framework-mcp 2.4.2 → 2.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1461,7 +1461,7 @@ export class SafeguardManager {
1461
1461
  title: "Establish and Maintain a Data Management Process",
1462
1462
  description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1463
1463
  implementationGroup: "IG1",
1464
- assetType: ["data"],
1464
+ assetType: ["Data"],
1465
1465
  securityFunction: ["Govern"],
1466
1466
  governanceElements: [ // Orange - MUST be met
1467
1467
  "Establish",
@@ -1469,20 +1469,15 @@ export class SafeguardManager {
1469
1469
  "Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
1470
1470
  ],
1471
1471
  coreRequirements: [ // Green - The "what"
1472
- "documented data management process",
1473
- "address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise"
1472
+ "documented data management process"
1474
1473
  ],
1475
1474
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1476
- "Documented Data management process",
1477
1475
  "Data Sensitivity",
1478
1476
  "Data Owner",
1479
1477
  "Data Handling",
1480
1478
  "Data Retention Limits",
1481
1479
  "Disposal Requirements",
1482
- "Retention Standards",
1483
- "Review and update documentation",
1484
- "Annually",
1485
- "When significant enterprise changes occur that could impact this Safeguard"
1480
+ "Retention Standards"
1486
1481
  ],
1487
1482
  implementationSuggestions: [ // Gray - Implementation suggestions
1488
1483
  ],
@@ -1572,7 +1567,7 @@ export class SafeguardManager {
1572
1567
  title: "Establish and Maintain a Data Inventory",
1573
1568
  description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
1574
1569
  implementationGroup: "IG1",
1575
- assetType: ["data"],
1570
+ assetType: ["Data"],
1576
1571
  securityFunction: ["Identify"],
1577
1572
  governanceElements: [ // Orange - MUST be met
1578
1573
  "Establish",
@@ -1580,16 +1575,11 @@ export class SafeguardManager {
1580
1575
  "Review and update inventory annually, at a minimum, with a priority on sensitive data"
1581
1576
  ],
1582
1577
  coreRequirements: [ // Green - The "what"
1583
- "data inventory based on the enterprise's data management process",
1584
- "inventory sensitive data, at a minimum"
1578
+ "data inventory"
1585
1579
  ],
1586
1580
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1587
- "Data Inventory",
1588
1581
  "Based on Data Management process",
1589
- "Sensitive Data at a Minimum",
1590
- "Review and update inventory",
1591
- "Annually, at a minimum",
1592
- "Priority on sensitive data"
1582
+ "Sensitive Data at a Minimum"
1593
1583
  ],
1594
1584
  implementationSuggestions: [ // Gray - Implementation suggestions
1595
1585
  ],
@@ -1679,14 +1669,13 @@ export class SafeguardManager {
1679
1669
  title: "Configure Data Access Control Lists",
1680
1670
  description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
1681
1671
  implementationGroup: "IG1",
1682
- assetType: ["data"],
1672
+ assetType: ["Data"],
1683
1673
  securityFunction: ["Protect"],
1684
1674
  governanceElements: [ // Orange - MUST be met
1685
- "Configure",
1686
- "Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications"
1675
+ "Configure"
1687
1676
  ],
1688
1677
  coreRequirements: [ // Green - The "what"
1689
- "data access control lists based on a user's need to know"
1678
+ "data access control lists"
1690
1679
  ],
1691
1680
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1692
1681
  "Data Access control lists",
@@ -1785,7 +1774,7 @@ export class SafeguardManager {
1785
1774
  title: "Enforce Data Retention",
1786
1775
  description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
1787
1776
  implementationGroup: "IG1",
1788
- assetType: ["data"],
1777
+ assetType: ["Data"],
1789
1778
  securityFunction: ["Protect"],
1790
1779
  governanceElements: [ // Orange - MUST be met
1791
1780
  "Retain",
@@ -1798,7 +1787,6 @@ export class SafeguardManager {
1798
1787
  ],
1799
1788
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1800
1789
  "Data Retention",
1801
- "Must Include",
1802
1790
  "Minimum Timelines",
1803
1791
  "Maximum timelines"
1804
1792
  ],
@@ -1890,19 +1878,17 @@ export class SafeguardManager {
1890
1878
  title: "Securely Dispose of Data",
1891
1879
  description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
1892
1880
  implementationGroup: "IG1",
1893
- assetType: ["data"],
1881
+ assetType: ["Data"],
1894
1882
  securityFunction: ["Protect"],
1895
1883
  governanceElements: [ // Orange - MUST be met
1896
- "Securely dispose of data",
1884
+ "Disposal process and method are commensurate with the data sensitivity",
1897
1885
  "Ensure"
1898
1886
  ],
1899
1887
  coreRequirements: [ // Green - The "what"
1900
- "as outlined in the enterprise's data management process",
1901
- "the disposal process and method are commensurate with the data sensitivity"
1888
+ "Securely Dispose of Data"
1902
1889
  ],
1903
1890
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1904
- "Securely dispose of data",
1905
- "Disposal process and method are commensurate with the data sensitivity"
1891
+ "Securely dispose of Data"
1906
1892
  ],
1907
1893
  implementationSuggestions: [ // Gray - Implementation suggestions
1908
1894
  ],
@@ -1992,17 +1978,17 @@ export class SafeguardManager {
1992
1978
  title: "Encrypt Data on End-User Devices",
1993
1979
  description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
1994
1980
  implementationGroup: "IG1",
1995
- assetType: ["data"],
1981
+ assetType: ["Data"],
1996
1982
  securityFunction: ["Protect"],
1997
1983
  governanceElements: [ // Orange - MUST be met
1998
1984
  "Encrypt"
1999
1985
  ],
2000
1986
  coreRequirements: [ // Green - The "what"
2001
- "data on end-user devices containing sensitive data"
1987
+ "data on end-user devices"
2002
1988
  ],
2003
1989
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2004
1990
  "Data on end-user devices",
2005
- "Sensitive data"
1991
+ "that contain Sensitive data"
2006
1992
  ],
2007
1993
  implementationSuggestions: [ // Gray - Implementation suggestions
2008
1994
  "Windows Bitlocker",
@@ -2095,7 +2081,7 @@ export class SafeguardManager {
2095
2081
  title: "Establish and Maintain a Data Classification Scheme",
2096
2082
  description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
2097
2083
  implementationGroup: "IG2",
2098
- assetType: ["data"],
2084
+ assetType: ["Data"],
2099
2085
  securityFunction: ["Identify"],
2100
2086
  governanceElements: [ // Orange - MUST be met
2101
2087
  "Establish",
@@ -2103,15 +2089,10 @@ export class SafeguardManager {
2103
2089
  "Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
2104
2090
  ],
2105
2091
  coreRequirements: [ // Green - The "what"
2106
- "overall data classification scheme for the enterprise",
2107
- "classify their data according to those labels"
2092
+ "data classification scheme"
2108
2093
  ],
2109
2094
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2110
- "Data classification scheme",
2111
- "Classify their data according to labels",
2112
- "Review and update classification scheme",
2113
- "Annually",
2114
- "When significant enterprise changes occur that could impact this Safeguard"
2095
+ "Classify their data according to labels"
2115
2096
  ],
2116
2097
  implementationSuggestions: [ // Gray - Implementation suggestions
2117
2098
  "Sensitive",
@@ -2204,27 +2185,19 @@ export class SafeguardManager {
2204
2185
  title: "Document Data Flows",
2205
2186
  description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
2206
2187
  implementationGroup: "IG2",
2207
- assetType: ["data"],
2188
+ assetType: ["Data"],
2208
2189
  securityFunction: ["Identify"],
2209
2190
  governanceElements: [ // Orange - MUST be met
2210
- "Document data flows",
2211
- "Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
2191
+ "Document data flows"
2212
2192
  ],
2213
2193
  coreRequirements: [ // Green - The "what"
2214
- "Data flow documentation includes service provider data flows and should be based on the enterprise's data management process"
