framework-mcp 2.4.3 → 2.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -14
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +105 -140
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +5 -5
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/package.json +2 -2
- package/src/core/safeguard-manager.ts +102 -137
- package/src/interfaces/http/http-server.ts +5 -5
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +2 -2
- package/swagger.json +5 -5
|
@@ -1974,19 +1974,17 @@ export class SafeguardManager {
|
|
|
1974
1974
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
1975
1975
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1976
1976
|
implementationGroup: "IG1",
|
|
1977
|
-
assetType: ["
|
|
1977
|
+
assetType: ["Docuemntation"],
|
|
1978
1978
|
securityFunction: ["Govern"],
|
|
1979
1979
|
governanceElements: [
|
|
1980
1980
|
"Establish",
|
|
1981
1981
|
"Maintain",
|
|
1982
|
-
"Documented Secure Configuration Process",
|
|
1983
1982
|
"Review and update documentation",
|
|
1984
1983
|
"Annually",
|
|
1985
1984
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1986
1985
|
],
|
|
1987
1986
|
coreRequirements: [
|
|
1988
|
-
"documented secure configuration process
|
|
1989
|
-
"documented secure configuration process for software"
|
|
1987
|
+
"documented secure configuration process"
|
|
1990
1988
|
],
|
|
1991
1989
|
subTaxonomicalElements: [
|
|
1992
1990
|
"Enterprise assets",
|
|
@@ -1996,12 +1994,9 @@ export class SafeguardManager {
|
|
|
1996
1994
|
"Portable",
|
|
1997
1995
|
"Non-computing/IoT devices",
|
|
1998
1996
|
"Servers",
|
|
1999
|
-
"OS"
|
|
2000
|
-
"Software"
|
|
1997
|
+
"OS"
|
|
2001
1998
|
],
|
|
2002
|
-
implementationSuggestions: [
|
|
2003
|
-
"Secure Configuration Policy / Process",
|
|
2004
|
-
"Configuration Management Tool"
|
|
1999
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2005
2000
|
],
|
|
2006
2001
|
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
|
|
2007
2002
|
systemPromptFull: {
|
|
@@ -2055,25 +2050,22 @@ export class SafeguardManager {
|
|
|
2055
2050
|
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
2056
2051
|
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2057
2052
|
implementationGroup: "IG1",
|
|
2058
|
-
assetType: ["
|
|
2053
|
+
assetType: ["Documentation"],
|
|
2059
2054
|
securityFunction: ["Govern"],
|
|
2060
2055
|
governanceElements: [
|
|
2061
2056
|
"Establish",
|
|
2062
2057
|
"Maintain",
|
|
2063
|
-
"Documented Secure Network Configuration Process",
|
|
2064
2058
|
"Review and update documentation",
|
|
2065
2059
|
"Annually",
|
|
2066
2060
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2067
2061
|
],
|
|
2068
2062
|
coreRequirements: [
|
|
2069
|
-
"documented secure configuration process
|
|
2063
|
+
"documented secure configuration process"
|
|
2070
2064
|
],
|
|
2071
2065
|
subTaxonomicalElements: [
|
|
2072
2066
|
"Network devices"
|
|
2073
2067
|
],
|
|
2074
|
-
implementationSuggestions: [
|
|
2075
|
-
"Secure Configuration Policy / Process",
|
|
2076
|
-
"Configuration Management Tool"
|
|
2068
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2077
2069
|
],
|
|
2078
2070
|
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
|
|
2079
2071
|
systemPromptFull: {
|
|
@@ -2127,7 +2119,7 @@ export class SafeguardManager {
|
|
|
2127
2119
|
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
2128
2120
|
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
2129
2121
|
implementationGroup: "IG1",
|
|
2130
|
-
assetType: ["
|
|
2122
|
+
assetType: ["Devices"],
|
|
2131
2123
|
securityFunction: ["Protect"],
|
|
2132
2124
|
governanceElements: [
|
|
2133
2125
|
"Configure",
|
|
@@ -2135,18 +2127,14 @@ export class SafeguardManager {
|
|
|
2135
2127
|
"Period must not exceed for 2 Minutes"
|
|
2136
2128
|
],
|
|
2137
2129
|
coreRequirements: [
|
|
2138
|
-
"automatic session locking on enterprise assets
|
|
2139
|
-
"general purpose operating systems",
|
|
2140
|
-
"mobile end-user devices"
|
|
2130
|
+
"automatic session locking on enterprise assets"
|
|
2141
2131
|
],
|
|
2142
2132
|
subTaxonomicalElements: [
|
|
2143
|
-
"Automatic Session Locking",
|
|
2144
2133
|
"Period of inactivity",
|
|
2145
2134
|
"General Purpose OSs",
|
|
2146
2135
|
"Mobile end-user devices"
|
|
2147
2136
|
],
|
|
2148
|
-
implementationSuggestions: [
|
|
2149
|
-
"Configuration Management Tool"
|
|
2137
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2150
2138
|
],
|
|
2151
2139
|
relatedSafeguards: ["4.1"],
|
|
2152
2140
|
systemPromptFull: {
|
|
@@ -2200,7 +2188,7 @@ export class SafeguardManager {
|
|
|
2200
2188
|
title: "Implement and Manage a Firewall on Servers",
|
|
2201
2189
|
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
2202
2190
|
implementationGroup: "IG1",
|
|
2203
|
-
assetType: ["
|
|
2191
|
+
assetType: ["Devices"],
|
|
2204
2192
|
securityFunction: ["Protect"],
|
|
2205
2193
|
governanceElements: [
|
|
2206
2194
|
"Implement",
|
|
@@ -2217,8 +2205,6 @@ export class SafeguardManager {
|
|
|
2217
2205
|
"Virtual Firewall",
|
|
2218
2206
|
"OS Firewall",
|
|
2219
2207
|
