2837
2804
|
],
|
|
2838
2805
|
coreRequirements: [ // Green - The "what"
|
|
2839
|
-
"sensitive data access, including modification and disposal"
|
|
2806
|
+
"Log sensitive data access, including modification and disposal"
|
|
2840
2807
|
],
|
|
2841
2808
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2842
|
-
"Sensitive Data access",
|
|
2843
|
-
"Access",
|
|
2844
|
-
"Modification",
|
|
2845
|
-
"Disposal"
|
|
2846
2809
|
],
|
|
2847
2810
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2848
2811
|
],
|
|
@@ -2932,19 +2895,17 @@ export class SafeguardManager {
|
|
|
2932
2895
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
2933
2896
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2934
2897
|
implementationGroup: "IG1",
|
|
2935
|
-
assetType: ["
|
|
2898
|
+
assetType: ["Docuemntation"],
|
|
2936
2899
|
securityFunction: ["Govern"],
|
|
2937
2900
|
governanceElements: [ // Orange - MUST be met
|
|
2938
2901
|
"Establish",
|
|
2939
2902
|
"Maintain",
|
|
2940
|
-
"Documented Secure Configuration Process",
|
|
2941
2903
|
"Review and update documentation",
|
|
2942
2904
|
"Annually",
|
|
2943
2905
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2944
2906
|
],
|
|
2945
2907
|
coreRequirements: [ // Green - The "what"
|
|
2946
|
-
"documented secure configuration process
|
|
2947
|
-
"documented secure configuration process for software"
|
|
2908
|
+
"documented secure configuration process"
|
|
2948
2909
|
],
|
|
2949
2910
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2950
2911
|
"Enterprise assets",
|
|
@@ -2954,12 +2915,9 @@ export class SafeguardManager {
|
|
|
2954
2915
|
"Portable",
|
|
2955
2916
|
"Non-computing/IoT devices",
|
|
2956
2917
|
"Servers",
|
|
2957
|
-
"OS"
|
|
2958
|
-
"Software"
|
|
2918
|
+
"OS"
|
|
2959
2919
|
],
|
|
2960
2920
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2961
|
-
"Secure Configuration Policy / Process",
|
|
2962
|
-
"Configuration Management Tool"
|
|
2963
2921
|
],
|
|
2964
2922
|
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
|
|
2965
2923
|
systemPromptFull: {
|
|
@@ -3047,25 +3005,22 @@ export class SafeguardManager {
|
|
|
3047
3005
|
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
3048
3006
|
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
3049
3007
|
implementationGroup: "IG1",
|
|
3050
|
-
assetType: ["
|
|
3008
|
+
assetType: ["Documentation"],
|
|
3051
3009
|
securityFunction: ["Govern"],
|
|
3052
3010
|
governanceElements: [ // Orange - MUST be met
|
|
3053
3011
|
"Establish",
|
|
3054
3012
|
"Maintain",
|
|
3055
|
-
"Documented Secure Network Configuration Process",
|
|
3056
3013
|
"Review and update documentation",
|
|
3057
3014
|
"Annually",
|
|
3058
3015
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
3059
3016
|
],
|
|
3060
3017
|
coreRequirements: [ // Green - The "what"
|
|
3061
|
-
"documented secure configuration process
|
|
3018
|
+
"documented secure configuration process"
|
|
3062
3019
|
],
|
|
3063
3020
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3064
3021
|
"Network devices"
|
|
3065
3022
|
],
|
|
3066
3023
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3067
|
-
"Secure Configuration Policy / Process",
|
|
3068
|
-
"Configuration Management Tool"
|
|
3069
3024
|
],
|
|
3070
3025
|
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
|
|
3071
3026
|
systemPromptFull: {
|
|
@@ -3153,7 +3108,7 @@ export class SafeguardManager {
|
|
|
3153
3108
|
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
3154
3109
|
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
3155
3110
|
implementationGroup: "IG1",
|
|
3156
|
-
assetType: ["
|
|
3111
|
+
assetType: ["Devices"],
|
|
3157
3112
|
securityFunction: ["Protect"],
|
|
3158
3113
|
governanceElements: [ // Orange - MUST be met
|
|
3159
3114
|
"Configure",
|
|
@@ -3161,18 +3116,14 @@ export class SafeguardManager {
|
|
|
3161
3116
|
"Period must not exceed for 2 Minutes"
|
|
3162
3117
|
],
|
|
3163
3118
|
coreRequirements: [ // Green - The "what"
|
|
3164
|
-
"automatic session locking on enterprise assets
|
|
3165
|
-
"general purpose operating systems",
|
|
3166
|
-
"mobile end-user devices"
|
|
3119
|
+
"automatic session locking on enterprise assets"
|
|
3167
3120
|
],
|
|
3168
3121
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3169
|
-
"Automatic Session Locking",
|
|
3170
3122
|
"Period of inactivity",
|
|
3171
3123
|
"General Purpose OSs",
|
|
3172
3124
|
"Mobile end-user devices"
|
|
3173
3125
|
],
|
|
3174
3126
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3175
|
-
"Configuration Management Tool"
|
|
3176
3127
|
],
|
|
3177
3128
|
relatedSafeguards: ["4.1"],
|
|
3178
3129
|
systemPromptFull: {
|
|
@@ -3260,7 +3211,7 @@ export class SafeguardManager {
|
|
|
3260
3211
|
title: "Implement and Manage a Firewall on Servers",
|
|
3261
3212
|
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
3262
3213
|
implementationGroup: "IG1",
|
|
3263
|
-
assetType: ["
|
|
3214
|
+
assetType: ["Devices"],
|
|
3264
3215
|
securityFunction: ["Protect"],
|
|
3265
3216
|
governanceElements: [ // Orange - MUST be met
|
|
3266
3217
|
"Implement",
|
|
@@ -3277,8 +3228,6 @@ export class SafeguardManager {
|
|
|
3277
3228
|
"Virtual Firewall",
|
|
3278
3229
|
"OS Firewall",
|
|
3279
3230
|
"Third Party Firewall",
|
|
3280
|
-
"Firewall",
|
|
3281
|
-
"Configuration Management Tool"
|
|
3282
3231
|
],
|
|
3283
3232
|
relatedSafeguards: ["4.1"],
|
|
3284
3233
|
systemPromptFull: {
|
|
@@ -3366,21 +3315,18 @@ export class SafeguardManager {
|
|
|
3366
3315
|
title: "Implement and Manage a Firewall on End-User Devices",
|
|
3367
3316
|
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
3368
3317
|
implementationGroup: "IG1",
|
|
3369
|
-
assetType: ["
|
|
3318
|
+
assetType: ["Devices"],
|
|
3370
3319
|
securityFunction: ["Protect"],
|
|
3371
3320
|
governanceElements: [ // Orange - MUST be met
|
|
3372
3321
|
"Implement",
|
|
3373
|
-
"Manage"
|
|
3374
|
-
"Default deny rule that drops all traffic",
|
|
3375
|
-
"Except Explicitly Allowed"
|
|
3322
|
+
"Manage"
|
|
3376
3323
|
],
|
|
3377
3324
|
coreRequirements: [ // Green - The "what"
|
|
3378
3325
|
"host-based firewall or port-filtering tool on end-user devices"
|
|
3379
3326
|
],
|
|
3380
3327
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3381
|
-
"
|
|
3382
|
-
"
|
|
3383
|
-
"End User Devices",
|
|
3328
|
+
"Default Deny Rule that drops all traffic",
|
|
3329
|
+
"Except Explicitly Allowed",
|
|
3384
3330
|
"Services",
|
|
3385
3331
|
"Ports"
|
|
3386
3332
|
],
|
|