2194
+ "Document Data Flows"
2215
2195
  ],
2216
2196
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2217
- "Document data flows",
2218
2197
  "Enterprise Data Flows",
2219
- "Service Provider Data Flows",
2220
- "Review and update documentation",
2221
- "Annually",
2222
- "When significant enterprise changes occur that could impact this Safeguard"
2198
+ "Service Provider Data Flows"
2223
2199
  ],
2224
2200
  implementationSuggestions: [ // Gray - Implementation suggestions
2225
- "Data management systems",
2226
- "Data flow mapping tools",
2227
- "Service provider documentation"
2228
2201
  ],
2229
2202
  relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"],
2230
2203
  systemPromptFull: {
@@ -2312,16 +2285,16 @@ export class SafeguardManager {
2312
2285
  title: "Encrypt Data on Removable Media",
2313
2286
  description: "Encrypt Data on Removable Media",
2314
2287
  implementationGroup: "IG2",
2315
- assetType: ["data"],
2288
+ assetType: ["Data"],
2316
2289
  securityFunction: ["Protect"],
2317
2290
  governanceElements: [ // Orange - MUST be met
2318
- "Encrypt Data on Removable Media"
2291
+ "Encrypt"
2319
2292
  ],
2320
2293
  coreRequirements: [ // Green - The "what"
2294
+ "Encrypt Data on Removable Media"
2321
2295
  ],
2322
2296
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2323
2297
  "Data on Removable Media",
2324
- "Maintain"
2325
2298
  ],
2326
2299
  implementationSuggestions: [ // Gray - Implementation suggestions
2327
2300
  ],
@@ -2411,13 +2384,13 @@ export class SafeguardManager {
2411
2384
  title: "Encrypt Sensitive Data in Transit",
2412
2385
  description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
2413
2386
  implementationGroup: "IG2",
2414
- assetType: ["data"],
2387
+ assetType: ["Data"],
2415
2388
  securityFunction: ["Protect"],
2416
2389
  governanceElements: [ // Orange - MUST be met
2417
2390
  "Encrypt"
2418
2391
  ],
2419
2392
  coreRequirements: [ // Green - The "what"
2420
- "sensitive data in transit"
2393
+ "Encrypt sensitive data in transit"
2421
2394
  ],
2422
2395
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2423
2396
  "Sensitive data in transit"
@@ -2512,23 +2485,21 @@ export class SafeguardManager {
2512
2485
  title: "Encrypt Sensitive Data at Rest",
2513
2486
  description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
2514
2487
  implementationGroup: "IG2",
2515
- assetType: ["data"],
2488
+ assetType: ["Data"],
2516
2489
  securityFunction: ["Protect"],
2517
2490
  governanceElements: [ // Orange - MUST be met
2518
2491
  "Encrypt",
2519
- "meets the minimum requirement of this Safeguard"
2492
+ "Minimum Requirement"
2520
2493
  ],
2521
2494
  coreRequirements: [ // Green - The "what"
2522
- "sensitive data at rest on servers, applications, and databases",
2523
- "Storage-layer encryption, also known as server-side encryption"
2495
+ "Encrypt sensitive data at rest"
2524
2496
  ],
2525
2497
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2526
- "Encrypt Sensitive Data At Rest",
2498
+ "Sensitive Data At Rest",
2527
2499
  "Servers",
2528
- "Software",
2500
+ "Applications",
2529
2501
  "Databases",
2530
- "Storage Layer (server side) encryption",
2531
- "Minimum Requirement"
2502
+ "Storage Layer (server side) encryption"
2532
2503
  ],
2533
2504
  implementationSuggestions: [ // Gray - Implementation suggestions
2534
2505
  "Application layer (client-side) encryption",
@@ -2620,19 +2591,17 @@ export class SafeguardManager {
2620
2591
  title: "Segment Data Processing and Storage Based on Sensitivity",
2621
2592
  description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
2622
2593
  implementationGroup: "IG2",
2623
- assetType: ["data"],
2594
+ assetType: ["Data"],
2624
2595
  securityFunction: ["Protect"],
2625
2596
  governanceElements: [ // Orange - MUST be met
2626
- "Segment data processing and storage based on the sensitivity of the data",
2627
2597
  "Do not process sensitive data on enterprise assets intended for lower sensitivity data"
2628
2598
  ],
2629
2599
  coreRequirements: [ // Green - The "what"
2600
+ "Segment Data Processing",
2601
+ "Segment Data Storage",
2602
+ "Based on Sensitivity"
2630
2603
  ],
2631
2604
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2632
- "Based on the sensitivity of data",
2633
- "Segment data processing (compute)",
2634
- "Segment Storage",
2635
- "Do not process sensitive data on enterprise assets intended for lower sensitivity data"
2636
2605
  ],
2637
2606
  implementationSuggestions: [ // Gray - Implementation suggestions
2638
2607
  ],
@@ -2722,17 +2691,15 @@ export class SafeguardManager {
2722
2691
  title: "Deploy a Data Loss Prevention Solution",
2723
2692
  description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
2724
2693
  implementationGroup: "IG3",
2725
- assetType: ["data"],
2694
+ assetType: ["Data"],
2726
2695
  securityFunction: ["Protect"],
2727
2696
  governanceElements: [ // Orange - MUST be met
2728
- "Implement",
2729
- "Update Data Inventory"
2697
+ "Implement"
2730
2698
  ],
2731
2699
  coreRequirements: [ // Green - The "what"
2732
- "automated tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider"
2700
+ "automated tool to identify all sensitive data"
2733
2701
  ],
2734
2702
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2735
- "Automated DLP Tool",
2736
2703
  "Identify all sensitive Data",
2737
2704
  "Stored",
2738
2705
  "Processed",
@@ -2830,19 +2797,15 @@ export class SafeguardManager {
2830
2797
  title: "Log Sensitive Data Access",
2831
2798
  description: "Log sensitive data access, including modification and disposal.",
2832
2799
  implementationGroup: "IG3",
2833
- assetType: ["data"],
2800
+ assetType: ["Data"],
2834
2801
  securityFunction: ["Detect"],
2835
2802
  governanceElements: [ // Orange - MUST be met
2836
2803
  "Log"
2837
2804
  ],
2838
2805
  coreRequirements: [ // Green - The "what"
2839
- "sensitive data access, including modification and disposal"
2806
+ "Log sensitive data access, including modification and disposal"
2840
2807
  ],
2841
2808
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2842
- "Sensitive Data access",
2843
- "Access",
2844
- "Modification",
2845
- "Disposal"
2846
2809
  ],
2847
2810
  implementationSuggestions: [ // Gray - Implementation suggestions
2848
2811
  ],
@@ -2932,19 +2895,17 @@ export class SafeguardManager {
2932
2895
  title: "Establish and Maintain a Secure Configuration Process",
2933
2896
  description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
2934
2897
  implementationGroup: "IG1",
2935
- assetType: ["end-user devices", "network devices", "IoT devices", "servers", "Software"],
2898
+ assetType: ["Docuemntation"],
2936
2899
  securityFunction: ["Govern"],
2937
2900
  governanceElements: [ // Orange - MUST be met
2938
2901
  "Establish",
2939
2902
  "Maintain",
2940
- "Documented Secure Configuration Process",
2941
2903
  "Review and update documentation",
2942
2904
  "Annually",
2943
2905
  "When significant enterprise changes occur that could impact this Safeguard"
2944
2906
  ],
2945
2907
  coreRequirements: [ // Green - The "what"
2946
- "documented secure configuration process for enterprise assets",
2947
- "documented secure configuration process for software"
2908
+ "documented secure configuration process"
2948
2909
  ],
2949
2910
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2950
2911
  "Enterprise assets",
@@ -2954,12 +2915,9 @@ export class SafeguardManager {
2954
2915
  "Portable",
2955
2916
  "Non-computing/IoT devices",
2956
2917
  "Servers",
2957
- "OS",
2958
- "Software"
2918
+ "OS"
2959
2919
  ],
2960
2920
  implementationSuggestions: [ // Gray - Implementation suggestions
2961
- "Secure Configuration Policy / Process",
2962
- "Configuration Management Tool"
2963
2921
  ],
2964
2922
  relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
2965
2923
  systemPromptFull: {
@@ -3047,25 +3005,22 @@ export class SafeguardManager {