"Third Party Firewall",
|
|
2220
|
-
"Firewall",
|
|
2221
|
-
"Configuration Management Tool"
|
|
2222
2208
|
],
|
|
2223
2209
|
relatedSafeguards: ["4.1"],
|
|
2224
2210
|
systemPromptFull: {
|
|
@@ -2272,21 +2258,18 @@ export class SafeguardManager {
|
|
|
2272
2258
|
title: "Implement and Manage a Firewall on End-User Devices",
|
|
2273
2259
|
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
2274
2260
|
implementationGroup: "IG1",
|
|
2275
|
-
assetType: ["
|
|
2261
|
+
assetType: ["Devices"],
|
|
2276
2262
|
securityFunction: ["Protect"],
|
|
2277
2263
|
governanceElements: [
|
|
2278
2264
|
"Implement",
|
|
2279
|
-
"Manage"
|
|
2280
|
-
"Default deny rule that drops all traffic",
|
|
2281
|
-
"Except Explicitly Allowed"
|
|
2265
|
+
"Manage"
|
|
2282
2266
|
],
|
|
2283
2267
|
coreRequirements: [
|
|
2284
2268
|
"host-based firewall or port-filtering tool on end-user devices"
|
|
2285
2269
|
],
|
|
2286
2270
|
subTaxonomicalElements: [
|
|
2287
|
-
"
|
|
2288
|
-
"
|
|
2289
|
-
"End User Devices",
|
|
2271
|
+
"Default Deny Rule that drops all traffic",
|
|
2272
|
+
"Except Explicitly Allowed",
|
|
2290
2273
|
"Services",
|
|
2291
2274
|
"Ports"
|
|
2292
2275
|
],
|
|
@@ -2346,7 +2329,7 @@ export class SafeguardManager {
|
|
|
2346
2329
|
title: "Securely Manage Enterprise Assets and Software",
|
|
2347
2330
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
2348
2331
|
implementationGroup: "IG1",
|
|
2349
|
-
assetType: ["
|
|
2332
|
+
assetType: ["Devices"],
|
|
2350
2333
|
securityFunction: ["Protect"],
|
|
2351
2334
|
governanceElements: [
|
|
2352
2335
|
"Do not use insecure management protocols",
|
|
@@ -2356,16 +2339,14 @@ export class SafeguardManager {
|
|
|
2356
2339
|
"Securely manage enterprise assets and software"
|
|
2357
2340
|
],
|
|
2358
2341
|
subTaxonomicalElements: [
|
|
2359
|
-
"Securely manage enterprise assets and software"
|
|
2342
|
+
"Securely manage enterprise assets and software",
|
|
2343
|
+
"Do not use insecure management protocols unless operationally essential"
|
|
2360
2344
|
],
|
|
2361
2345
|
implementationSuggestions: [
|
|
2362
2346
|
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
2363
2347
|
"Accessing administrative interfaces over secure network protocols",
|
|
2364
|
-
"SSH",
|
|
2365
|
-
"HTTPS",
|
|
2366
|
-
"Telnet (Teletype Network)",
|
|
2367
|
-
"HTTP",
|
|
2368
|
-
"Configuration Management Tool"
|
|
2348
|
+
"SSH instead of TELNET",
|
|
2349
|
+
"HTTPS instead of HTTP",
|
|
2369
2350
|
],
|
|
2370
2351
|
relatedSafeguards: ["4.1", "12.3"],
|
|
2371
2352
|
systemPromptFull: {
|
|
@@ -2419,26 +2400,22 @@ export class SafeguardManager {
|
|
|
2419
2400
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
2420
2401
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
2421
2402
|
implementationGroup: "IG1",
|
|
2422
|
-
assetType: ["
|
|
2403
|
+
assetType: ["Users"],
|
|
2423
2404
|
securityFunction: ["Protect"],
|
|
2424
2405
|
governanceElements: [
|
|
2425
2406
|
"Manage"
|
|
2426
2407
|
],
|
|
2427
2408
|
coreRequirements: [
|
|
2428
|
-
"default accounts
|
|
2409
|
+
"default accounts"
|
|
2429
2410
|
],
|
|
2430
2411
|
subTaxonomicalElements: [
|
|
2431
|
-
"Default accounts",
|
|
2432
2412
|
"Enterprise assets",
|
|
2433
|
-
"Software"
|
|
2434
|
-
"Root",
|
|
2435
|
-
"Administrator",
|
|
2436
|
-
"Other pre-configured vendor accounts"
|
|
2413
|
+
"Software"
|
|
2437
2414
|
],
|
|
2438
2415
|
implementationSuggestions: [
|
|
2439
|
-
"Disabling",
|
|
2440
|
-
"Unusable",
|
|
2441
|
-
"
|
|
2416
|
+
"Disabling them",
|
|
2417
|
+
"making them Unusable",
|
|
2418
|
+
"Root, Administrator, or other pre-configured vendor accounts"
|
|
2442
2419
|
],
|
|
2443
2420
|
relatedSafeguards: ["4.1"],
|
|
2444
2421
|
systemPromptFull: {
|
|
@@ -2492,25 +2469,23 @@ export class SafeguardManager {
|
|
|
2492
2469
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
2493
2470
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
2494
2471
|
implementationGroup: "IG2",
|
|
2495
|
-
assetType: ["
|
|
2472
|
+
assetType: ["Devices", "Software"],
|
|
2496
2473
|
securityFunction: ["Protect"],
|
|
2497
2474
|
governanceElements: [
|
|
2498
2475
|
"Uninstall",
|
|
2499
2476
|
"Disable"
|
|
2500
2477
|
],
|
|
2501
2478
|
coreRequirements: [
|
|
2502
|
-
"unnecessary services
|
|
2479
|
+
"unnecessary services"
|
|
2503
2480
|
],
|
|
2504
2481
|
subTaxonomicalElements: [
|
|
2505
|
-
"Unnecessary Services",
|
|
2506
2482
|
"Enterprise assets",
|
|
2507
|
-
"Software"
|
|
2508
|
-
"Unused file sharing service",
|
|
2509
|
-
"Web application module",
|
|
2510
|
-
"Service function"
|
|
2483
|
+
"Software"
|
|
2511
2484
|
],
|
|
2512
2485
|
implementationSuggestions: [
|
|
2513
|
-
"
|
|
2486
|
+
"Unused File Sharing Services",
|
|
2487
|
+
"Web Application Module",
|
|
2488
|
+
"Service Function"
|
|
2514
2489
|
],
|
|
2515
2490
|
relatedSafeguards: ["4.1"],
|
|
2516
2491
|
systemPromptFull: {
|
|
@@ -2564,22 +2539,20 @@ export class SafeguardManager {
|
|
|
2564
2539
|
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
2565
2540
|
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