@@ -3474,7 +3420,7 @@ export class SafeguardManager {
|
|
|
3474
3420
|
title: "Securely Manage Enterprise Assets and Software",
|
|
3475
3421
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
3476
3422
|
implementationGroup: "IG1",
|
|
3477
|
-
assetType: ["
|
|
3423
|
+
assetType: ["Devices"],
|
|
3478
3424
|
securityFunction: ["Protect"],
|
|
3479
3425
|
governanceElements: [ // Orange - MUST be met
|
|
3480
3426
|
"Do not use insecure management protocols",
|
|
@@ -3484,16 +3430,14 @@ export class SafeguardManager {
|
|
|
3484
3430
|
"Securely manage enterprise assets and software"
|
|
3485
3431
|
],
|
|
3486
3432
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3487
|
-
"Securely manage enterprise assets and software"
|
|
3433
|
+
"Securely manage enterprise assets and software",
|
|
3434
|
+
"Do not use insecure management protocols unless operationally essential"
|
|
3488
3435
|
],
|
|
3489
3436
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3490
3437
|
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
3491
3438
|
"Accessing administrative interfaces over secure network protocols",
|
|
3492
|
-
"SSH",
|
|
3493
|
-
"HTTPS",
|
|
3494
|
-
"Telnet (Teletype Network)",
|
|
3495
|
-
"HTTP",
|
|
3496
|
-
"Configuration Management Tool"
|
|
3439
|
+
"SSH instead of TELNET",
|
|
3440
|
+
"HTTPS instead of HTTP",
|
|
3497
3441
|
],
|
|
3498
3442
|
relatedSafeguards: ["4.1", "12.3"],
|
|
3499
3443
|
systemPromptFull: {
|
|
@@ -3581,26 +3525,22 @@ export class SafeguardManager {
|
|
|
3581
3525
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
3582
3526
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
3583
3527
|
implementationGroup: "IG1",
|
|
3584
|
-
assetType: ["
|
|
3528
|
+
assetType: ["Users"],
|
|
3585
3529
|
securityFunction: ["Protect"],
|
|
3586
3530
|
governanceElements: [ // Orange - MUST be met
|
|
3587
3531
|
"Manage"
|
|
3588
3532
|
],
|
|
3589
3533
|
coreRequirements: [ // Green - The "what"
|
|
3590
|
-
"default accounts
|
|
3534
|
+
"default accounts"
|
|
3591
3535
|
],
|
|
3592
3536
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3593
|
-
"Default accounts",
|
|
3594
3537
|
"Enterprise assets",
|
|
3595
|
-
"Software"
|
|
3596
|
-
"Root",
|
|
3597
|
-
"Administrator",
|
|
3598
|
-
"Other pre-configured vendor accounts"
|
|
3538
|
+
"Software"
|
|
3599
3539
|
],
|
|
3600
3540
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3601
|
-
"Disabling",
|
|
3602
|
-
"Unusable",
|
|
3603
|
-
"
|
|
3541
|
+
"Disabling them",
|
|
3542
|
+
"making them Unusable",
|
|
3543
|
+
"Root, Administrator, or other pre-configured vendor accounts"
|
|
3604
3544
|
],
|
|
3605
3545
|
relatedSafeguards: ["4.1"],
|
|
3606
3546
|
systemPromptFull: {
|
|
@@ -3688,25 +3628,23 @@ export class SafeguardManager {
|
|
|
3688
3628
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
3689
3629
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
3690
3630
|
implementationGroup: "IG2",
|
|
3691
|
-
assetType: ["
|
|
3631
|
+
assetType: ["Devices", "Software"],
|
|
3692
3632
|
securityFunction: ["Protect"],
|
|
3693
3633
|
governanceElements: [ // Orange - MUST be met
|
|
3694
3634
|
"Uninstall",
|
|
3695
3635
|
"Disable"
|
|
3696
3636
|
],
|
|
3697
3637
|
coreRequirements: [ // Green - The "what"
|
|
3698
|
-
"unnecessary services
|
|
3638
|
+
"unnecessary services"
|
|
3699
3639
|
],
|
|
3700
3640
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3701
|
-
"Unnecessary Services",
|
|
3702
3641
|
"Enterprise assets",
|
|
3703
|
-
"Software"
|
|
3704
|
-
"Unused file sharing service",
|
|
3705
|
-
"Web application module",
|
|
3706
|
-
"Service function"
|
|
3642
|
+
"Software"
|
|
3707
3643
|
],
|
|
3708
3644
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3709
|
-
"
|
|
3645
|
+
"Unused File Sharing Services",
|
|
3646
|
+
"Web Application Module",
|
|
3647
|
+
"Service Function"
|
|
3710
3648
|
],
|
|
3711
3649
|
relatedSafeguards: ["4.1"],
|
|
3712
3650
|
systemPromptFull: {
|
|
@@ -3794,22 +3732,20 @@ export class SafeguardManager {
|
|
|
3794
3732
|
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
3795
3733
|
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
3796
3734
|
implementationGroup: "IG2",
|
|
3797
|
-
assetType: ["
|
|
3735
|
+
assetType: ["Devices"],
|
|
3798
3736
|
securityFunction: ["Protect"],
|
|
3799
3737
|
governanceElements: [ // Orange - MUST be met
|
|
3800
3738
|
"Configure"
|
|
3801
3739
|
],
|
|
3802
3740
|
coreRequirements: [ // Green - The "what"
|
|
3803
|
-
"trusted DNS servers
|
|
3741
|
+
"trusted DNS servers"
|
|
3804
3742
|
],
|
|
3805
3743
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3806
|
-
"Trusted DNS Servers",
|
|
3807
3744
|
"Enterprise assets"
|
|
3808
3745
|
],
|
|
3809
3746
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3810
3747
|
"Configuring assets to use enterprise-controlled DNS servers",
|
|
3811
|
-
"Reputable externally accessible DNS servers"
|
|
3812
|
-
"Configuration Management Tool"
|
|
3748
|
+
"Reputable externally accessible DNS servers"
|
|
3813
3749
|
],
|
|
3814
3750
|
relatedSafeguards: ["4.1", "8.6", "9.2"],
|
|
3815
3751
|
systemPromptFull: {
|
|
@@ -3897,7 +3833,7 @@ export class SafeguardManager {
|
|
|
3897
3833
|
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
3898
3834
|
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
3899
3835
|
implementationGroup: "IG2",
|
|
3900
|
-
assetType: ["
|
|
3836
|
+
assetType: ["Devices"],
|
|
3901
3837
|
securityFunction: ["Protect"],
|
|
3902
3838
|
governanceElements: [ // Orange - MUST be met
|
|
3903
3839
|
"Enforce",
|
|
@@ -3906,14 +3842,13 @@ export class SafeguardManager {
|
|
|
3906
3842
|
"No more than 10 Failed Authentication Attempts"
|
|
3907
3843
|
],
|
|
3908
3844
|
coreRequirements: [ // Green - The "what"
|
|
3909
|
-
"automatic device lockout
|
|
3845
|
+
"automatic device lockout"
|
|
3910
3846
|
],
|
|
3911
3847
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3912
|
-
"
|
|
3913
|
-
"
|
|
3914
|
-
"
|
|
3915
|
-
"
|
|
3916
|
-
"Tablets and smartphones"
|
|
3848
|
+
"After a Predetermined threshold of local failed authentication attempts",
|
|
3849
|
+
"On Portable end-user devices",
|
|
3850
|
+
"Such as Laptops",
|
|
3851
|
+
"Such as Tablets and smartphones"
|
|
3917
3852
|
],
|
|
3918
3853
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3919
3854
|
"Microsoft® InTune Device Lock",
|
|
@@ -4006,24 +3941,22 @@ export class SafeguardManager {
|
|
|
4006
3941
|
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
4007
3942
|
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