3047
3005
  title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
3048
3006
  description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
3049
3007
  implementationGroup: "IG1",
3050
- assetType: ["network devices"],
3008
+ assetType: ["Documentation"],
3051
3009
  securityFunction: ["Govern"],
3052
3010
  governanceElements: [ // Orange - MUST be met
3053
3011
  "Establish",
3054
3012
  "Maintain",
3055
- "Documented Secure Network Configuration Process",
3056
3013
  "Review and update documentation",
3057
3014
  "Annually",
3058
3015
  "When significant enterprise changes occur that could impact this Safeguard"
3059
3016
  ],
3060
3017
  coreRequirements: [ // Green - The "what"
3061
- "documented secure configuration process for network devices"
3018
+ "documented secure configuration process"
3062
3019
  ],
3063
3020
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3064
3021
  "Network devices"
3065
3022
  ],
3066
3023
  implementationSuggestions: [ // Gray - Implementation suggestions
3067
- "Secure Configuration Policy / Process",
3068
- "Configuration Management Tool"
3069
3024
  ],
3070
3025
  relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
3071
3026
  systemPromptFull: {
@@ -3153,7 +3108,7 @@ export class SafeguardManager {
3153
3108
  title: "Configure Automatic Session Locking on Enterprise Assets",
3154
3109
  description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
3155
3110
  implementationGroup: "IG1",
3156
- assetType: ["devices"],
3111
+ assetType: ["Devices"],
3157
3112
  securityFunction: ["Protect"],
3158
3113
  governanceElements: [ // Orange - MUST be met
3159
3114
  "Configure",
@@ -3161,18 +3116,14 @@ export class SafeguardManager {
3161
3116
  "Period must not exceed for 2 Minutes"
3162
3117
  ],
3163
3118
  coreRequirements: [ // Green - The "what"
3164
- "automatic session locking on enterprise assets after a defined period of inactivity",
3165
- "general purpose operating systems",
3166
- "mobile end-user devices"
3119
+ "automatic session locking on enterprise assets"
3167
3120
  ],
3168
3121
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3169
- "Automatic Session Locking",
3170
3122
  "Period of inactivity",
3171
3123
  "General Purpose OSs",
3172
3124
  "Mobile end-user devices"
3173
3125
  ],
3174
3126
  implementationSuggestions: [ // Gray - Implementation suggestions
3175
- "Configuration Management Tool"
3176
3127
  ],
3177
3128
  relatedSafeguards: ["4.1"],
3178
3129
  systemPromptFull: {
@@ -3260,7 +3211,7 @@ export class SafeguardManager {
3260
3211
  title: "Implement and Manage a Firewall on Servers",
3261
3212
  description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
3262
3213
  implementationGroup: "IG1",
3263
- assetType: ["devices"],
3214
+ assetType: ["Devices"],
3264
3215
  securityFunction: ["Protect"],
3265
3216
  governanceElements: [ // Orange - MUST be met
3266
3217
  "Implement",
@@ -3277,8 +3228,6 @@ export class SafeguardManager {
3277
3228
  "Virtual Firewall",
3278
3229
  "OS Firewall",
3279
3230
  "Third Party Firewall",
3280
- "Firewall",
3281
- "Configuration Management Tool"
3282
3231
  ],
3283
3232
  relatedSafeguards: ["4.1"],
3284
3233
  systemPromptFull: {
@@ -3366,21 +3315,18 @@ export class SafeguardManager {
3366
3315
  title: "Implement and Manage a Firewall on End-User Devices",
3367
3316
  description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
3368
3317
  implementationGroup: "IG1",
3369
- assetType: ["devices"],
3318
+ assetType: ["Devices"],
3370
3319
  securityFunction: ["Protect"],
3371
3320
  governanceElements: [ // Orange - MUST be met
3372
3321
  "Implement",
3373
- "Manage",
3374
- "Default deny rule that drops all traffic",
3375
- "Except Explicitly Allowed"
3322
+ "Manage"
3376
3323
  ],
3377
3324
  coreRequirements: [ // Green - The "what"
3378
3325
  "host-based firewall or port-filtering tool on end-user devices"
3379
3326
  ],
3380
3327
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3381
- "Host-based Firewall",
3382
- "Port Filtering Tool",
3383
- "End User Devices",
3328
+ "Default Deny Rule that drops all traffic",
3329
+ "Except Explicitly Allowed",
3384
3330
  "Services",
3385
3331
  "Ports"
3386
3332
  ],
@@ -3474,7 +3420,7 @@ export class SafeguardManager {
3474
3420
  title: "Securely Manage Enterprise Assets and Software",
3475
3421
  description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
3476
3422
  implementationGroup: "IG1",
3477
- assetType: ["devices", "Software"],
3423
+ assetType: ["Devices"],
3478
3424
  securityFunction: ["Protect"],
3479
3425
  governanceElements: [ // Orange - MUST be met
3480
3426
  "Do not use insecure management protocols",
@@ -3484,16 +3430,14 @@ export class SafeguardManager {
3484
3430
  "Securely manage enterprise assets and software"
3485
3431
  ],
3486
3432
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3487
- "Securely manage enterprise assets and software"
3433
+ "Securely manage enterprise assets and software",
3434
+ "Do not use insecure management protocols unless operationally essential"
3488
3435
  ],
3489
3436
  implementationSuggestions: [ // Gray - Implementation suggestions
3490
3437
  "Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
3491
3438
  "Accessing administrative interfaces over secure network protocols",
3492
- "SSH",
3493
- "HTTPS",
3494
- "Telnet (Teletype Network)",
3495
- "HTTP",
3496
- "Configuration Management Tool"
3439
+ "SSH instead of TELNET",
3440
+ "HTTPS instead of HTTP",
3497
3441
  ],
3498
3442
  relatedSafeguards: ["4.1", "12.3"],
3499
3443
  systemPromptFull: {
@@ -3581,26 +3525,22 @@ export class SafeguardManager {
3581
3525
  title: "Manage Default Accounts on Enterprise Assets and Software",
3582
3526
  description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
3583
3527
  implementationGroup: "IG1",
3584
- assetType: ["devices", "Software", "users"],
3528
+ assetType: ["Users"],
3585
3529
  securityFunction: ["Protect"],
3586
3530
  governanceElements: [ // Orange - MUST be met
3587
3531
  "Manage"
3588
3532
  ],
3589
3533
  coreRequirements: [ // Green - The "what"
3590
- "default accounts on enterprise assets and software"
3534
+ "default accounts"
3591
3535
  ],
3592
3536
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3593
- "Default accounts",
3594
3537
  "Enterprise assets",
3595
- "Software",
3596
- "Root",
3597
- "Administrator",
3598
- "Other pre-configured vendor accounts"
3538
+ "Software"
3599
3539
  ],
3600
3540
  implementationSuggestions: [ // Gray - Implementation suggestions
3601
- "Disabling",
3602
- "Unusable",
3603
- "Configuration Management Tool"
3541
+ "Disabling them",
3542
+ "making them Unusable",
3543
+ "Root, Administrator, or other pre-configured vendor accounts"
3604
3544
  ],
3605
3545
  relatedSafeguards: ["4.1"],
3606
3546
  systemPromptFull: {
@@ -3688,25 +3628,23 @@ export class SafeguardManager {
3688
3628
  title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
3689
3629
  description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
3690
3630
  implementationGroup: "IG2",
3691
- assetType: ["devices", "Software"],
3631
+ assetType: ["Devices", "Software"],
3692
3632
  securityFunction: ["Protect"],
3693
3633
  governanceElements: [ // Orange - MUST be met
3694
3634
  "Uninstall",
3695
3635
  "Disable"
3696
3636
  ],
3697
3637
  coreRequirements: [ // Green - The "what"
3698
- "unnecessary services on enterprise assets and software"
3638
+ "unnecessary services"
3699
3639
  ],
3700
3640
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3701
- "Unnecessary Services",
3702
3641
  "Enterprise assets",
3703
- "Software",
3704
- "Unused file sharing service",
3705
- "Web application module",
3706
- "Service function"
3642
+ "Software"
3707
3643
  ],
3708
3644
  implementationSuggestions: [ // Gray - Implementation suggestions
3709
- "Configuration Management Tool"
3645
+ "Unused File Sharing Services",
3646
+ "Web Application Module",