2566
2541
|
implementationGroup: "IG2",
|
|
2567
|
-
assetType: ["
|
|
2542
|
+
assetType: ["Devices"],
|
|
2568
2543
|
securityFunction: ["Protect"],
|
|
2569
2544
|
governanceElements: [
|
|
2570
2545
|
"Configure"
|
|
2571
2546
|
],
|
|
2572
2547
|
coreRequirements: [
|
|
2573
|
-
"trusted DNS servers
|
|
2548
|
+
"trusted DNS servers"
|
|
2574
2549
|
],
|
|
2575
2550
|
subTaxonomicalElements: [
|
|
2576
|
-
"Trusted DNS Servers",
|
|
2577
2551
|
"Enterprise assets"
|
|
2578
2552
|
],
|
|
2579
2553
|
implementationSuggestions: [
|
|
2580
2554
|
"Configuring assets to use enterprise-controlled DNS servers",
|
|
2581
|
-
"Reputable externally accessible DNS servers"
|
|
2582
|
-
"Configuration Management Tool"
|
|
2555
|
+
"Reputable externally accessible DNS servers"
|
|
2583
2556
|
],
|
|
2584
2557
|
relatedSafeguards: ["4.1", "8.6", "9.2"],
|
|
2585
2558
|
systemPromptFull: {
|
|
@@ -2633,7 +2606,7 @@ export class SafeguardManager {
|
|
|
2633
2606
|
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
2634
2607
|
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
2635
2608
|
implementationGroup: "IG2",
|
|
2636
|
-
assetType: ["
|
|
2609
|
+
assetType: ["Devices"],
|
|
2637
2610
|
securityFunction: ["Protect"],
|
|
2638
2611
|
governanceElements: [
|
|
2639
2612
|
"Enforce",
|
|
@@ -2642,14 +2615,13 @@ export class SafeguardManager {
|
|
|
2642
2615
|
"No more than 10 Failed Authentication Attempts"
|
|
2643
2616
|
],
|
|
2644
2617
|
coreRequirements: [
|
|
2645
|
-
"automatic device lockout
|
|
2618
|
+
"automatic device lockout"
|
|
2646
2619
|
],
|
|
2647
2620
|
subTaxonomicalElements: [
|
|
2648
|
-
"
|
|
2649
|
-
"
|
|
2650
|
-
"
|
|
2651
|
-
"
|
|
2652
|
-
"Tablets and smartphones"
|
|
2621
|
+
"After a Predetermined threshold of local failed authentication attempts",
|
|
2622
|
+
"On Portable end-user devices",
|
|
2623
|
+
"Such as Laptops",
|
|
2624
|
+
"Such as Tablets and smartphones"
|
|
2653
2625
|
],
|
|
2654
2626
|
implementationSuggestions: [
|
|
2655
2627
|
"Microsoft® InTune Device Lock",
|
|
@@ -2708,24 +2680,22 @@ export class SafeguardManager {
|
|
|
2708
2680
|
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
2709
2681
|
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
2710
2682
|
implementationGroup: "IG2",
|
|
2711
|
-
assetType: ["
|
|
2683
|
+
assetType: ["Devices"],
|
|
2712
2684
|
securityFunction: ["Protect"],
|
|
2713
2685
|
governanceElements: [
|
|
2714
2686
|
"When deemed appropriate"
|
|
2715
2687
|
],
|
|
2716
2688
|
coreRequirements: [
|
|
2717
|
-
"Remotely wipe enterprise data
|
|
2689
|
+
"Remotely wipe enterprise data"
|
|
2718
2690
|
],
|
|
2719
2691
|
subTaxonomicalElements: [
|
|
2720
|
-
"
|
|
2721
|
-
|
|
2692
|
+
"Portable end-user devices"
|
|
2693
|
+
],
|
|
2694
|
+
implementationSuggestions: [
|
|
2722
2695
|
"Lost devices",
|
|
2723
2696
|
"Stolen devices",
|
|
2724
2697
|
"When an individual no longer supports the enterprise"
|
|
2725
2698
|
],
|
|
2726
|
-
implementationSuggestions: [
|
|
2727
|
-
"Configuration Management Tool"
|
|
2728
|
-
],
|
|
2729
2699
|
relatedSafeguards: ["4.1"],
|
|
2730
2700
|
systemPromptFull: {
|
|
2731
2701
|
role: "Vendor Description Assistant and expert on CIS Controls",
|
|
@@ -2778,7 +2748,7 @@ export class SafeguardManager {
|
|
|
2778
2748
|
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
2779
2749
|
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
2780
2750
|
implementationGroup: "IG3",
|
|
2781
|
-
assetType: ["
|
|
2751
|
+
assetType: ["Data"],
|
|
2782
2752
|
securityFunction: ["Protect"],
|
|
2783
2753
|
governanceElements: [
|
|
2784
2754
|
"Ensure",
|
|
@@ -2788,17 +2758,12 @@ export class SafeguardManager {
|
|
|
2788
2758
|
"separate enterprise workspaces are used on mobile end-user devices"
|
|
2789
2759
|
],
|
|
2790
2760
|
subTaxonomicalElements: [
|
|
2791
|
-
"
|
|
2792
|
-
"
|
|
2793
|
-
"Enterprise Applications",
|
|
2794
|
-
"Enterprise Data",
|
|
2795
|
-
"Personal Applications",
|
|
2796
|
-
"Personal Data"
|
|
2761
|
+
"Enterprise Applications and Enterprise Data",
|
|
2762
|
+
"Seperate from Personal Applications and Personal Data"
|
|
2797
2763
|
],
|
|
2798
2764
|
implementationSuggestions: [
|
|
2799
2765
|
"Apple® Configuration Profile",
|
|
2800
|
-
"AndroidTM Work Profile"
|
|
2801
|
-
"Configuration Management Tool"
|
|
2766
|
+
"AndroidTM Work Profile"
|
|
2802
2767
|
],
|
|
2803
2768
|
relatedSafeguards: ["4.1"],
|
|
2804
2769
|
systemPromptFull: {
|
|
@@ -2852,7 +2817,7 @@ export class SafeguardManager {
|
|
|
2852
2817
|
title: "Establish and Maintain an Inventory of Accounts",
|
|
2853
2818
|
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
2854
2819
|
implementationGroup: "IG1",
|
|
2855
|
-
assetType: ["
|
|
2820
|
+
assetType: ["Users"],
|
|
2856
2821
|
securityFunction: ["Identify"],
|
|
2857
2822
|
governanceElements: [
|
|
2858
2823
|
"Establish and maintain an inventory of all accounts managed in the enterprise",
|
|
@@ -2935,7 +2900,7 @@ export class SafeguardManager {
|
|
|
2935
2900
|
title: "Use Unique Passwords",
|
|
2936
2901
|