4008
3943
|
implementationGroup: "IG2",
|
|
4009
|
-
assetType: ["
|
|
3944
|
+
assetType: ["Devices"],
|
|
4010
3945
|
securityFunction: ["Protect"],
|
|
4011
3946
|
governanceElements: [ // Orange - MUST be met
|
|
4012
3947
|
"When deemed appropriate"
|
|
4013
3948
|
],
|
|
4014
3949
|
coreRequirements: [ // Green - The "what"
|
|
4015
|
-
"Remotely wipe enterprise data
|
|
3950
|
+
"Remotely wipe enterprise data"
|
|
4016
3951
|
],
|
|
4017
3952
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4018
|
-
"
|
|
4019
|
-
|
|
3953
|
+
"Portable end-user devices"
|
|
3954
|
+
],
|
|
3955
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4020
3956
|
"Lost devices",
|
|
4021
3957
|
"Stolen devices",
|
|
4022
3958
|
"When an individual no longer supports the enterprise"
|
|
4023
3959
|
],
|
|
4024
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4025
|
-
"Configuration Management Tool"
|
|
4026
|
-
],
|
|
4027
3960
|
relatedSafeguards: ["4.1"],
|
|
4028
3961
|
systemPromptFull: {
|
|
4029
3962
|
|
|
@@ -4110,7 +4043,7 @@ export class SafeguardManager {
|
|
|
4110
4043
|
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
4111
4044
|
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
4112
4045
|
implementationGroup: "IG3",
|
|
4113
|
-
assetType: ["
|
|
4046
|
+
assetType: ["Data"],
|
|
4114
4047
|
securityFunction: ["Protect"],
|
|
4115
4048
|
governanceElements: [ // Orange - MUST be met
|
|
4116
4049
|
"Ensure",
|
|
@@ -4120,17 +4053,12 @@ export class SafeguardManager {
|
|
|
4120
4053
|
"separate enterprise workspaces are used on mobile end-user devices"
|
|
4121
4054
|
],
|
|
4122
4055
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4123
|
-
"
|
|
4124
|
-
"
|
|
4125
|
-
"Enterprise Applications",
|
|
4126
|
-
"Enterprise Data",
|
|
4127
|
-
"Personal Applications",
|
|
4128
|
-
"Personal Data"
|
|
4056
|
+
"Enterprise Applications and Enterprise Data",
|
|
4057
|
+
"Seperate from Personal Applications and Personal Data"
|
|
4129
4058
|
],
|
|
4130
4059
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4131
4060
|
"Apple® Configuration Profile",
|
|
4132
|
-
"AndroidTM Work Profile"
|
|
4133
|
-
"Configuration Management Tool"
|
|
4061
|
+
"AndroidTM Work Profile"
|
|
4134
4062
|
],
|
|
4135
4063
|
relatedSafeguards: ["4.1"],
|
|
4136
4064
|
systemPromptFull: {
|
|
@@ -4218,7 +4146,7 @@ export class SafeguardManager {
|
|
|
4218
4146
|
title: "Establish and Maintain an Inventory of Accounts",
|
|
4219
4147
|
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
4220
4148
|
implementationGroup: "IG1",
|
|
4221
|
-
assetType: ["
|
|
4149
|
+
assetType: ["Users"],
|
|
4222
4150
|
securityFunction: ["Identify"],
|
|
4223
4151
|
governanceElements: [ // Orange - MUST be met
|
|
4224
4152
|
"Establish and maintain an inventory of all accounts managed in the enterprise",
|
|
@@ -4335,7 +4263,7 @@ export class SafeguardManager {
|
|
|
4335
4263
|
title: "Use Unique Passwords",
|
|
4336
4264
|
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
4337
4265
|
implementationGroup: "IG1",
|
|
4338
|
-
assetType: ["
|
|
4266
|
+
assetType: ["Users"],
|
|
4339
4267
|
securityFunction: ["Protect"],
|
|
4340
4268
|
governanceElements: [ // Orange - MUST be met
|
|
4341
4269
|
"Use unique passwords for all enterprise assets",
|
|
@@ -4441,7 +4369,7 @@ export class SafeguardManager {
|
|
|
4441
4369
|
title: "Disable Dormant Accounts",
|
|
4442
4370
|
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
4443
4371
|
implementationGroup: "IG1",
|
|
4444
|
-
assetType: ["
|
|
4372
|
+
assetType: ["Users"],
|
|
4445
4373
|
securityFunction: ["Protect"],
|
|
4446
4374
|
governanceElements: [ // Orange - MUST be met
|
|
4447
4375
|
"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
|
|
@@ -4545,7 +4473,7 @@ export class SafeguardManager {
|
|
|
4545
4473
|
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
4546
4474
|
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
4547
4475
|
implementationGroup: "IG1",
|
|
4548
|
-
assetType: ["
|
|
4476
|
+
assetType: ["Users"],
|
|
4549
4477
|
securityFunction: ["Protect"],
|
|
4550
4478
|
governanceElements: [ // Orange - MUST be met
|
|
4551
4479
|
"Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
|
|
@@ -4655,7 +4583,7 @@ export class SafeguardManager {
|
|
|
4655
4583
|
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
4656
4584
|
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
4657
4585
|
implementationGroup: "IG2",
|
|
4658
|
-
assetType: ["
|
|
4586
|
+
assetType: ["Users"],
|
|
4659
4587
|
securityFunction: ["Identify"],
|
|
4660
4588
|
governanceElements: [ // Orange - MUST be met
|
|
4661
4589
|
"Establish and maintain an inventory of service accounts",
|
|
@@ -4768,7 +4696,7 @@ export class SafeguardManager {
|
|
|
4768
4696
|
title: "Centralize Account Management",
|
|
4769
4697
|
description: "Centralize account management through a directory or identity service.",
|
|
4770
4698
|
implementationGroup: "IG2",
|
|
4771
|
-
assetType: ["
|
|
4699
|
+
assetType: ["Users"],
|
|
4772
4700
|
securityFunction: ["Govern"],
|
|
4773
4701
|
governanceElements: [ // Orange - MUST be met
|
|
4774
4702
|
"Centralize account management through a directory or identity service"
|
|
@@ -4872,7 +4800,7 @@ export class SafeguardManager {
|
|
|
4872
4800
|
title: "Establish an Access Granting Process",
|
|
4873
4801
|
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
4874
4802
|
implementationGroup: "IG1",
|
|
4875
|
-
assetType: ["
|
|
4803
|
+
assetType: ["Users"],
|
|
4876
4804
|
securityFunction: ["Govern"],
|
|
4877
4805
|
governanceElements: [ // Orange - MUST be met
|
|
4878
4806
|
"Establish",
|
|
@@ -4983,7 +4911,7 @@ export class SafeguardManager {
|
|
|
4983
4911
|
title: "Establish an Access Revoking Process",
|
|
4984
4912
|
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
4985
4913
|
implementationGroup: "IG1",
|
|
4986
|
-
assetType: ["
|
|
4914
|
+
assetType: ["Users"],
|
|
4987
4915
|
securityFunction: ["Govern"],
|
|
4988
4916
|
governanceElements: [ // Orange - MUST be met
|
|
4989
4917
|
"Establish",
|
|
@@ -5099,7 +5027,7 @@ export class SafeguardManager {
|
|
|
5099
5027
|
title: "Require MFA for Externally-Exposed Applications",
|
|
5100
5028
|
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
5101
5029
|
implementationGroup: "IG1",
|
|
5102
|
-
assetType: ["
|
|
5030
|
+
assetType: ["Users"],
|
|
5103
5031
|
securityFunction: ["Protect"],
|
|
5104
5032
|
governanceElements: [ // Orange - MUST be met
|
|
5105
5033
|
"Require",
|
|