3647
+ "Service Function"
3710
3648
  ],
3711
3649
  relatedSafeguards: ["4.1"],
3712
3650
  systemPromptFull: {
@@ -3794,22 +3732,20 @@ export class SafeguardManager {
3794
3732
  title: "Configure Trusted DNS Servers on Enterprise Assets",
3795
3733
  description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
3796
3734
  implementationGroup: "IG2",
3797
- assetType: ["devices"],
3735
+ assetType: ["Devices"],
3798
3736
  securityFunction: ["Protect"],
3799
3737
  governanceElements: [ // Orange - MUST be met
3800
3738
  "Configure"
3801
3739
  ],
3802
3740
  coreRequirements: [ // Green - The "what"
3803
- "trusted DNS servers on enterprise assets"
3741
+ "trusted DNS servers"
3804
3742
  ],
3805
3743
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3806
- "Trusted DNS Servers",
3807
3744
  "Enterprise assets"
3808
3745
  ],
3809
3746
  implementationSuggestions: [ // Gray - Implementation suggestions
3810
3747
  "Configuring assets to use enterprise-controlled DNS servers",
3811
- "Reputable externally accessible DNS servers",
3812
- "Configuration Management Tool"
3748
+ "Reputable externally accessible DNS servers"
3813
3749
  ],
3814
3750
  relatedSafeguards: ["4.1", "8.6", "9.2"],
3815
3751
  systemPromptFull: {
@@ -3897,7 +3833,7 @@ export class SafeguardManager {
3897
3833
  title: "Enforce Automatic Device Lockout on Portable End-User Devices",
3898
3834
  description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
3899
3835
  implementationGroup: "IG2",
3900
- assetType: ["devices"],
3836
+ assetType: ["Devices"],
3901
3837
  securityFunction: ["Protect"],
3902
3838
  governanceElements: [ // Orange - MUST be met
3903
3839
  "Enforce",
@@ -3906,14 +3842,13 @@ export class SafeguardManager {
3906
3842
  "No more than 10 Failed Authentication Attempts"
3907
3843
  ],
3908
3844
  coreRequirements: [ // Green - The "what"
3909
- "automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices"
3845
+ "automatic device lockout"
3910
3846
  ],
3911
3847
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3912
- "Automatic Device Lockout",
3913
- "Predetermined threshold of local failed authentication attempts",
3914
- "Portable end-user devices",
3915
- "Laptops",
3916
- "Tablets and smartphones"
3848
+ "After a Predetermined threshold of local failed authentication attempts",
3849
+ "On Portable end-user devices",
3850
+ "Such as Laptops",
3851
+ "Such as Tablets and smartphones"
3917
3852
  ],
3918
3853
  implementationSuggestions: [ // Gray - Implementation suggestions
3919
3854
  "Microsoft® InTune Device Lock",
@@ -4006,24 +3941,22 @@ export class SafeguardManager {
4006
3941
  title: "Enforce Remote Wipe Capability on Portable End-User Devices",
4007
3942
  description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
4008
3943
  implementationGroup: "IG2",
4009
- assetType: ["devices"],
3944
+ assetType: ["Devices"],
4010
3945
  securityFunction: ["Protect"],
4011
3946
  governanceElements: [ // Orange - MUST be met
4012
3947
  "When deemed appropriate"
4013
3948
  ],
4014
3949
  coreRequirements: [ // Green - The "what"
4015
- "Remotely wipe enterprise data from enterprise-owned portable end-user devices"
3950
+ "Remotely wipe enterprise data"
4016
3951
  ],
4017
3952
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4018
- "Remotely Wipe enterprise data",
4019
- "Portable end-user devices",
3953
+ "Portable end-user devices"
3954
+ ],
3955
+ implementationSuggestions: [ // Gray - Implementation suggestions
4020
3956
  "Lost devices",
4021
3957
  "Stolen devices",
4022
3958
  "When an individual no longer supports the enterprise"
4023
3959
  ],
4024
- implementationSuggestions: [ // Gray - Implementation suggestions
4025
- "Configuration Management Tool"
4026
- ],
4027
3960
  relatedSafeguards: ["4.1"],
4028
3961
  systemPromptFull: {
4029
3962
 
@@ -4110,7 +4043,7 @@ export class SafeguardManager {
4110
4043
  title: "Separate Enterprise Workspaces on Mobile End-User Devices",
4111
4044
  description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
4112
4045
  implementationGroup: "IG3",
4113
- assetType: ["devices", "data"],
4046
+ assetType: ["Data"],
4114
4047
  securityFunction: ["Protect"],
4115
4048
  governanceElements: [ // Orange - MUST be met
4116
4049
  "Ensure",
@@ -4120,17 +4053,12 @@ export class SafeguardManager {
4120
4053
  "separate enterprise workspaces are used on mobile end-user devices"
4121
4054
  ],
4122
4055
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4123
- "Separate enterprise workspaces",
4124
- "On Mobile Devices",
4125
- "Enterprise Applications",
4126
- "Enterprise Data",
4127
- "Personal Applications",
4128
- "Personal Data"
4056
+ "Enterprise Applications and Enterprise Data",
4057
+ "Seperate from Personal Applications and Personal Data"
4129
4058
  ],
4130
4059
  implementationSuggestions: [ // Gray - Implementation suggestions
4131
4060
  "Apple® Configuration Profile",
4132
- "AndroidTM Work Profile",
4133
- "Configuration Management Tool"
4061
+ "AndroidTM Work Profile"
4134
4062
  ],
4135
4063
  relatedSafeguards: ["4.1"],
4136
4064
  systemPromptFull: {
@@ -4218,7 +4146,7 @@ export class SafeguardManager {
4218
4146
  title: "Establish and Maintain an Inventory of Accounts",
4219
4147
  description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
4220
4148
  implementationGroup: "IG1",
4221
- assetType: ["users"],
4149
+ assetType: ["Users"],
4222
4150
  securityFunction: ["Identify"],
4223
4151
  governanceElements: [ // Orange - MUST be met
4224
4152
  "Establish and maintain an inventory of all accounts managed in the enterprise",
@@ -4335,7 +4263,7 @@ export class SafeguardManager {
4335
4263
  title: "Use Unique Passwords",
4336
4264
  description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
4337
4265
  implementationGroup: "IG1",
4338
- assetType: ["users"],
4266
+ assetType: ["Users"],
4339
4267
  securityFunction: ["Protect"],
4340
4268
  governanceElements: [ // Orange - MUST be met
4341
4269
  "Use unique passwords for all enterprise assets",
@@ -4441,7 +4369,7 @@ export class SafeguardManager {
4441
4369
  title: "Disable Dormant Accounts",
4442
4370
  description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
4443
4371
  implementationGroup: "IG1",
4444
- assetType: ["users"],
4372
+ assetType: ["Users"],
4445
4373
  securityFunction: ["Protect"],
4446
4374
  governanceElements: [ // Orange - MUST be met
4447
4375
  "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
@@ -4545,7 +4473,7 @@ export class SafeguardManager {
4545
4473
  title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
4546
4474
  description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
4547
4475
  implementationGroup: "IG1",
4548
- assetType: ["users"],
4476
+ assetType: ["Users"],
4549
4477
  securityFunction: ["Protect"],
4550
4478
  governanceElements: [ // Orange - MUST be met
4551
4479
  "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
@@ -4655,7 +4583,7 @@ export class SafeguardManager {
4655
4583
  title: "Establish and Maintain an Inventory of Service Accounts",
4656
4584
  description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
4657
4585
  implementationGroup: "IG2",
4658
- assetType: ["users"],
4586
+ assetType: ["Users"],
4659
4587
  securityFunction: ["Identify"],
4660
4588
  governanceElements: [ // Orange - MUST be met
4661
4589
  "Establish and maintain an inventory of service accounts",
@@ -4768,7 +4696,7 @@ export class SafeguardManager {
4768
4696
  title: "Centralize Account Management",
4769
4697
  description: "Centralize account management through a directory or identity service.",
4770
4698
  implementationGroup: "IG2",
4771
- assetType: ["users"],
4699
+ assetType: ["Users"],
4772
4700
  securityFunction: ["Govern"],
4773
4701
  governanceElements: [ // Orange - MUST be met
4774
4702
  "Centralize account management through a directory or identity service"
@@ -4872,7 +4800,7 @@ export class SafeguardManager {