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
2937
2902
|
implementationGroup: "IG1",
|
|
2938
|
-
assetType: ["
|
|
2903
|
+
assetType: ["Users"],
|
|
2939
2904
|
securityFunction: ["Protect"],
|
|
2940
2905
|
governanceElements: [
|
|
2941
2906
|
"Use unique passwords for all enterprise assets",
|
|
@@ -3007,7 +2972,7 @@ export class SafeguardManager {
|
|
|
3007
2972
|
title: "Disable Dormant Accounts",
|
|
3008
2973
|
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
3009
2974
|
implementationGroup: "IG1",
|
|
3010
|
-
assetType: ["
|
|
2975
|
+
assetType: ["Users"],
|
|
3011
2976
|
securityFunction: ["Protect"],
|
|
3012
2977
|
governanceElements: [
|
|
3013
2978
|
"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
|
|
@@ -3077,7 +3042,7 @@ export class SafeguardManager {
|
|
|
3077
3042
|
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
3078
3043
|
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
3079
3044
|
implementationGroup: "IG1",
|
|
3080
|
-
assetType: ["
|
|
3045
|
+
assetType: ["Users"],
|
|
3081
3046
|
securityFunction: ["Protect"],
|
|
3082
3047
|
governanceElements: [
|
|
3083
3048
|
"Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
|
|
@@ -3153,7 +3118,7 @@ export class SafeguardManager {
|
|
|
3153
3118
|
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
3154
3119
|
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
3155
3120
|
implementationGroup: "IG2",
|
|
3156
|
-
assetType: ["
|
|
3121
|
+
assetType: ["Users"],
|
|
3157
3122
|
securityFunction: ["Identify"],
|
|
3158
3123
|
governanceElements: [
|
|
3159
3124
|
"Establish and maintain an inventory of service accounts",
|
|
@@ -3232,7 +3197,7 @@ export class SafeguardManager {
|
|
|
3232
3197
|
title: "Centralize Account Management",
|
|
3233
3198
|
description: "Centralize account management through a directory or identity service.",
|
|
3234
3199
|
implementationGroup: "IG2",
|
|
3235
|
-
assetType: ["
|
|
3200
|
+
assetType: ["Users"],
|
|
3236
3201
|
securityFunction: ["Govern"],
|
|
3237
3202
|
governanceElements: [
|
|
3238
3203
|
"Centralize account management through a directory or identity service"
|
|
@@ -3302,7 +3267,7 @@ export class SafeguardManager {
|
|
|
3302
3267
|
title: "Establish an Access Granting Process",
|
|
3303
3268
|
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
3304
3269
|
implementationGroup: "IG1",
|
|
3305
|
-
assetType: ["
|
|
3270
|
+
assetType: ["Users"],
|
|
3306
3271
|
securityFunction: ["Govern"],
|
|
3307
3272
|
governanceElements: [
|
|
3308
3273
|
"Establish",
|
|
@@ -3379,7 +3344,7 @@ export class SafeguardManager {
|
|
|
3379
3344
|
title: "Establish an Access Revoking Process",
|
|
3380
3345
|
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
3381
3346
|
implementationGroup: "IG1",
|
|
3382
|
-
assetType: ["
|
|
3347
|
+
assetType: ["Users"],
|
|
3383
3348
|
securityFunction: ["Govern"],
|
|
3384
3349
|
governanceElements: [
|
|
3385
3350
|
"Establish",
|
|
@@ -3461,7 +3426,7 @@ export class SafeguardManager {
|
|
|
3461
3426
|
title: "Require MFA for Externally-Exposed Applications",
|
|
3462
3427
|
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
3463
3428
|
implementationGroup: "IG1",
|
|
3464
|
-
assetType: ["
|
|
3429
|
+
assetType: ["Users"],
|
|
3465
3430
|
securityFunction: ["Protect"],
|
|
3466
3431
|
governanceElements: [
|
|
3467
3432
|
"Require",
|
|
@@ -3536,7 +3501,7 @@ export class SafeguardManager {
|
|
|
3536
3501
|
title: "Require MFA for Remote Network Access",
|
|
3537
3502
|
description: "Require MFA for remote network access.",
|
|
3538
3503
|
implementationGroup: "IG1",
|
|
3539
|
-
assetType: ["
|
|
3504
|
+
assetType: ["Users"],
|
|
3540
3505
|
securityFunction: ["Protect"],
|
|
3541
3506
|
governanceElements: [
|
|
3542
3507
|
"Require",
|
|
@@ -3606,7 +3571,7 @@ export class SafeguardManager {
|
|
|
3606
3571
|
title: "Require MFA for Administrative Access",
|
|
3607
3572
|
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
3608
3573
|
implementationGroup: "IG1",
|
|
3609
|
-
assetType: ["
|
|
3574
|
+
assetType: ["Users"],
|
|
3610
3575
|
securityFunction: ["Protect"],
|
|
3611
3576
|
governanceElements: [
|
|
3612
3577
|
"Require",
|
|
@@ -3759,7 +3724,7 @@ export class SafeguardManager {
|
|
|
3759
3724
|
title: "Centralize Access Control",
|
|
3760
3725
|
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
3761
3726
|
implementationGroup: "IG2",
|
|
3762
|
-
assetType: ["
|
|
3727
|
+
assetType: ["Users"],
|
|
3763
3728
|
securityFunction: ["Protect"],
|
|
3764
3729
|
governanceElements: [
|
|
3765
3730
|
"Centralize",
|
|
@@ -3837,7 +3802,7 @@ export class SafeguardManager {
|
|
|
3837
3802
|
title: "Define and Maintain Role-Based Access Control",
|
|
3838
3803
|
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
3839
3804
|
implementationGroup: "IG3",
|
|
3840
|
-
assetType: ["
|
|
3805
|
+
assetType: ["Users"],
|
|
3841
3806
|
securityFunction: ["Govern"],
|
|
3842
3807
|
governanceElements: [
|
|
3843
3808
|
"Define",
|
|
@@ -4087,7 +4052,7 @@ export class SafeguardManager {
|
|
|
4087
4052
|