@@ -5208,7 +5136,7 @@ export class SafeguardManager {
|
|
|
5208
5136
|
title: "Require MFA for Remote Network Access",
|
|
5209
5137
|
description: "Require MFA for remote network access.",
|
|
5210
5138
|
implementationGroup: "IG1",
|
|
5211
|
-
assetType: ["
|
|
5139
|
+
assetType: ["Users"],
|
|
5212
5140
|
securityFunction: ["Protect"],
|
|
5213
5141
|
governanceElements: [ // Orange - MUST be met
|
|
5214
5142
|
"Require",
|
|
@@ -5312,7 +5240,7 @@ export class SafeguardManager {
|
|
|
5312
5240
|
title: "Require MFA for Administrative Access",
|
|
5313
5241
|
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
5314
5242
|
implementationGroup: "IG1",
|
|
5315
|
-
assetType: ["
|
|
5243
|
+
assetType: ["Users"],
|
|
5316
5244
|
securityFunction: ["Protect"],
|
|
5317
5245
|
governanceElements: [ // Orange - MUST be met
|
|
5318
5246
|
"Require",
|
|
@@ -5533,7 +5461,7 @@ export class SafeguardManager {
|
|
|
5533
5461
|
title: "Centralize Access Control",
|
|
5534
5462
|
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
5535
5463
|
implementationGroup: "IG2",
|
|
5536
|
-
assetType: ["
|
|
5464
|
+
assetType: ["Users"],
|
|
5537
5465
|
securityFunction: ["Protect"],
|
|
5538
5466
|
governanceElements: [ // Orange - MUST be met
|
|
5539
5467
|
"Centralize",
|
|
@@ -5645,7 +5573,7 @@ export class SafeguardManager {
|
|
|
5645
5573
|
title: "Define and Maintain Role-Based Access Control",
|
|
5646
5574
|
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
5647
5575
|
implementationGroup: "IG3",
|
|
5648
|
-
assetType: ["
|
|
5576
|
+
assetType: ["Users"],
|
|
5649
5577
|
securityFunction: ["Govern"],
|
|
5650
5578
|
governanceElements: [ // Orange - MUST be met
|
|
5651
5579
|
"Define",
|
|
@@ -5997,7 +5925,7 @@ export class SafeguardManager {
|
|
|
5997
5925
|
title: "Perform Automated Operating System Patch Management",
|
|
5998
5926
|
description: "Perform automated operating system patch management on enterprise assets",
|
|
5999
5927
|
implementationGroup: "IG1",
|
|
6000
|
-
assetType: ["
|
|
5928
|
+
assetType: ["Devices"],
|
|
6001
5929
|
securityFunction: ["Protect"],
|
|
6002
5930
|
governanceElements: [ // Orange - MUST be met
|
|
6003
5931
|
"perform automated OS patch management",
|
|
@@ -6229,7 +6157,7 @@ export class SafeguardManager {
|
|
|
6229
6157
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
6230
6158
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
6231
6159
|
implementationGroup: "IG2",
|
|
6232
|
-
assetType: ["
|
|
6160
|
+
assetType: ["Devices", "Software"],
|
|
6233
6161
|
securityFunction: ["Detect"],
|
|
6234
6162
|
governanceElements: [ // Orange - MUST be met
|
|
6235
6163
|
"perform automated vulnerability scans",
|
|
@@ -6345,7 +6273,7 @@ export class SafeguardManager {
|
|
|
6345
6273
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
6346
6274
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
6347
6275
|
implementationGroup: "IG2",
|
|
6348
|
-
assetType: ["
|
|
6276
|
+
assetType: ["Devices", "Software"],
|
|
6349
6277
|
securityFunction: ["Detect"],
|
|
6350
6278
|
governanceElements: [ // Orange - MUST be met
|
|
6351
6279
|
"perform automated vulnerability scans",
|
|
@@ -6577,7 +6505,7 @@ export class SafeguardManager {
|
|
|
6577
6505
|
title: "Establish and Maintain an Audit Log Management Process",
|
|
6578
6506
|
description: "Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
6579
6507
|
implementationGroup: "IG1",
|
|
6580
|
-
assetType: ["enterprise assets", "
|
|
6508
|
+
assetType: ["enterprise assets", "Data"],
|
|
6581
6509
|
securityFunction: ["Govern"],
|
|
6582
6510
|
governanceElements: [
|
|
6583
6511
|
"establish and maintain",
|
|
@@ -6687,7 +6615,7 @@ export class SafeguardManager {
|
|
|
6687
6615
|
title: "Collect Audit Logs",
|
|
6688
6616
|
description: "Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.",
|
|
6689
6617
|
implementationGroup: "IG1",
|
|
6690
|
-
assetType: ["enterprise assets", "
|
|
6618
|
+
assetType: ["enterprise assets", "Data"],
|
|
6691
6619
|
securityFunction: ["Detect"],
|
|
6692
6620
|
governanceElements: [
|
|
6693
6621
|
"per the enterprise's audit log management process"
|
|
@@ -6790,7 +6718,7 @@ export class SafeguardManager {
|
|
|
6790
6718
|
title: "Ensure Adequate Audit Log Storage",
|
|
6791
6719
|
description: "Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.",
|
|
6792
6720
|
implementationGroup: "IG1",
|
|
6793
|
-
assetType: ["
|
|
6721
|
+
assetType: ["Data"],
|
|
6794
6722
|
securityFunction: ["Protect"],
|
|
6795
6723
|
governanceElements: [
|
|
6796
6724
|
"comply with the enterprise's audit log management process"
|
|
@@ -6894,7 +6822,7 @@ export class SafeguardManager {
|
|
|
6894
6822
|
title: "Standardize Time Synchronization",
|
|
6895
6823
|
description: "Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.",
|
|
6896
6824
|
implementationGroup: "IG2",
|
|
6897
|
-
assetType: ["enterprise assets", "
|
|
6825
|
+
assetType: ["enterprise assets", "Data"],
|
|
6898
6826
|
securityFunction: ["Protect"],
|
|
6899
6827
|
governanceElements: [
|
|
6900
6828
|
"standardize time synchronization"
|
|
@@ -7000,7 +6928,7 @@ export class SafeguardManager {
|
|
|
7000
6928
|
title: "Collect Detailed Audit Logs",
|
|
7001
6929
|
description: "Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.",
|
|
7002
6930
|
implementationGroup: "IG2",
|
|
7003
|
-
assetType: ["enterprise assets", "
|
|
6931
|
+
assetType: ["enterprise assets", "Data"],
|
|
7004
6932
|
securityFunction: ["Detect"],
|
|
7005
6933
|
governanceElements: [
|
|
7006
6934
|
"configure detailed audit logging"
|
|
@@ -7109,7 +7037,7 @@ export class SafeguardManager {
|
|
|
7109
7037
|
title: "Collect DNS Query Audit Logs",
|
|
7110
7038
|
description: "Collect DNS query audit logs on enterprise assets, where appropriate and supported.",
|
|
7111
7039
|
implementationGroup: "IG2",
|
|
7112
|
-
assetType: ["enterprise assets", "
|
|
7040
|
+
assetType: ["enterprise assets", "Data"],
|
|
7113
7041
|
securityFunction: ["Detect"],
|
|
7114
7042
|
governanceElements: [
|
|
7115
7043
|
"where appropriate and supported"
|
|
@@ -7214,7 +7142,7 @@ export class SafeguardManager {
|
|
|
7214
7142
|
title: "Collect URL Request Audit Logs",
|
|
7215
7143
|
description: "Collect URL request audit logs on enterprise assets, where appropriate and supported.",
|
|
7216
7144
|
implementationGroup: "IG2",
|
|
7217
|
-
assetType: ["enterprise assets", "
|
|
7145
|
+
assetType: ["enterprise assets", "Data"],
|
|
7218
7146
|
securityFunction: ["Detect"],
|
|