4872
4800
  title: "Establish an Access Granting Process",
4873
4801
  description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
4874
4802
  implementationGroup: "IG1",
4875
- assetType: ["users"],
4803
+ assetType: ["Users"],
4876
4804
  securityFunction: ["Govern"],
4877
4805
  governanceElements: [ // Orange - MUST be met
4878
4806
  "Establish",
@@ -4983,7 +4911,7 @@ export class SafeguardManager {
4983
4911
  title: "Establish an Access Revoking Process",
4984
4912
  description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
4985
4913
  implementationGroup: "IG1",
4986
- assetType: ["users"],
4914
+ assetType: ["Users"],
4987
4915
  securityFunction: ["Govern"],
4988
4916
  governanceElements: [ // Orange - MUST be met
4989
4917
  "Establish",
@@ -5099,7 +5027,7 @@ export class SafeguardManager {
5099
5027
  title: "Require MFA for Externally-Exposed Applications",
5100
5028
  description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
5101
5029
  implementationGroup: "IG1",
5102
- assetType: ["users"],
5030
+ assetType: ["Users"],
5103
5031
  securityFunction: ["Protect"],
5104
5032
  governanceElements: [ // Orange - MUST be met
5105
5033
  "Require",
@@ -5208,7 +5136,7 @@ export class SafeguardManager {
5208
5136
  title: "Require MFA for Remote Network Access",
5209
5137
  description: "Require MFA for remote network access.",
5210
5138
  implementationGroup: "IG1",
5211
- assetType: ["users"],
5139
+ assetType: ["Users"],
5212
5140
  securityFunction: ["Protect"],
5213
5141
  governanceElements: [ // Orange - MUST be met
5214
5142
  "Require",
@@ -5312,7 +5240,7 @@ export class SafeguardManager {
5312
5240
  title: "Require MFA for Administrative Access",
5313
5241
  description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
5314
5242
  implementationGroup: "IG1",
5315
- assetType: ["users"],
5243
+ assetType: ["Users"],
5316
5244
  securityFunction: ["Protect"],
5317
5245
  governanceElements: [ // Orange - MUST be met
5318
5246
  "Require",
@@ -5533,7 +5461,7 @@ export class SafeguardManager {
5533
5461
  title: "Centralize Access Control",
5534
5462
  description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
5535
5463
  implementationGroup: "IG2",
5536
- assetType: ["users"],
5464
+ assetType: ["Users"],
5537
5465
  securityFunction: ["Protect"],
5538
5466
  governanceElements: [ // Orange - MUST be met
5539
5467
  "Centralize",
@@ -5645,7 +5573,7 @@ export class SafeguardManager {
5645
5573
  title: "Define and Maintain Role-Based Access Control",
5646
5574
  description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
5647
5575
  implementationGroup: "IG3",
5648
- assetType: ["users"],
5576
+ assetType: ["Users"],
5649
5577
  securityFunction: ["Govern"],
5650
5578
  governanceElements: [ // Orange - MUST be met
5651
5579
  "Define",
@@ -5997,7 +5925,7 @@ export class SafeguardManager {
5997
5925
  title: "Perform Automated Operating System Patch Management",
5998
5926
  description: "Perform automated operating system patch management on enterprise assets",
5999
5927
  implementationGroup: "IG1",
6000
- assetType: ["devices"],
5928
+ assetType: ["Devices"],
6001
5929
  securityFunction: ["Protect"],
6002
5930
  governanceElements: [ // Orange - MUST be met
6003
5931
  "perform automated OS patch management",
@@ -6229,7 +6157,7 @@ export class SafeguardManager {
6229
6157
  title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
6230
6158
  description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
6231
6159
  implementationGroup: "IG2",
6232
- assetType: ["devices", "Software"],
6160
+ assetType: ["Devices", "Software"],
6233
6161
  securityFunction: ["Detect"],
6234
6162
  governanceElements: [ // Orange - MUST be met
6235
6163
  "perform automated vulnerability scans",
@@ -6345,7 +6273,7 @@ export class SafeguardManager {
6345
6273
  title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
6346
6274
  description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
6347
6275
  implementationGroup: "IG2",
6348
- assetType: ["devices", "Software"],
6276
+ assetType: ["Devices", "Software"],
6349
6277
  securityFunction: ["Detect"],
6350
6278
  governanceElements: [ // Orange - MUST be met
6351
6279
  "perform automated vulnerability scans",
@@ -6577,7 +6505,7 @@ export class SafeguardManager {
6577
6505
  title: "Establish and Maintain an Audit Log Management Process",
6578
6506
  description: "Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
6579
6507
  implementationGroup: "IG1",
6580
- assetType: ["enterprise assets", "data"],
6508
+ assetType: ["enterprise assets", "Data"],
6581
6509
  securityFunction: ["Govern"],
6582
6510
  governanceElements: [
6583
6511
  "establish and maintain",
@@ -6687,7 +6615,7 @@ export class SafeguardManager {
6687
6615
  title: "Collect Audit Logs",
6688
6616
  description: "Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.",
6689
6617
  implementationGroup: "IG1",
6690
- assetType: ["enterprise assets", "data"],
6618
+ assetType: ["enterprise assets", "Data"],
6691
6619
  securityFunction: ["Detect"],
6692
6620
  governanceElements: [
6693
6621
  "per the enterprise's audit log management process"
@@ -6790,7 +6718,7 @@ export class SafeguardManager {
6790
6718
  title: "Ensure Adequate Audit Log Storage",
6791
6719
  description: "Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.",
6792
6720
  implementationGroup: "IG1",
6793
- assetType: ["data"],
6721
+ assetType: ["Data"],
6794
6722
  securityFunction: ["Protect"],
6795
6723
  governanceElements: [
6796
6724
  "comply with the enterprise's audit log management process"
@@ -6894,7 +6822,7 @@ export class SafeguardManager {
6894
6822
  title: "Standardize Time Synchronization",
6895
6823
  description: "Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.",
6896
6824
  implementationGroup: "IG2",
6897
- assetType: ["enterprise assets", "data"],
6825
+ assetType: ["enterprise assets", "Data"],
6898
6826
  securityFunction: ["Protect"],
6899
6827
  governanceElements: [
6900
6828
  "standardize time synchronization"
@@ -7000,7 +6928,7 @@ export class SafeguardManager {
7000
6928
  title: "Collect Detailed Audit Logs",
7001
6929
  description: "Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.",
7002
6930
  implementationGroup: "IG2",
7003
- assetType: ["enterprise assets", "data"],
6931
+ assetType: ["enterprise assets", "Data"],
7004
6932
  securityFunction: ["Detect"],
7005
6933
  governanceElements: [
7006
6934
  "configure detailed audit logging"
@@ -7109,7 +7037,7 @@ export class SafeguardManager {
7109
7037
  title: "Collect DNS Query Audit Logs",
7110
7038
  description: "Collect DNS query audit logs on enterprise assets, where appropriate and supported.",
7111
7039
  implementationGroup: "IG2",
7112
- assetType: ["enterprise assets", "data"],
7040
+ assetType: ["enterprise assets", "Data"],
7113
7041
  securityFunction: ["Detect"],
7114
7042
  governanceElements: [
7115
7043
  "where appropriate and supported"
@@ -7214,7 +7142,7 @@ export class SafeguardManager {
7214
7142
  title: "Collect URL Request Audit Logs",
7215
7143
  description: "Collect URL request audit logs on enterprise assets, where appropriate and supported.",
7216
7144
  implementationGroup: "IG2",
7217
- assetType: ["enterprise assets", "data"],
7145
+ assetType: ["enterprise assets", "Data"],
7218
7146
  securityFunction: ["Detect"],
7219
7147
  governanceElements: [
7220
7148
  "where appropriate and supported"
@@ -7319,7 +7247,7 @@ export class SafeguardManager {
7319
7247
  title: "Collect Command-Line Audit Logs",
7320
7248
  description: "Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.",
7321
7249
  implementationGroup: "IG2",
7322
- assetType: ["data"],
7250
+ assetType: ["Data"],
7323
7251
  securityFunction: ["Detect"],
7324
7252
  governanceElements: [
7325
7253
  "collect command-line audit logs"
@@ -7423,7 +7351,7 @@ export class SafeguardManager {
7423
7351
  title: "Centralize Audit Logs",