title: "Perform Automated Operating System Patch Management",
|
|
4088
4053
|
description: "Perform automated operating system patch management on enterprise assets",
|
|
4089
4054
|
implementationGroup: "IG1",
|
|
4090
|
-
assetType: ["
|
|
4055
|
+
assetType: ["Devices"],
|
|
4091
4056
|
securityFunction: ["Protect"],
|
|
4092
4057
|
governanceElements: [
|
|
4093
4058
|
"perform automated OS patch management",
|
|
@@ -4251,7 +4216,7 @@ export class SafeguardManager {
|
|
|
4251
4216
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
4252
4217
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
4253
4218
|
implementationGroup: "IG2",
|
|
4254
|
-
assetType: ["
|
|
4219
|
+
assetType: ["Devices", "Software"],
|
|
4255
4220
|
securityFunction: ["Detect"],
|
|
4256
4221
|
governanceElements: [
|
|
4257
4222
|
"perform automated vulnerability scans",
|
|
@@ -4333,7 +4298,7 @@ export class SafeguardManager {
|
|
|
4333
4298
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
4334
4299
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
4335
4300
|
implementationGroup: "IG2",
|
|
4336
|
-
assetType: ["
|
|
4301
|
+
assetType: ["Devices", "Software"],
|
|
4337
4302
|
securityFunction: ["Detect"],
|
|
4338
4303
|
governanceElements: [
|
|
4339
4304
|
"perform automated vulnerability scans",
|
|
@@ -5429,7 +5394,7 @@ export class SafeguardManager {
|
|
|
5429
5394
|
title: "Use DNS Filtering Services",
|
|
5430
5395
|
description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
|
|
5431
5396
|
implementationGroup: "IG1",
|
|
5432
|
-
assetType: ["
|
|
5397
|
+
assetType: ["Devices", "network"],
|
|
5433
5398
|
securityFunction: ["Protect"],
|
|
5434
5399
|
governanceElements: [
|
|
5435
5400
|
"use DNS filtering services on all end-user devices",
|
|
@@ -5901,7 +5866,7 @@ export class SafeguardManager {
|
|
|
5901
5866
|
title: "Deploy and Maintain Anti-Malware Software",
|
|
5902
5867
|
description: "Deploy and maintain anti-malware software on all enterprise assets",
|
|
5903
5868
|
implementationGroup: "IG1",
|
|
5904
|
-
assetType: ["
|
|
5869
|
+
assetType: ["Devices"],
|
|
5905
5870
|
securityFunction: ["Detect"],
|
|
5906
5871
|
governanceElements: [
|
|
5907
5872
|
"deploy anti-malware software",
|
|
@@ -5980,7 +5945,7 @@ export class SafeguardManager {
|
|
|
5980
5945
|
title: "Configure Automatic Anti-Malware Signature Updates",
|
|
5981
5946
|
description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
|
|
5982
5947
|
implementationGroup: "IG1",
|
|
5983
|
-
assetType: ["
|
|
5948
|
+
assetType: ["Devices"],
|
|
5984
5949
|
securityFunction: ["Protect"],
|
|
5985
5950
|
governanceElements: [
|
|
5986
5951
|
"configure automatic updates",
|
|
@@ -6054,7 +6019,7 @@ export class SafeguardManager {
|
|
|
6054
6019
|
title: "Disable Autorun and Autoplay for Removable Media",
|
|
6055
6020
|
description: "Disable autorun and autoplay auto-execute functionality for removable media",
|
|
6056
6021
|
implementationGroup: "IG1",
|
|
6057
|
-
assetType: ["
|
|
6022
|
+
assetType: ["Devices"],
|
|
6058
6023
|
securityFunction: ["Protect"],
|
|
6059
6024
|
governanceElements: [
|
|
6060
6025
|
"disable autorun functionality",
|
|
@@ -6133,7 +6098,7 @@ export class SafeguardManager {
|
|
|
6133
6098
|
title: "Configure Automatic Anti-Malware Scanning of Removable Media",
|
|
6134
6099
|
description: "Configure anti-malware software to automatically scan removable media",
|
|
6135
6100
|
implementationGroup: "IG2",
|
|
6136
|
-
assetType: ["
|
|
6101
|
+
assetType: ["Devices"],
|
|
6137
6102
|
securityFunction: ["Detect"],
|
|
6138
6103
|
governanceElements: [
|
|
6139
6104
|
"configure anti-malware software",
|
|
@@ -6211,7 +6176,7 @@ export class SafeguardManager {
|
|
|
6211
6176
|
title: "Enable Anti-Exploitation Features",
|
|
6212
6177
|
description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
|
|
6213
6178
|
implementationGroup: "IG2",
|
|
6214
|
-
assetType: ["
|
|
6179
|
+
assetType: ["Devices"],
|
|
6215
6180
|
securityFunction: ["Protect"],
|
|
6216
6181
|
governanceElements: [
|
|
6217
6182
|
"enable anti-exploitation features",
|
|
@@ -6291,7 +6256,7 @@ export class SafeguardManager {
|
|
|
6291
6256
|
title: "Centrally Manage Anti-Malware Software",
|
|
6292
6257
|
description: "Centrally manage anti-malware software",
|
|
6293
6258
|
implementationGroup: "IG2",
|
|
6294
|
-
assetType: ["
|
|
6259
|
+
assetType: ["Devices"],
|
|
6295
6260
|
securityFunction: ["Protect"],
|
|
6296
6261
|
governanceElements: [
|
|
6297
6262
|
"centrally manage anti-malware",
|
|
@@ -6367,7 +6332,7 @@ export class SafeguardManager {
|
|
|
6367
6332
|
title: "Use Behavior-Based Anti-Malware Software",
|
|
6368
6333
|
description: "Use behavior-based anti-malware software",
|
|
6369
6334
|
implementationGroup: "IG2",
|
|
6370
|
-
assetType: ["
|
|
6335
|
+
assetType: ["Devices"],
|
|
6371
6336
|
securityFunction: ["Detect"],
|
|
6372
6337
|
governanceElements: [
|
|
6373
6338
|
"use behavior-based anti-malware",
|
|
@@ -7335,7 +7300,7 @@ export class SafeguardManager {
|
|
|
7335
7300
|