7219
7147
|
governanceElements: [
|
|
7220
7148
|
"where appropriate and supported"
|
|
@@ -7319,7 +7247,7 @@ export class SafeguardManager {
|
|
|
7319
7247
|
title: "Collect Command-Line Audit Logs",
|
|
7320
7248
|
description: "Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.",
|
|
7321
7249
|
implementationGroup: "IG2",
|
|
7322
|
-
assetType: ["
|
|
7250
|
+
assetType: ["Data"],
|
|
7323
7251
|
securityFunction: ["Detect"],
|
|
7324
7252
|
governanceElements: [
|
|
7325
7253
|
"collect command-line audit logs"
|
|
@@ -7423,7 +7351,7 @@ export class SafeguardManager {
|
|
|
7423
7351
|
title: "Centralize Audit Logs",
|
|
7424
7352
|
description: "Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources.",
|
|
7425
7353
|
implementationGroup: "IG2",
|
|
7426
|
-
assetType: ["enterprise assets", "
|
|
7354
|
+
assetType: ["enterprise assets", "Data"],
|
|
7427
7355
|
securityFunction: ["Detect"],
|
|
7428
7356
|
governanceElements: [
|
|
7429
7357
|
"in accordance with documented audit log management process",
|
|
@@ -7529,7 +7457,7 @@ export class SafeguardManager {
|
|
|
7529
7457
|
title: "Retain Audit Logs",
|
|
7530
7458
|
description: "Retain audit logs across enterprise assets for a minimum of 90 days.",
|
|
7531
7459
|
implementationGroup: "IG2",
|
|
7532
|
-
assetType: ["enterprise assets", "
|
|
7460
|
+
assetType: ["enterprise assets", "Data"],
|
|
7533
7461
|
securityFunction: ["Protect"],
|
|
7534
7462
|
governanceElements: [
|
|
7535
7463
|
"minimum of 90 days"
|
|
@@ -7630,7 +7558,7 @@ export class SafeguardManager {
|
|
|
7630
7558
|
title: "Conduct Audit Log Reviews",
|
|
7631
7559
|
description: "Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.",
|
|
7632
7560
|
implementationGroup: "IG2",
|
|
7633
|
-
assetType: ["
|
|
7561
|
+
assetType: ["Data"],
|
|
7634
7562
|
securityFunction: ["Detect"],
|
|
7635
7563
|
governanceElements: [
|
|
7636
7564
|
"conduct reviews on a weekly, or more frequent, basis"
|
|
@@ -7734,7 +7662,7 @@ export class SafeguardManager {
|
|
|
7734
7662
|
title: "Collect Service Provider Logs",
|
|
7735
7663
|
description: "Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.",
|
|
7736
7664
|
implementationGroup: "IG3",
|
|
7737
|
-
assetType: ["
|
|
7665
|
+
assetType: ["Data"],
|
|
7738
7666
|
securityFunction: ["Detect"],
|
|
7739
7667
|
governanceElements: [
|
|
7740
7668
|
"where supported"
|
|
@@ -7951,7 +7879,7 @@ export class SafeguardManager {
|
|
|
7951
7879
|
title: "Use DNS Filtering Services",
|
|
7952
7880
|
description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
|
|
7953
7881
|
implementationGroup: "IG1",
|
|
7954
|
-
assetType: ["
|
|
7882
|
+
assetType: ["Devices", "network"],
|
|
7955
7883
|
securityFunction: ["Protect"],
|
|
7956
7884
|
governanceElements: [ // Orange - MUST be met
|
|
7957
7885
|
"use DNS filtering services on all end-user devices",
|
|
@@ -8627,7 +8555,7 @@ export class SafeguardManager {
|
|
|
8627
8555
|
title: "Deploy and Maintain Anti-Malware Software",
|
|
8628
8556
|
description: "Deploy and maintain anti-malware software on all enterprise assets",
|
|
8629
8557
|
implementationGroup: "IG1",
|
|
8630
|
-
assetType: ["
|
|
8558
|
+
assetType: ["Devices"],
|
|
8631
8559
|
securityFunction: ["Detect"],
|
|
8632
8560
|
governanceElements: [ // Orange - MUST be met
|
|
8633
8561
|
"deploy anti-malware software",
|
|
@@ -8740,7 +8668,7 @@ export class SafeguardManager {
|
|
|
8740
8668
|
title: "Configure Automatic Anti-Malware Signature Updates",
|
|
8741
8669
|
description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
|
|
8742
8670
|
implementationGroup: "IG1",
|
|
8743
|
-
assetType: ["
|
|
8671
|
+
assetType: ["Devices"],
|
|
8744
8672
|
securityFunction: ["Protect"],
|
|
8745
8673
|
governanceElements: [ // Orange - MUST be met
|
|
8746
8674
|
"configure automatic updates",
|
|
@@ -8848,7 +8776,7 @@ export class SafeguardManager {
|
|
|
8848
8776
|
title: "Disable Autorun and Autoplay for Removable Media",
|
|
8849
8777
|
description: "Disable autorun and autoplay auto-execute functionality for removable media",
|
|
8850
8778
|
implementationGroup: "IG1",
|
|
8851
|
-
assetType: ["
|
|
8779
|
+
assetType: ["Devices"],
|
|
8852
8780
|
securityFunction: ["Protect"],
|
|
8853
8781
|
governanceElements: [ // Orange - MUST be met
|
|
8854
8782
|
"disable autorun functionality",
|
|
@@ -8961,7 +8889,7 @@ export class SafeguardManager {
|
|
|
8961
8889
|
title: "Configure Automatic Anti-Malware Scanning of Removable Media",
|
|
8962
8890
|
description: "Configure anti-malware software to automatically scan removable media",
|
|
8963
8891
|
implementationGroup: "IG2",
|
|
8964
|
-
assetType: ["
|
|
8892
|
+
assetType: ["Devices"],
|
|
8965
8893
|
securityFunction: ["Detect"],
|
|
8966
8894
|
governanceElements: [ // Orange - MUST be met
|
|
8967
8895
|
"configure anti-malware software",
|
|
@@ -9073,7 +9001,7 @@ export class SafeguardManager {
|
|
|
9073
9001
|
title: "Enable Anti-Exploitation Features",
|
|
9074
9002
|
description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
|
|
9075
9003
|
implementationGroup: "IG2",
|
|
9076
|
-
assetType: ["
|
|
9004
|
+
assetType: ["Devices"],
|
|
9077
9005
|
securityFunction: ["Protect"],
|
|
9078
9006
|
governanceElements: [ // Orange - MUST be met
|
|
9079
9007
|
"enable anti-exploitation features",
|
|
@@ -9187,7 +9115,7 @@ export class SafeguardManager {
|
|
|
9187
9115
|
title: "Centrally Manage Anti-Malware Software",
|
|
9188
9116
|
description: "Centrally manage anti-malware software",
|
|
9189
9117
|
implementationGroup: "IG2",
|
|
9190
|
-
assetType: ["
|
|
9118
|
+
assetType: ["Devices"],
|
|
9191
9119
|
securityFunction: ["Protect"],
|
|
9192
9120
|
governanceElements: [ // Orange - MUST be met
|
|
9193
9121
|
"centrally manage anti-malware",
|
|
@@ -9297,7 +9225,7 @@ export class SafeguardManager {
|
|
|
9297
9225
|
title: "Use Behavior-Based Anti-Malware Software",
|
|
9298
9226
|
description: "Use behavior-based anti-malware software",
|
|
9299
9227
|
implementationGroup: "IG2",
|
|
9300
|
-
assetType: ["
|
|
9228
|
+
assetType: ["Devices"],
|
|
9301
9229
|
securityFunction: ["Detect"],
|
|
9302
9230
|
governanceElements: [ // Orange - MUST be met
|
|
9303
9231
|
"use behavior-based anti-malware",
|
|
@@ -9408,7 +9336,7 @@ export class SafeguardManager {
|
|
|
9408
9336
|
title: "Establish and Maintain a Data Recovery Process",
|
|
9409
9337
|
description: "Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9410
9338
|
implementationGroup: "IG1",
|
|
9411
|
-