7424
7352
  description: "Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources.",
7425
7353
  implementationGroup: "IG2",
7426
- assetType: ["enterprise assets", "data"],
7354
+ assetType: ["enterprise assets", "Data"],
7427
7355
  securityFunction: ["Detect"],
7428
7356
  governanceElements: [
7429
7357
  "in accordance with documented audit log management process",
@@ -7529,7 +7457,7 @@ export class SafeguardManager {
7529
7457
  title: "Retain Audit Logs",
7530
7458
  description: "Retain audit logs across enterprise assets for a minimum of 90 days.",
7531
7459
  implementationGroup: "IG2",
7532
- assetType: ["enterprise assets", "data"],
7460
+ assetType: ["enterprise assets", "Data"],
7533
7461
  securityFunction: ["Protect"],
7534
7462
  governanceElements: [
7535
7463
  "minimum of 90 days"
@@ -7630,7 +7558,7 @@ export class SafeguardManager {
7630
7558
  title: "Conduct Audit Log Reviews",
7631
7559
  description: "Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.",
7632
7560
  implementationGroup: "IG2",
7633
- assetType: ["data"],
7561
+ assetType: ["Data"],
7634
7562
  securityFunction: ["Detect"],
7635
7563
  governanceElements: [
7636
7564
  "conduct reviews on a weekly, or more frequent, basis"
@@ -7734,7 +7662,7 @@ export class SafeguardManager {
7734
7662
  title: "Collect Service Provider Logs",
7735
7663
  description: "Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.",
7736
7664
  implementationGroup: "IG3",
7737
- assetType: ["data"],
7665
+ assetType: ["Data"],
7738
7666
  securityFunction: ["Detect"],
7739
7667
  governanceElements: [
7740
7668
  "where supported"
@@ -7951,7 +7879,7 @@ export class SafeguardManager {
7951
7879
  title: "Use DNS Filtering Services",
7952
7880
  description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
7953
7881
  implementationGroup: "IG1",
7954
- assetType: ["devices", "network"],
7882
+ assetType: ["Devices", "network"],
7955
7883
  securityFunction: ["Protect"],
7956
7884
  governanceElements: [ // Orange - MUST be met
7957
7885
  "use DNS filtering services on all end-user devices",
@@ -8627,7 +8555,7 @@ export class SafeguardManager {
8627
8555
  title: "Deploy and Maintain Anti-Malware Software",
8628
8556
  description: "Deploy and maintain anti-malware software on all enterprise assets",
8629
8557
  implementationGroup: "IG1",
8630
- assetType: ["devices"],
8558
+ assetType: ["Devices"],
8631
8559
  securityFunction: ["Detect"],
8632
8560
  governanceElements: [ // Orange - MUST be met
8633
8561
  "deploy anti-malware software",
@@ -8740,7 +8668,7 @@ export class SafeguardManager {
8740
8668
  title: "Configure Automatic Anti-Malware Signature Updates",
8741
8669
  description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
8742
8670
  implementationGroup: "IG1",
8743
- assetType: ["devices"],
8671
+ assetType: ["Devices"],
8744
8672
  securityFunction: ["Protect"],
8745
8673
  governanceElements: [ // Orange - MUST be met
8746
8674
  "configure automatic updates",
@@ -8848,7 +8776,7 @@ export class SafeguardManager {
8848
8776
  title: "Disable Autorun and Autoplay for Removable Media",
8849
8777
  description: "Disable autorun and autoplay auto-execute functionality for removable media",
8850
8778
  implementationGroup: "IG1",
8851
- assetType: ["devices"],
8779
+ assetType: ["Devices"],
8852
8780
  securityFunction: ["Protect"],
8853
8781
  governanceElements: [ // Orange - MUST be met
8854
8782
  "disable autorun functionality",
@@ -8961,7 +8889,7 @@ export class SafeguardManager {
8961
8889
  title: "Configure Automatic Anti-Malware Scanning of Removable Media",
8962
8890
  description: "Configure anti-malware software to automatically scan removable media",
8963
8891
  implementationGroup: "IG2",
8964
- assetType: ["devices"],
8892
+ assetType: ["Devices"],
8965
8893
  securityFunction: ["Detect"],
8966
8894
  governanceElements: [ // Orange - MUST be met
8967
8895
  "configure anti-malware software",
@@ -9073,7 +9001,7 @@ export class SafeguardManager {
9073
9001
  title: "Enable Anti-Exploitation Features",
9074
9002
  description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
9075
9003
  implementationGroup: "IG2",
9076
- assetType: ["devices"],
9004
+ assetType: ["Devices"],
9077
9005
  securityFunction: ["Protect"],
9078
9006
  governanceElements: [ // Orange - MUST be met
9079
9007
  "enable anti-exploitation features",
@@ -9187,7 +9115,7 @@ export class SafeguardManager {
9187
9115
  title: "Centrally Manage Anti-Malware Software",
9188
9116
  description: "Centrally manage anti-malware software",
9189
9117
  implementationGroup: "IG2",
9190
- assetType: ["devices"],
9118
+ assetType: ["Devices"],
9191
9119
  securityFunction: ["Protect"],
9192
9120
  governanceElements: [ // Orange - MUST be met
9193
9121
  "centrally manage anti-malware",
@@ -9297,7 +9225,7 @@ export class SafeguardManager {
9297
9225
  title: "Use Behavior-Based Anti-Malware Software",
9298
9226
  description: "Use behavior-based anti-malware software",
9299
9227
  implementationGroup: "IG2",
9300
- assetType: ["devices"],
9228
+ assetType: ["Devices"],
9301
9229
  securityFunction: ["Detect"],
9302
9230
  governanceElements: [ // Orange - MUST be met
9303
9231
  "use behavior-based anti-malware",
@@ -9408,7 +9336,7 @@ export class SafeguardManager {
9408
9336
  title: "Establish and Maintain a Data Recovery Process",
9409
9337
  description: "Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
9410
9338
  implementationGroup: "IG1",
9411
- assetType: ["data"],
9339
+ assetType: ["Data"],
9412
9340
  securityFunction: ["Govern"],
9413
9341
  governanceElements: [ // Orange - MUST be met
9414
9342
  "establish documented data recovery process",
@@ -9525,7 +9453,7 @@ export class SafeguardManager {
9525
9453
  title: "Perform Automated Backups",
9526
9454
  description: "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data",
9527
9455
  implementationGroup: "IG1",
9528
- assetType: ["data"],
9456
+ assetType: ["Data"],
9529
9457
  securityFunction: ["Recover"],
9530
9458
  governanceElements: [ // Orange - MUST be met
9531
9459
  "perform automated backups",
@@ -9640,7 +9568,7 @@ export class SafeguardManager {
9640
9568
  title: "Protect Recovery Data",
9641
9569
  description: "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements",
9642
9570
  implementationGroup: "IG1",
9643
- assetType: ["data"],
9571
+ assetType: ["Data"],
9644
9572
  securityFunction: ["Protect"],
9645
9573
  governanceElements: [ // Orange - MUST be met
9646
9574
  "protect recovery data",
@@ -9754,7 +9682,7 @@ export class SafeguardManager {
9754
9682
  title: "Establish and Maintain an Isolated Instance of Recovery Data",
9755
9683
  description: "Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services",
9756
9684
  implementationGroup: "IG1",
9757
- assetType: ["data"],
9685
+ assetType: ["Data"],
9758
9686
  securityFunction: ["Recover"],
9759
9687
  governanceElements: [ // Orange - MUST be met
9760
9688
  "establish isolated instance of recovery data",
@@ -9871,7 +9799,7 @@ export class SafeguardManager {
9871
9799
  title: "Test Data Recovery",
9872
9800
  description: "Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets",
9873
9801
  implementationGroup: "IG2",
9874
- assetType: ["data"],
9802
+ assetType: ["Data"],
9875
9803
  securityFunction: ["Recover"],
9876
9804
  governanceElements: [ // Orange - MUST be met
9877
9805
  "test backup recovery quarterly or more frequently",
@@ -10673,7 +10601,7 @@ export class SafeguardManager {
10673
10601
  title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
10674
10602
  description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
10675
10603
  implementationGroup: "IG2",
10676
- assetType: ["devices"],
10604
+ assetType: ["Devices"],
10677
10605
  securityFunction: ["Protect"],
10678
10606
  governanceElements: [ // Orange - MUST be met
10679
10607
  "require users to authenticate to enterprise-managed VPN",