title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
|
|
7336
7301
|
description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
|
|
7337
7302
|
implementationGroup: "IG2",
|
|
7338
|
-
assetType: ["
|
|
7303
|
+
assetType: ["Devices"],
|
|
7339
7304
|
securityFunction: ["Protect"],
|
|
7340
7305
|
governanceElements: [
|
|
7341
7306
|
"require users to authenticate to enterprise-managed VPN",
|
|
@@ -7415,7 +7380,7 @@ export class SafeguardManager {
|
|
|
7415
7380
|
title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
|
|
7416
7381
|
description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
|
|
7417
7382
|
implementationGroup: "IG3",
|
|
7418
|
-
assetType: ["
|
|
7383
|
+
assetType: ["Devices"],
|
|
7419
7384
|
securityFunction: ["Protect"],
|
|
7420
7385
|
governanceElements: [
|
|
7421
7386
|
"establish dedicated computing resources for administrative work",
|
|
@@ -7497,7 +7462,7 @@ export class SafeguardManager {
|
|
|
7497
7462
|
title: "Centralize Security Event Alerting",
|
|
7498
7463
|
description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
|
|
7499
7464
|
implementationGroup: "IG2",
|
|
7500
|
-
assetType: ["network", "
|
|
7465
|
+
assetType: ["network", "Devices"],
|
|
7501
7466
|
securityFunction: ["Detect"],
|
|
7502
7467
|
governanceElements: [
|
|
7503
7468
|
"centralize security event alerting across enterprise assets",
|
|
@@ -7576,7 +7541,7 @@ export class SafeguardManager {
|
|
|
7576
7541
|
title: "Deploy a Host-Based Intrusion Detection Solution",
|
|
7577
7542
|
description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
|
|
7578
7543
|
implementationGroup: "IG2",
|
|
7579
|
-
assetType: ["
|
|
7544
|
+
assetType: ["Devices"],
|
|
7580
7545
|
securityFunction: ["Detect"],
|
|
7581
7546
|
governanceElements: [
|
|
7582
7547
|
"deploy host-based intrusion detection solution",
|
|
@@ -7802,7 +7767,7 @@ export class SafeguardManager {
|
|
|
7802
7767
|
title: "Manage Access Control for Remote Assets",
|
|
7803
7768
|
description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
|
|
7804
7769
|
implementationGroup: "IG2",
|
|
7805
|
-
assetType: ["
|
|
7770
|
+
assetType: ["Devices", "network"],
|
|
7806
7771
|
securityFunction: ["Protect"],
|
|
7807
7772
|
governanceElements: [
|
|
7808
7773
|
"manage access control for assets remotely connecting to enterprise networks",
|
|
@@ -7956,7 +7921,7 @@ export class SafeguardManager {
|
|
|
7956
7921
|
title: "Deploy a Host-Based Intrusion Prevention Solution",
|
|
7957
7922
|
description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
|
|
7958
7923
|
implementationGroup: "IG3",
|
|
7959
|
-
assetType: ["
|
|
7924
|
+
assetType: ["Devices"],
|
|
7960
7925
|
securityFunction: ["Respond"],
|
|
7961
7926
|
governanceElements: [
|
|
7962
7927
|
"deploy host-based intrusion prevention solution",
|
|
@@ -8257,7 +8222,7 @@ export class SafeguardManager {
|
|
|
8257
8222
|
title: "Tune Security Event Alerting Thresholds",
|
|
8258
8223
|
description: "Tune security event alerting thresholds monthly, or more frequently",
|
|
8259
8224
|
implementationGroup: "IG3",
|
|
8260
|
-
assetType: ["network", "
|
|
8225
|
+
assetType: ["network", "Devices"],
|
|
8261
8226
|
securityFunction: ["Detect"],
|
|
8262
8227
|
governanceElements: [
|
|
8263
8228
|
"tune security event alerting thresholds",
|
|
@@ -8331,7 +8296,7 @@ export class SafeguardManager {
|
|
|
8331
8296
|
title: "Establish and Maintain a Security Awareness Program",
|
|
8332
8297
|
description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
8333
8298
|
implementationGroup: "IG1",
|
|
8334
|
-
assetType: ["
|
|
8299
|
+
assetType: ["Users"],
|
|
8335
8300
|
securityFunction: ["Govern"],
|
|
8336
8301
|
governanceElements: [
|
|
8337
8302
|
"establish and maintain a security awareness program",
|
|
@@ -8413,7 +8378,7 @@ export class SafeguardManager {
|
|
|
8413
8378
|
title: "Train Workforce Members to Recognize Social Engineering Attacks",
|
|
8414
8379
|
description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
|
|
8415
8380
|
implementationGroup: "IG1",
|
|
8416
|
-
assetType: ["
|
|
8381
|
+
assetType: ["Users"],
|
|
8417
8382
|
securityFunction: ["Protect"],
|
|
8418
8383
|
governanceElements: [
|
|
8419
8384
|
"train workforce members to recognize social engineering attacks",
|
|
@@ -8492,7 +8457,7 @@ export class SafeguardManager {
|
|
|
8492
8457
|
title: "Train Workforce Members on Authentication Best Practices",
|
|
8493
8458
|
description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
|
|
8494
8459
|
implementationGroup: "IG1",
|
|
8495
|
-
assetType: ["
|
|
8460
|
+
assetType: ["Users"],
|
|
8496
8461
|
securityFunction: ["Protect"],
|
|
8497
8462
|
governanceElements: [
|
|
8498
8463
|
"train workforce members on authentication best practices",
|
|
@@ -8569,7 +8534,7 @@ export class SafeguardManager {
|
|
|
8569
8534
|
title: "Train Workforce on Data Handling Best Practices",
|
|
8570
8535
|
description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
|
|
8571
8536
|
implementationGroup: "IG1",
|
|
8572
|
-
assetType: ["
|
|
8537
|
+
assetType: ["Users"],