assetType: ["
|
|
9339
|
+
assetType: ["Data"],
|
|
9412
9340
|
securityFunction: ["Govern"],
|
|
9413
9341
|
governanceElements: [ // Orange - MUST be met
|
|
9414
9342
|
"establish documented data recovery process",
|
|
@@ -9525,7 +9453,7 @@ export class SafeguardManager {
|
|
|
9525
9453
|
title: "Perform Automated Backups",
|
|
9526
9454
|
description: "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data",
|
|
9527
9455
|
implementationGroup: "IG1",
|
|
9528
|
-
assetType: ["
|
|
9456
|
+
assetType: ["Data"],
|
|
9529
9457
|
securityFunction: ["Recover"],
|
|
9530
9458
|
governanceElements: [ // Orange - MUST be met
|
|
9531
9459
|
"perform automated backups",
|
|
@@ -9640,7 +9568,7 @@ export class SafeguardManager {
|
|
|
9640
9568
|
title: "Protect Recovery Data",
|
|
9641
9569
|
description: "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements",
|
|
9642
9570
|
implementationGroup: "IG1",
|
|
9643
|
-
assetType: ["
|
|
9571
|
+
assetType: ["Data"],
|
|
9644
9572
|
securityFunction: ["Protect"],
|
|
9645
9573
|
governanceElements: [ // Orange - MUST be met
|
|
9646
9574
|
"protect recovery data",
|
|
@@ -9754,7 +9682,7 @@ export class SafeguardManager {
|
|
|
9754
9682
|
title: "Establish and Maintain an Isolated Instance of Recovery Data",
|
|
9755
9683
|
description: "Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services",
|
|
9756
9684
|
implementationGroup: "IG1",
|
|
9757
|
-
assetType: ["
|
|
9685
|
+
assetType: ["Data"],
|
|
9758
9686
|
securityFunction: ["Recover"],
|
|
9759
9687
|
governanceElements: [ // Orange - MUST be met
|
|
9760
9688
|
"establish isolated instance of recovery data",
|
|
@@ -9871,7 +9799,7 @@ export class SafeguardManager {
|
|
|
9871
9799
|
title: "Test Data Recovery",
|
|
9872
9800
|
description: "Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets",
|
|
9873
9801
|
implementationGroup: "IG2",
|
|
9874
|
-
assetType: ["
|
|
9802
|
+
assetType: ["Data"],
|
|
9875
9803
|
securityFunction: ["Recover"],
|
|
9876
9804
|
governanceElements: [ // Orange - MUST be met
|
|
9877
9805
|
"test backup recovery quarterly or more frequently",
|
|
@@ -10673,7 +10601,7 @@ export class SafeguardManager {
|
|
|
10673
10601
|
title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
|
|
10674
10602
|
description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
|
|
10675
10603
|
implementationGroup: "IG2",
|
|
10676
|
-
assetType: ["
|
|
10604
|
+
assetType: ["Devices"],
|
|
10677
10605
|
securityFunction: ["Protect"],
|
|
10678
10606
|
governanceElements: [ // Orange - MUST be met
|
|
10679
10607
|
"require users to authenticate to enterprise-managed VPN",
|
|
@@ -10787,7 +10715,7 @@ export class SafeguardManager {
|
|
|
10787
10715
|
title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
|
|
10788
10716
|
description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
|
|
10789
10717
|
implementationGroup: "IG3",
|
|
10790
|
-
assetType: ["
|
|
10718
|
+
assetType: ["Devices"],
|
|
10791
10719
|
securityFunction: ["Protect"],
|
|
10792
10720
|
governanceElements: [ // Orange - MUST be met
|
|
10793
10721
|
"establish dedicated computing resources for administrative work",
|
|
@@ -10903,7 +10831,7 @@ export class SafeguardManager {
|
|
|
10903
10831
|
title: "Centralize Security Event Alerting",
|
|
10904
10832
|
description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
|
|
10905
10833
|
implementationGroup: "IG2",
|
|
10906
|
-
assetType: ["network", "
|
|
10834
|
+
assetType: ["network", "Devices"],
|
|
10907
10835
|
securityFunction: ["Detect"],
|
|
10908
10836
|
governanceElements: [ // Orange - MUST be met
|
|
10909
10837
|
"centralize security event alerting across enterprise assets",
|
|
@@ -11016,7 +10944,7 @@ export class SafeguardManager {
|
|
|
11016
10944
|
title: "Deploy a Host-Based Intrusion Detection Solution",
|
|
11017
10945
|
description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
|
|
11018
10946
|
implementationGroup: "IG2",
|
|
11019
|
-
assetType: ["
|
|
10947
|
+
assetType: ["Devices"],
|
|
11020
10948
|
securityFunction: ["Detect"],
|
|
11021
10949
|
governanceElements: [ // Orange - MUST be met
|
|
11022
10950
|
"deploy host-based intrusion detection solution",
|
|
@@ -11344,7 +11272,7 @@ export class SafeguardManager {
|
|
|
11344
11272
|
title: "Manage Access Control for Remote Assets",
|
|
11345
11273
|
description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
|
|
11346
11274
|
implementationGroup: "IG2",
|
|
11347
|
-
assetType: ["
|
|
11275
|
+
assetType: ["Devices", "network"],
|
|
11348
11276
|
securityFunction: ["Protect"],
|
|
11349
11277
|
governanceElements: [ // Orange - MUST be met
|
|
11350
11278
|
"manage access control for assets remotely connecting to enterprise networks",
|
|
@@ -11566,7 +11494,7 @@ export class SafeguardManager {
|
|
|
11566
11494
|
title: "Deploy a Host-Based Intrusion Prevention Solution",
|
|
11567
11495
|
description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
|
|
11568
11496
|
implementationGroup: "IG3",
|
|
11569
|
-
assetType: ["
|
|
11497
|
+
assetType: ["Devices"],
|
|
11570
11498
|
securityFunction: ["Respond"],
|
|
11571
11499
|
governanceElements: [ // Orange - MUST be met
|
|
11572
11500
|
"deploy host-based intrusion prevention solution",
|
|
@@ -12003,7 +11931,7 @@ export class SafeguardManager {
|
|
|
12003
11931
|
title: "Tune Security Event Alerting Thresholds",
|
|
12004
11932
|
description: "Tune security event alerting thresholds monthly, or more frequently",
|
|
12005
11933
|
implementationGroup: "IG3",
|
|
12006
|
-
assetType: ["network", "
|
|
11934
|
+
assetType: ["network", "Devices"],
|
|
12007
11935
|
securityFunction: ["Detect"],
|
|
12008
11936
|
governanceElements: [ // Orange - MUST be met
|
|
12009
11937
|
"tune security event alerting thresholds",
|
|
@@ -12111,7 +12039,7 @@ export class SafeguardManager {
|
|
|
12111
12039
|
title: "Establish and Maintain a Security Awareness Program",
|
|
12112
12040
|
description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
12113
12041
|
implementationGroup: "IG1",
|
|
12114
|
-
assetType: ["
|
|
12042
|
+
assetType: ["Users"],
|
|
12115
12043
|
securityFunction: ["Govern"],
|
|
12116
12044
|
governanceElements: [ // Orange - MUST be met
|
|
12117
12045
|
"establish and maintain a security awareness program",
|
|
@@ -12227,7 +12155,7 @@ export class SafeguardManager {
|
|
|
12227
12155
|
title: "Train Workforce Members to Recognize Social Engineering Attacks",
|
|
12228
12156
|
description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