@@ -10787,7 +10715,7 @@ export class SafeguardManager {
10787
10715
  title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
10788
10716
  description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
10789
10717
  implementationGroup: "IG3",
10790
- assetType: ["devices"],
10718
+ assetType: ["Devices"],
10791
10719
  securityFunction: ["Protect"],
10792
10720
  governanceElements: [ // Orange - MUST be met
10793
10721
  "establish dedicated computing resources for administrative work",
@@ -10903,7 +10831,7 @@ export class SafeguardManager {
10903
10831
  title: "Centralize Security Event Alerting",
10904
10832
  description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
10905
10833
  implementationGroup: "IG2",
10906
- assetType: ["network", "devices"],
10834
+ assetType: ["network", "Devices"],
10907
10835
  securityFunction: ["Detect"],
10908
10836
  governanceElements: [ // Orange - MUST be met
10909
10837
  "centralize security event alerting across enterprise assets",
@@ -11016,7 +10944,7 @@ export class SafeguardManager {
11016
10944
  title: "Deploy a Host-Based Intrusion Detection Solution",
11017
10945
  description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
11018
10946
  implementationGroup: "IG2",
11019
- assetType: ["devices"],
10947
+ assetType: ["Devices"],
11020
10948
  securityFunction: ["Detect"],
11021
10949
  governanceElements: [ // Orange - MUST be met
11022
10950
  "deploy host-based intrusion detection solution",
@@ -11344,7 +11272,7 @@ export class SafeguardManager {
11344
11272
  title: "Manage Access Control for Remote Assets",
11345
11273
  description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
11346
11274
  implementationGroup: "IG2",
11347
- assetType: ["devices", "network"],
11275
+ assetType: ["Devices", "network"],
11348
11276
  securityFunction: ["Protect"],
11349
11277
  governanceElements: [ // Orange - MUST be met
11350
11278
  "manage access control for assets remotely connecting to enterprise networks",
@@ -11566,7 +11494,7 @@ export class SafeguardManager {
11566
11494
  title: "Deploy a Host-Based Intrusion Prevention Solution",
11567
11495
  description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
11568
11496
  implementationGroup: "IG3",
11569
- assetType: ["devices"],
11497
+ assetType: ["Devices"],
11570
11498
  securityFunction: ["Respond"],
11571
11499
  governanceElements: [ // Orange - MUST be met
11572
11500
  "deploy host-based intrusion prevention solution",
@@ -12003,7 +11931,7 @@ export class SafeguardManager {
12003
11931
  title: "Tune Security Event Alerting Thresholds",
12004
11932
  description: "Tune security event alerting thresholds monthly, or more frequently",
12005
11933
  implementationGroup: "IG3",
12006
- assetType: ["network", "devices"],
11934
+ assetType: ["network", "Devices"],
12007
11935
  securityFunction: ["Detect"],
12008
11936
  governanceElements: [ // Orange - MUST be met
12009
11937
  "tune security event alerting thresholds",
@@ -12111,7 +12039,7 @@ export class SafeguardManager {
12111
12039
  title: "Establish and Maintain a Security Awareness Program",
12112
12040
  description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
12113
12041
  implementationGroup: "IG1",
12114
- assetType: ["users"],
12042
+ assetType: ["Users"],
12115
12043
  securityFunction: ["Govern"],
12116
12044
  governanceElements: [ // Orange - MUST be met
12117
12045
  "establish and maintain a security awareness program",
@@ -12227,7 +12155,7 @@ export class SafeguardManager {
12227
12155
  title: "Train Workforce Members to Recognize Social Engineering Attacks",
12228
12156
  description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
12229
12157
  implementationGroup: "IG1",
12230
- assetType: ["users"],
12158
+ assetType: ["Users"],
12231
12159
  securityFunction: ["Protect"],
12232
12160
  governanceElements: [ // Orange - MUST be met
12233
12161
  "train workforce members to recognize social engineering attacks",
@@ -12340,7 +12268,7 @@ export class SafeguardManager {
12340
12268
  title: "Train Workforce Members on Authentication Best Practices",
12341
12269
  description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
12342
12270
  implementationGroup: "IG1",
12343
- assetType: ["users"],
12271
+ assetType: ["Users"],
12344
12272
  securityFunction: ["Protect"],
12345
12273
  governanceElements: [ // Orange - MUST be met
12346
12274
  "train workforce members on authentication best practices",
@@ -12451,7 +12379,7 @@ export class SafeguardManager {
12451
12379
  title: "Train Workforce on Data Handling Best Practices",
12452
12380
  description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
12453
12381
  implementationGroup: "IG1",
12454
- assetType: ["users"],
12382
+ assetType: ["Users"],
12455
12383
  securityFunction: ["Protect"],
12456
12384
  governanceElements: [ // Orange - MUST be met
12457
12385
  "train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
@@ -12570,7 +12498,7 @@ export class SafeguardManager {
12570
12498
  title: "Train Workforce Members on Causes of Unintentional Data Exposure",
12571
12499
  description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
12572
12500
  implementationGroup: "IG1",
12573
- assetType: ["users"],
12501
+ assetType: ["Users"],
12574
12502
  securityFunction: ["Protect"],
12575
12503
  governanceElements: [ // Orange - MUST be met
12576
12504
  "train workforce members to be aware of causes for unintentional data exposure",
@@ -12681,7 +12609,7 @@ export class SafeguardManager {
12681
12609
  title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
12682
12610
  description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
12683
12611
  implementationGroup: "IG1",
12684
- assetType: ["users"],
12612
+ assetType: ["Users"],
12685
12613
  securityFunction: ["Protect"],
12686
12614
  governanceElements: [ // Orange - MUST be met
12687
12615
  "train workforce members to be able to recognize a potential incident",
@@ -12790,7 +12718,7 @@ export class SafeguardManager {
12790
12718
  title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
12791
12719
  description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
12792
12720
  implementationGroup: "IG1",
12793
- assetType: ["users"],
12721
+ assetType: ["Users"],
12794
12722
  securityFunction: ["Protect"],
12795
12723
  governanceElements: [ // Orange - MUST be met
12796
12724
  "train workforce to understand how to verify and report out-of-date software patches",
@@ -12905,7 +12833,7 @@ export class SafeguardManager {
12905
12833
  title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
12906
12834
  description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
12907
12835
  implementationGroup: "IG1",
12908
- assetType: ["users"],
12836
+ assetType: ["Users"],
12909
12837
  securityFunction: ["Protect"],
12910
12838
  governanceElements: [ // Orange - MUST be met
12911
12839
  "train workforce members on dangers of connecting to and transmitting data over insecure networks",
@@ -13019,7 +12947,7 @@ export class SafeguardManager {
13019
12947
  title: "Conduct Role-Specific Security Awareness and Skills Training",
13020
12948
  description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
13021
12949
  implementationGroup: "IG2",
13022
- assetType: ["users"],
12950
+ assetType: ["Users"],
13023
12951
  securityFunction: ["Protect"],
13024
12952
  governanceElements: [ // Orange - MUST be met
13025
12953
  "conduct role-specific security awareness and skills training",
@@ -13131,7 +13059,7 @@ export class SafeguardManager {
13131
13059
  title: "Establish and Maintain an Inventory of Service Providers",
13132
13060
  description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
13133
13061
  implementationGroup: "IG1",
13134
- assetType: ["users"],
13062
+ assetType: ["Users"],
13135
13063
  securityFunction: ["Identify"],
13136
13064
  governanceElements: [ // Orange - MUST be met
13137
13065