|
|
8573
8538
|
securityFunction: ["Protect"],
|
|
8574
8539
|
governanceElements: [
|
|
8575
8540
|
"train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
|
|
@@ -8654,7 +8619,7 @@ export class SafeguardManager {
|
|
|
8654
8619
|
title: "Train Workforce Members on Causes of Unintentional Data Exposure",
|
|
8655
8620
|
description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
|
|
8656
8621
|
implementationGroup: "IG1",
|
|
8657
|
-
assetType: ["
|
|
8622
|
+
assetType: ["Users"],
|
|
8658
8623
|
securityFunction: ["Protect"],
|
|
8659
8624
|
governanceElements: [
|
|
8660
8625
|
"train workforce members to be aware of causes for unintentional data exposure",
|
|
@@ -8731,7 +8696,7 @@ export class SafeguardManager {
|
|
|
8731
8696
|
title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
|
|
8732
8697
|
description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
|
|
8733
8698
|
implementationGroup: "IG1",
|
|
8734
|
-
assetType: ["
|
|
8699
|
+
assetType: ["Users"],
|
|
8735
8700
|
securityFunction: ["Protect"],
|
|
8736
8701
|
governanceElements: [
|
|
8737
8702
|
"train workforce members to be able to recognize a potential incident",
|
|
@@ -8806,7 +8771,7 @@ export class SafeguardManager {
|
|
|
8806
8771
|
title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
|
|
8807
8772
|
description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
|
|
8808
8773
|
implementationGroup: "IG1",
|
|
8809
|
-
assetType: ["
|
|
8774
|
+
assetType: ["Users"],
|
|
8810
8775
|
securityFunction: ["Protect"],
|
|
8811
8776
|
governanceElements: [
|
|
8812
8777
|
"train workforce to understand how to verify and report out-of-date software patches",
|
|
@@ -8887,7 +8852,7 @@ export class SafeguardManager {
|
|
|
8887
8852
|
title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
|
|
8888
8853
|
description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
|
|
8889
8854
|
implementationGroup: "IG1",
|
|
8890
|
-
assetType: ["
|
|
8855
|
+
assetType: ["Users"],
|
|
8891
8856
|
securityFunction: ["Protect"],
|
|
8892
8857
|
governanceElements: [
|
|
8893
8858
|
"train workforce members on dangers of connecting to and transmitting data over insecure networks",
|
|
@@ -8967,7 +8932,7 @@ export class SafeguardManager {
|
|
|
8967
8932
|
title: "Conduct Role-Specific Security Awareness and Skills Training",
|
|
8968
8933
|
description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
|
|
8969
8934
|
implementationGroup: "IG2",
|
|
8970
|
-
assetType: ["
|
|
8935
|
+
assetType: ["Users"],
|
|
8971
8936
|
securityFunction: ["Protect"],
|
|
8972
8937
|
governanceElements: [
|
|
8973
8938
|
"conduct role-specific security awareness and skills training",
|
|
@@ -9045,7 +9010,7 @@ export class SafeguardManager {
|
|
|
9045
9010
|
title: "Establish and Maintain an Inventory of Service Providers",
|
|
9046
9011
|
description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9047
9012
|
implementationGroup: "IG1",
|
|
9048
|
-
assetType: ["
|
|
9013
|
+
assetType: ["Users"],
|
|
9049
9014
|
securityFunction: ["Identify"],
|
|
9050
9015
|
governanceElements: [
|
|
9051
9016
|
"establish and maintain an inventory of service providers",
|
|
@@ -9125,7 +9090,7 @@ export class SafeguardManager {
|
|
|
9125
9090
|
title: "Establish and Maintain a Service Provider Management Policy",
|
|
9126
9091
|
description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9127
9092
|
implementationGroup: "IG2",
|
|
9128
|
-
assetType: ["
|
|
9093
|
+
assetType: ["Users"],
|
|
9129
9094
|
securityFunction: ["Govern"],
|
|
9130
9095
|
governanceElements: [
|
|
9131
9096
|
"establish and maintain a service provider management policy",
|
|
@@ -9210,7 +9175,7 @@ export class SafeguardManager {
|
|
|
9210
9175
|
title: "Classify Service Providers",
|
|
9211
9176
|
description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9212
9177
|
implementationGroup: "IG2",
|
|
9213
|
-
assetType: ["
|
|
9178
|
+
assetType: ["Users"],
|
|
9214
9179
|
securityFunction: ["Govern"],
|
|
9215
9180
|
governanceElements: [
|
|
9216
9181
|
"classify service providers",
|
|
@@ -9293,7 +9258,7 @@ export class SafeguardManager {
|
|
|
9293
9258
|
title: "Ensure Service Provider Contracts Include Security Requirements",
|
|
9294
9259
|
description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
|
|
9295
9260
|
implementationGroup: "IG2",
|
|
9296
|
-
assetType: ["
|
|
9261
|
+
assetType: ["Users"],
|
|
9297
9262
|
securityFunction: ["Govern"],
|
|
9298
9263
|
governanceElements: [
|
|
9299
9264
|
"ensure service provider contracts include security requirements",
|
|
@@ -9375,7 +9340,7 @@ export class SafeguardManager {
|
|
|
9375
9340
|
title: "Assess Service Providers",
|
|
9376
9341
|
description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
|
|
9377
9342
|
implementationGroup: "IG3",
|
|
9378
|
-
assetType: ["
|
|
9343
|
+
assetType: ["Users"],
|
|
9379
9344
|
securityFunction: ["Govern"],
|
|
9380
9345
|
governanceElements: [
|
|
9381
9346
|
"assess service providers consistent with enterprise's service provider management policy",