|
|
12229
12157
|
implementationGroup: "IG1",
|
|
12230
|
-
assetType: ["
|
|
12158
|
+
assetType: ["Users"],
|
|
12231
12159
|
securityFunction: ["Protect"],
|
|
12232
12160
|
governanceElements: [ // Orange - MUST be met
|
|
12233
12161
|
"train workforce members to recognize social engineering attacks",
|
|
@@ -12340,7 +12268,7 @@ export class SafeguardManager {
|
|
|
12340
12268
|
title: "Train Workforce Members on Authentication Best Practices",
|
|
12341
12269
|
description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
|
|
12342
12270
|
implementationGroup: "IG1",
|
|
12343
|
-
assetType: ["
|
|
12271
|
+
assetType: ["Users"],
|
|
12344
12272
|
securityFunction: ["Protect"],
|
|
12345
12273
|
governanceElements: [ // Orange - MUST be met
|
|
12346
12274
|
"train workforce members on authentication best practices",
|
|
@@ -12451,7 +12379,7 @@ export class SafeguardManager {
|
|
|
12451
12379
|
title: "Train Workforce on Data Handling Best Practices",
|
|
12452
12380
|
description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
|
|
12453
12381
|
implementationGroup: "IG1",
|
|
12454
|
-
assetType: ["
|
|
12382
|
+
assetType: ["Users"],
|
|
12455
12383
|
securityFunction: ["Protect"],
|
|
12456
12384
|
governanceElements: [ // Orange - MUST be met
|
|
12457
12385
|
"train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
|
|
@@ -12570,7 +12498,7 @@ export class SafeguardManager {
|
|
|
12570
12498
|
title: "Train Workforce Members on Causes of Unintentional Data Exposure",
|
|
12571
12499
|
description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
|
|
12572
12500
|
implementationGroup: "IG1",
|
|
12573
|
-
assetType: ["
|
|
12501
|
+
assetType: ["Users"],
|
|
12574
12502
|
securityFunction: ["Protect"],
|
|
12575
12503
|
governanceElements: [ // Orange - MUST be met
|
|
12576
12504
|
"train workforce members to be aware of causes for unintentional data exposure",
|
|
@@ -12681,7 +12609,7 @@ export class SafeguardManager {
|
|
|
12681
12609
|
title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
|
|
12682
12610
|
description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
|
|
12683
12611
|
implementationGroup: "IG1",
|
|
12684
|
-
assetType: ["
|
|
12612
|
+
assetType: ["Users"],
|
|
12685
12613
|
securityFunction: ["Protect"],
|
|
12686
12614
|
governanceElements: [ // Orange - MUST be met
|
|
12687
12615
|
"train workforce members to be able to recognize a potential incident",
|
|
@@ -12790,7 +12718,7 @@ export class SafeguardManager {
|
|
|
12790
12718
|
title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
|
|
12791
12719
|
description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
|
|
12792
12720
|
implementationGroup: "IG1",
|
|
12793
|
-
assetType: ["
|
|
12721
|
+
assetType: ["Users"],
|
|
12794
12722
|
securityFunction: ["Protect"],
|
|
12795
12723
|
governanceElements: [ // Orange - MUST be met
|
|
12796
12724
|
"train workforce to understand how to verify and report out-of-date software patches",
|
|
@@ -12905,7 +12833,7 @@ export class SafeguardManager {
|
|
|
12905
12833
|
title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
|
|
12906
12834
|
description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
|
|
12907
12835
|
implementationGroup: "IG1",
|
|
12908
|
-
assetType: ["
|
|
12836
|
+
assetType: ["Users"],
|
|
12909
12837
|
securityFunction: ["Protect"],
|
|
12910
12838
|
governanceElements: [ // Orange - MUST be met
|
|
12911
12839
|
"train workforce members on dangers of connecting to and transmitting data over insecure networks",
|
|
@@ -13019,7 +12947,7 @@ export class SafeguardManager {
|
|
|
13019
12947
|
title: "Conduct Role-Specific Security Awareness and Skills Training",
|
|
13020
12948
|
description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
|
|
13021
12949
|
implementationGroup: "IG2",
|
|
13022
|
-
assetType: ["
|
|
12950
|
+
assetType: ["Users"],
|
|
13023
12951
|
securityFunction: ["Protect"],
|
|
13024
12952
|
governanceElements: [ // Orange - MUST be met
|
|
13025
12953
|
"conduct role-specific security awareness and skills training",
|
|
@@ -13131,7 +13059,7 @@ export class SafeguardManager {
|
|
|
13131
13059
|
title: "Establish and Maintain an Inventory of Service Providers",
|
|
13132
13060
|
description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13133
13061
|
implementationGroup: "IG1",
|
|
13134
|
-
assetType: ["
|
|
13062
|
+
assetType: ["Users"],
|
|
13135
13063
|
securityFunction: ["Identify"],
|
|
13136
13064
|
governanceElements: [ // Orange - MUST be met
|
|
13137
13065
|
"establish and maintain an inventory of service providers",
|
|
@@ -13245,7 +13173,7 @@ export class SafeguardManager {
|
|
|
13245
13173
|
title: "Establish and Maintain a Service Provider Management Policy",
|
|
13246
13174
|
description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13247
13175
|
implementationGroup: "IG2",
|
|
13248
|
-
assetType: ["
|
|
13176
|
+
assetType: ["Users"],
|
|
13249
13177
|
securityFunction: ["Govern"],
|
|
13250
13178
|
governanceElements: [ // Orange - MUST be met
|
|
13251
13179
|
"establish and maintain a service provider management policy",
|
|
@@ -13364,7 +13292,7 @@ export class SafeguardManager {
|
|
|
13364
13292
|
title: "Classify Service Providers",
|
|
13365
13293
|
description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13366
13294
|
implementationGroup: "IG2",
|
|
13367
|
-
assetType: ["
|
|
13295
|
+
assetType: ["Users"],
|
|
13368
13296
|
securityFunction: ["Govern"],
|
|
13369
13297
|
governanceElements: [ // Orange - MUST be met
|
|
13370
13298
|
"classify service providers",
|
|
@@ -13481,7 +13409,7 @@ export class SafeguardManager {
|
|
|
13481
13409
|
title: "Ensure Service Provider Contracts Include Security Requirements",
|
|
13482
13410
|
description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
|
|
13483
13411
|
implementationGroup: "IG2",
|
|
13484
|
-
assetType: ["
|
|
13412
|
+
assetType: ["Users"],
|
|
13485
13413
|
securityFunction: ["Govern"],
|
|
13486
13414
|
governanceElements: [ // Orange - MUST be met
|
|
13487
13415
|
"ensure service provider contracts include security requirements",
|
|
@@ -13597,7 +13525,7 @@ export class SafeguardManager {
|
|
|
13597
13525
|
title: "Assess Service Providers",
|
|
13598
13526
|
description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
|
|
13599
13527
|
implementationGroup: "IG3",
|
|
13600
|
-
assetType: ["
|
|
13528
|
+
assetType: ["Users"],
|
|
13601
13529
|
securityFunction: ["Govern"],
|
|