  "establish and maintain an inventory of service providers",
@@ -13245,7 +13173,7 @@ export class SafeguardManager {
13245
13173
  title: "Establish and Maintain a Service Provider Management Policy",
13246
13174
  description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
13247
13175
  implementationGroup: "IG2",
13248
- assetType: ["users"],
13176
+ assetType: ["Users"],
13249
13177
  securityFunction: ["Govern"],
13250
13178
  governanceElements: [ // Orange - MUST be met
13251
13179
  "establish and maintain a service provider management policy",
@@ -13364,7 +13292,7 @@ export class SafeguardManager {
13364
13292
  title: "Classify Service Providers",
13365
13293
  description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
13366
13294
  implementationGroup: "IG2",
13367
- assetType: ["users"],
13295
+ assetType: ["Users"],
13368
13296
  securityFunction: ["Govern"],
13369
13297
  governanceElements: [ // Orange - MUST be met
13370
13298
  "classify service providers",
@@ -13481,7 +13409,7 @@ export class SafeguardManager {
13481
13409
  title: "Ensure Service Provider Contracts Include Security Requirements",
13482
13410
  description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
13483
13411
  implementationGroup: "IG2",
13484
- assetType: ["users"],
13412
+ assetType: ["Users"],
13485
13413
  securityFunction: ["Govern"],
13486
13414
  governanceElements: [ // Orange - MUST be met
13487
13415
  "ensure service provider contracts include security requirements",
@@ -13597,7 +13525,7 @@ export class SafeguardManager {
13597
13525
  title: "Assess Service Providers",
13598
13526
  description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
13599
13527
  implementationGroup: "IG3",
13600
- assetType: ["users"],
13528
+ assetType: ["Users"],
13601
13529
  securityFunction: ["Govern"],
13602
13530
  governanceElements: [ // Orange - MUST be met
13603
13531
  "assess service providers consistent with enterprise's service provider management policy",
@@ -13713,7 +13641,7 @@ export class SafeguardManager {
13713
13641
  title: "Monitor Service Providers",
13714
13642
  description: "Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring",
13715
13643
  implementationGroup: "IG3",
13716
- assetType: ["data"],
13644
+ assetType: ["Data"],
13717
13645
  securityFunction: ["Govern"],
13718
13646
  governanceElements: [ // Orange - MUST be met
13719
13647
  "monitor service providers consistent with enterprise's service provider management policy",
@@ -13824,7 +13752,7 @@ export class SafeguardManager {
13824
13752
  title: "Securely Decommission Service Providers",
13825
13753
  description: "Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems",
13826
13754
  implementationGroup: "IG3",
13827
- assetType: ["data"],
13755
+ assetType: ["Data"],
13828
13756
  securityFunction: ["Protect"],
13829
13757
  governanceElements: [ // Orange - MUST be met
13830
13758
  "securely decommission service providers",
@@ -14836,7 +14764,7 @@ export class SafeguardManager {
14836
14764
  title: "Train Developers in Application Security Concepts and Secure Coding",
14837
14765
  description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
14838
14766
  implementationGroup: "IG2",
14839
- assetType: ["users"],
14767
+ assetType: ["Users"],
14840
14768
  securityFunction: ["Protect"],
14841
14769
  governanceElements: [ // Orange - MUST be met
14842
14770
  "ensure that all software development personnel receive training in writing secure code",
@@ -15516,7 +15444,7 @@ export class SafeguardManager {
15516
15444
  title: "Designate Personnel to Manage Incident Handling",
15517
15445
  description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15518
15446
  implementationGroup: "IG1",
15519
- assetType: ["users"],
15447
+ assetType: ["Users"],
15520
15448
  securityFunction: ["Respond"],
15521
15449
  governanceElements: [ // Orange - MUST be met
15522
15450
  "designate one key person and at least one backup who will manage the enterprise's incident handling process",
@@ -15628,7 +15556,7 @@ export class SafeguardManager {
15628
15556
  title: "Establish and Maintain Contact Information for Reporting Security Incidents",
15629
15557
  description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
15630
15558
  implementationGroup: "IG1",
15631
- assetType: ["users"],
15559
+ assetType: ["Users"],
15632
15560
  securityFunction: ["Respond"],
15633
15561
  governanceElements: [ // Orange - MUST be met
15634
15562
  "establish and maintain contact information for reporting security incidents",
@@ -15738,7 +15666,7 @@ export class SafeguardManager {
15738
15666
  title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
15739
15667
  description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15740
15668
  implementationGroup: "IG1",
15741
- assetType: ["users"],
15669
+ assetType: ["Users"],
15742
15670
  securityFunction: ["Govern"],
15743
15671
  governanceElements: [ // Orange - MUST be met
15744
15672
  "establish and maintain a documented enterprise process for the workforce to report security incidents",
@@ -15850,7 +15778,7 @@ export class SafeguardManager {
15850
15778
  title: "Establish and Maintain an Incident Response Process",
15851
15779
  description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15852
15780
  implementationGroup: "IG2",
15853
- assetType: ["users"],
15781
+ assetType: ["Users"],
15854
15782
  securityFunction: ["Govern"],
15855
15783
  governanceElements: [ // Orange - MUST be met
15856
15784
  "establish and maintain a documented incident response process",
@@ -15959,7 +15887,7 @@ export class SafeguardManager {
15959
15887
  title: "Assign Key Roles and Responsibilities",
15960
15888
  description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15961
15889
  implementationGroup: "IG2",
15962
- assetType: ["users"],
15890
+ assetType: ["Users"],
15963
15891
  securityFunction: ["Respond"],
15964
15892
  governanceElements: [ // Orange - MUST be met
15965
15893
  "assign key roles and responsibilities for incident response",
@@ -16071,7 +15999,7 @@ export class SafeguardManager {
16071
15999
  title: "Define Mechanisms for Communicating During Incident Response",
16072
16000
  description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
16073
16001
  implementationGroup: "IG2",
16074
- assetType: ["users"],
16002
+ assetType: ["Users"],
16075
16003
  securityFunction: ["Respond"],
16076
16004
  governanceElements: [ // Orange - MUST be met
16077
16005
  "determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
@@ -16182,7 +16110,7 @@ export class SafeguardManager {
16182
16110
  title: "Conduct Routine Incident Response Exercises",
16183
16111
  description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
16184
16112
  implementationGroup: "IG2",
16185
- assetType: ["users"],
16113
+ assetType: ["Users"],
16186
16114
  securityFunction: ["Recover"],
16187
16115
  governanceElements: [ // Orange - MUST be met
16188
16116
  "plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
@@ -16293,7 +16221,7 @@ export class SafeguardManager {
16293
16221
  title: "Conduct Post-Incident Reviews",
16294
16222
  description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
16295
16223
  implementationGroup: "IG2",
16296
- assetType: ["users"],
16224
+ assetType: ["Users"],
16297
16225
  securityFunction: ["Recover"],
16298
16226
  governanceElements: [ // Orange - MUST be met
16299
16227
  "conduct post-incident reviews"
@@ -16400,7 +16328,7 @@ export class SafeguardManager {
16400
16328
  title: "Establish and Maintain Security Incident Thresholds",
16401
16329
  description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
16402
16330
  implementationGroup: "IG3",
16403
- assetType: ["users"],
16331
+ assetType: ["Users"],
16404
16332
  securityFunction: ["Recover"],
16405
16333
  governanceElements: [ // Orange - MUST be met
16406
16334
  "establish and maintain security incident thresholds",