|
|
@@ -10240,7 +10205,7 @@ export class SafeguardManager {
|
|
|
10240
10205
|
title: "Train Developers in Application Security Concepts and Secure Coding",
|
|
10241
10206
|
description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
|
|
10242
10207
|
implementationGroup: "IG2",
|
|
10243
|
-
assetType: ["
|
|
10208
|
+
assetType: ["Users"],
|
|
10244
10209
|
securityFunction: ["Protect"],
|
|
10245
10210
|
governanceElements: [
|
|
10246
10211
|
"ensure that all software development personnel receive training in writing secure code",
|
|
@@ -10716,7 +10681,7 @@ export class SafeguardManager {
|
|
|
10716
10681
|
title: "Designate Personnel to Manage Incident Handling",
|
|
10717
10682
|
description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10718
10683
|
implementationGroup: "IG1",
|
|
10719
|
-
assetType: ["
|
|
10684
|
+
assetType: ["Users"],
|
|
10720
10685
|
securityFunction: ["Respond"],
|
|
10721
10686
|
governanceElements: [
|
|
10722
10687
|
"designate one key person and at least one backup who will manage the enterprise's incident handling process",
|
|
@@ -10794,7 +10759,7 @@ export class SafeguardManager {
|
|
|
10794
10759
|
title: "Establish and Maintain Contact Information for Reporting Security Incidents",
|
|
10795
10760
|
description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
|
|
10796
10761
|
implementationGroup: "IG1",
|
|
10797
|
-
assetType: ["
|
|
10762
|
+
assetType: ["Users"],
|
|
10798
10763
|
securityFunction: ["Respond"],
|
|
10799
10764
|
governanceElements: [
|
|
10800
10765
|
"establish and maintain contact information for reporting security incidents",
|
|
@@ -10870,7 +10835,7 @@ export class SafeguardManager {
|
|
|
10870
10835
|
title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
|
|
10871
10836
|
description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10872
10837
|
implementationGroup: "IG1",
|
|
10873
|
-
assetType: ["
|
|
10838
|
+
assetType: ["Users"],
|
|
10874
10839
|
securityFunction: ["Govern"],
|
|
10875
10840
|
governanceElements: [
|
|
10876
10841
|
"establish and maintain a documented enterprise process for the workforce to report security incidents",
|
|
@@ -10948,7 +10913,7 @@ export class SafeguardManager {
|
|
|
10948
10913
|
title: "Establish and Maintain an Incident Response Process",
|
|
10949
10914
|
description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10950
10915
|
implementationGroup: "IG2",
|
|
10951
|
-
assetType: ["
|
|
10916
|
+
assetType: ["Users"],
|
|
10952
10917
|
securityFunction: ["Govern"],
|
|
10953
10918
|
governanceElements: [
|
|
10954
10919
|
"establish and maintain a documented incident response process",
|
|
@@ -11023,7 +10988,7 @@ export class SafeguardManager {
|
|
|
11023
10988
|
title: "Assign Key Roles and Responsibilities",
|
|
11024
10989
|
description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11025
10990
|
implementationGroup: "IG2",
|
|
11026
|
-
assetType: ["
|
|
10991
|
+
assetType: ["Users"],
|
|
11027
10992
|
securityFunction: ["Respond"],
|
|
11028
10993
|
governanceElements: [
|
|
11029
10994
|
"assign key roles and responsibilities for incident response",
|
|
@@ -11101,7 +11066,7 @@ export class SafeguardManager {
|
|
|
11101
11066
|
title: "Define Mechanisms for Communicating During Incident Response",
|
|
11102
11067
|
description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11103
11068
|
implementationGroup: "IG2",
|
|
11104
|
-
assetType: ["
|
|
11069
|
+
assetType: ["Users"],
|
|
11105
11070
|
securityFunction: ["Respond"],
|
|
11106
11071
|
governanceElements: [
|
|
11107
11072
|
"determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
|
|
@@ -11178,7 +11143,7 @@ export class SafeguardManager {
|
|
|
11178
11143
|
title: "Conduct Routine Incident Response Exercises",
|
|
11179
11144
|
description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
|
|
11180
11145
|
implementationGroup: "IG2",
|
|
11181
|
-
assetType: ["
|
|
11146
|
+
assetType: ["Users"],
|
|
11182
11147
|
securityFunction: ["Recover"],
|
|
11183
11148
|
governanceElements: [
|
|
11184
11149
|
"plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
|
|
@@ -11255,7 +11220,7 @@ export class SafeguardManager {
|
|
|
11255
11220
|
title: "Conduct Post-Incident Reviews",
|
|
11256
11221
|
description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
|
|
11257
11222
|
implementationGroup: "IG2",
|
|
11258
|
-
assetType: ["
|
|
11223
|
+
assetType: ["Users"],
|
|
11259
11224
|
securityFunction: ["Recover"],
|
|
11260
11225
|
governanceElements: [
|
|
11261
11226
|
"conduct post-incident reviews"
|
|
@@ -11328,7 +11293,7 @@ export class SafeguardManager {
|
|
|
11328
11293
|
title: "Establish and Maintain Security Incident Thresholds",
|
|
11329
11294
|
description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11330
11295
|
implementationGroup: "IG3",
|
|
11331
|
-
assetType: ["
|
|
11296
|
+
assetType: ["Users"],
|
|
11332
11297
|
securityFunction: ["Recover"],
|
|
11333
11298
|
governanceElements: [
|
|
11334
11299
|
"establish and maintain security incident thresholds",
|