13602
13530
|
governanceElements: [ // Orange - MUST be met
|
|
13603
13531
|
"assess service providers consistent with enterprise's service provider management policy",
|
|
@@ -13713,7 +13641,7 @@ export class SafeguardManager {
|
|
|
13713
13641
|
title: "Monitor Service Providers",
|
|
13714
13642
|
description: "Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring",
|
|
13715
13643
|
implementationGroup: "IG3",
|
|
13716
|
-
assetType: ["
|
|
13644
|
+
assetType: ["Data"],
|
|
13717
13645
|
securityFunction: ["Govern"],
|
|
13718
13646
|
governanceElements: [ // Orange - MUST be met
|
|
13719
13647
|
"monitor service providers consistent with enterprise's service provider management policy",
|
|
@@ -13824,7 +13752,7 @@ export class SafeguardManager {
|
|
|
13824
13752
|
title: "Securely Decommission Service Providers",
|
|
13825
13753
|
description: "Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems",
|
|
13826
13754
|
implementationGroup: "IG3",
|
|
13827
|
-
assetType: ["
|
|
13755
|
+
assetType: ["Data"],
|
|
13828
13756
|
securityFunction: ["Protect"],
|
|
13829
13757
|
governanceElements: [ // Orange - MUST be met
|
|
13830
13758
|
"securely decommission service providers",
|
|
@@ -14836,7 +14764,7 @@ export class SafeguardManager {
|
|
|
14836
14764
|
title: "Train Developers in Application Security Concepts and Secure Coding",
|
|
14837
14765
|
description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
|
|
14838
14766
|
implementationGroup: "IG2",
|
|
14839
|
-
assetType: ["
|
|
14767
|
+
assetType: ["Users"],
|
|
14840
14768
|
securityFunction: ["Protect"],
|
|
14841
14769
|
governanceElements: [ // Orange - MUST be met
|
|
14842
14770
|
"ensure that all software development personnel receive training in writing secure code",
|
|
@@ -15516,7 +15444,7 @@ export class SafeguardManager {
|
|
|
15516
15444
|
title: "Designate Personnel to Manage Incident Handling",
|
|
15517
15445
|
description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15518
15446
|
implementationGroup: "IG1",
|
|
15519
|
-
assetType: ["
|
|
15447
|
+
assetType: ["Users"],
|
|
15520
15448
|
securityFunction: ["Respond"],
|
|
15521
15449
|
governanceElements: [ // Orange - MUST be met
|
|
15522
15450
|
"designate one key person and at least one backup who will manage the enterprise's incident handling process",
|
|
@@ -15628,7 +15556,7 @@ export class SafeguardManager {
|
|
|
15628
15556
|
title: "Establish and Maintain Contact Information for Reporting Security Incidents",
|
|
15629
15557
|
description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
|
|
15630
15558
|
implementationGroup: "IG1",
|
|
15631
|
-
assetType: ["
|
|
15559
|
+
assetType: ["Users"],
|
|
15632
15560
|
securityFunction: ["Respond"],
|
|
15633
15561
|
governanceElements: [ // Orange - MUST be met
|
|
15634
15562
|
"establish and maintain contact information for reporting security incidents",
|
|
@@ -15738,7 +15666,7 @@ export class SafeguardManager {
|
|
|
15738
15666
|
title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
|
|
15739
15667
|
description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15740
15668
|
implementationGroup: "IG1",
|
|
15741
|
-
assetType: ["
|
|
15669
|
+
assetType: ["Users"],
|
|
15742
15670
|
securityFunction: ["Govern"],
|
|
15743
15671
|
governanceElements: [ // Orange - MUST be met
|
|
15744
15672
|
"establish and maintain a documented enterprise process for the workforce to report security incidents",
|
|
@@ -15850,7 +15778,7 @@ export class SafeguardManager {
|
|
|
15850
15778
|
title: "Establish and Maintain an Incident Response Process",
|
|
15851
15779
|
description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15852
15780
|
implementationGroup: "IG2",
|
|
15853
|
-
assetType: ["
|
|
15781
|
+
assetType: ["Users"],
|
|
15854
15782
|
securityFunction: ["Govern"],
|
|
15855
15783
|
governanceElements: [ // Orange - MUST be met
|
|
15856
15784
|
"establish and maintain a documented incident response process",
|
|
@@ -15959,7 +15887,7 @@ export class SafeguardManager {
|
|
|
15959
15887
|
title: "Assign Key Roles and Responsibilities",
|
|
15960
15888
|
description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15961
15889
|
implementationGroup: "IG2",
|
|
15962
|
-
assetType: ["
|
|
15890
|
+
assetType: ["Users"],
|
|
15963
15891
|
securityFunction: ["Respond"],
|
|
15964
15892
|
governanceElements: [ // Orange - MUST be met
|
|
15965
15893
|
"assign key roles and responsibilities for incident response",
|
|
@@ -16071,7 +15999,7 @@ export class SafeguardManager {
|
|
|
16071
15999
|
title: "Define Mechanisms for Communicating During Incident Response",
|
|
16072
16000
|
description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
16073
16001
|
implementationGroup: "IG2",
|
|
16074
|
-
assetType: ["
|
|
16002
|
+
assetType: ["Users"],
|
|
16075
16003
|
securityFunction: ["Respond"],
|
|
16076
16004
|
governanceElements: [ // Orange - MUST be met
|
|
16077
16005
|
"determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
|
|
@@ -16182,7 +16110,7 @@ export class SafeguardManager {
|
|
|
16182
16110
|
title: "Conduct Routine Incident Response Exercises",
|
|
16183
16111
|
description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
|
|
16184
16112
|
implementationGroup: "IG2",
|
|
16185
|
-
assetType: ["
|
|
16113
|
+
assetType: ["Users"],
|
|
16186
16114
|
securityFunction: ["Recover"],
|
|
16187
16115
|
governanceElements: [ // Orange - MUST be met
|
|
16188
16116
|
"plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
|
|
@@ -16293,7 +16221,7 @@ export class SafeguardManager {
|
|
|
16293
16221
|
title: "Conduct Post-Incident Reviews",
|
|
16294
16222
|
description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
|
|
16295
16223
|
implementationGroup: "IG2",
|
|
16296
|
-
assetType: ["
|
|
16224
|
+
assetType: ["Users"],
|
|
16297
16225
|
securityFunction: ["Recover"],
|
|
16298
16226
|
governanceElements: [ // Orange - MUST be met
|
|
16299
16227
|
"conduct post-incident reviews"
|
|
@@ -16400,7 +16328,7 @@ export class SafeguardManager {
|
|
|
16400
16328
|
title: "Establish and Maintain Security Incident Thresholds",
|
|
16401
16329
|
description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
16402
16330
|
implementationGroup: "IG3",
|
|
16403
|
-
assetType: ["
|
|
16331
|
+
assetType: ["Users"],
|
|
16404
16332
|
securityFunction: ["Recover"],
|
|
16405
16333
|
governanceElements: [ // Orange - MUST be met
|
|
16406
16334
|
"establish and maintain security incident thresholds",
|