framework-mcp 2.4.3 → 2.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -14
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +105 -140
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +5 -5
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/package.json +2 -2
- package/src/core/safeguard-manager.ts +102 -137
- package/src/interfaces/http/http-server.ts +5 -5
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +2 -2
- package/swagger.json +5 -5
|
@@ -2895,19 +2895,17 @@ export class SafeguardManager {
|
|
|
2895
2895
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
2896
2896
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2897
2897
|
implementationGroup: "IG1",
|
|
2898
|
-
assetType: ["
|
|
2898
|
+
assetType: ["Docuemntation"],
|
|
2899
2899
|
securityFunction: ["Govern"],
|
|
2900
2900
|
governanceElements: [ // Orange - MUST be met
|
|
2901
2901
|
"Establish",
|
|
2902
2902
|
"Maintain",
|
|
2903
|
-
"Documented Secure Configuration Process",
|
|
2904
2903
|
"Review and update documentation",
|
|
2905
2904
|
"Annually",
|
|
2906
2905
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2907
2906
|
],
|
|
2908
2907
|
coreRequirements: [ // Green - The "what"
|
|
2909
|
-
"documented secure configuration process
|
|
2910
|
-
"documented secure configuration process for software"
|
|
2908
|
+
"documented secure configuration process"
|
|
2911
2909
|
],
|
|
2912
2910
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2913
2911
|
"Enterprise assets",
|
|
@@ -2917,12 +2915,9 @@ export class SafeguardManager {
|
|
|
2917
2915
|
"Portable",
|
|
2918
2916
|
"Non-computing/IoT devices",
|
|
2919
2917
|
"Servers",
|
|
2920
|
-
"OS"
|
|
2921
|
-
"Software"
|
|
2918
|
+
"OS"
|
|
2922
2919
|
],
|
|
2923
2920
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2924
|
-
"Secure Configuration Policy / Process",
|
|
2925
|
-
"Configuration Management Tool"
|
|
2926
2921
|
],
|
|
2927
2922
|
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
|
|
2928
2923
|
systemPromptFull: {
|
|
@@ -3010,25 +3005,22 @@ export class SafeguardManager {
|
|
|
3010
3005
|
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
3011
3006
|
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
3012
3007
|
implementationGroup: "IG1",
|
|
3013
|
-
assetType: ["
|
|
3008
|
+
assetType: ["Documentation"],
|
|
3014
3009
|
securityFunction: ["Govern"],
|
|
3015
3010
|
governanceElements: [ // Orange - MUST be met
|
|
3016
3011
|
"Establish",
|
|
3017
3012
|
"Maintain",
|
|
3018
|
-
"Documented Secure Network Configuration Process",
|
|
3019
3013
|
"Review and update documentation",
|
|
3020
3014
|
"Annually",
|
|
3021
3015
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
3022
3016
|
],
|
|
3023
3017
|
coreRequirements: [ // Green - The "what"
|
|
3024
|
-
"documented secure configuration process
|
|
3018
|
+
"documented secure configuration process"
|
|
3025
3019
|
],
|
|
3026
3020
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3027
3021
|
"Network devices"
|
|
3028
3022
|
],
|
|
3029
3023
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3030
|
-
"Secure Configuration Policy / Process",
|
|
3031
|
-
"Configuration Management Tool"
|
|
3032
3024
|
],
|
|
3033
3025
|
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
|
|
3034
3026
|
systemPromptFull: {
|
|
@@ -3116,7 +3108,7 @@ export class SafeguardManager {
|
|
|
3116
3108
|
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
3117
3109
|
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
3118
3110
|
implementationGroup: "IG1",
|
|
3119
|
-
assetType: ["
|
|
3111
|
+
assetType: ["Devices"],
|
|
3120
3112
|
securityFunction: ["Protect"],
|
|
3121
3113
|
governanceElements: [ // Orange - MUST be met
|
|
3122
3114
|
"Configure",
|
|
@@ -3124,18 +3116,14 @@ export class SafeguardManager {
|
|
|
3124
3116
|
"Period must not exceed for 2 Minutes"
|
|
3125
3117
|
],
|
|
3126
3118
|
coreRequirements: [ // Green - The "what"
|
|
3127
|
-
"automatic session locking on enterprise assets
|
|
3128
|
-
"general purpose operating systems",
|
|
3129
|
-
"mobile end-user devices"
|
|
3119
|
+
"automatic session locking on enterprise assets"
|
|
3130
3120
|
],
|
|
3131
3121
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3132
|
-
"Automatic Session Locking",
|
|
3133
3122
|
"Period of inactivity",
|
|
3134
3123
|
"General Purpose OSs",
|
|
3135
3124
|
"Mobile end-user devices"
|
|
3136
3125
|
],
|
|
3137
3126
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3138
|
-
"Configuration Management Tool"
|
|
3139
3127
|
],
|
|
3140
3128
|
relatedSafeguards: ["4.1"],
|
|
3141
3129
|
systemPromptFull: {
|
|
@@ -3223,7 +3211,7 @@ export class SafeguardManager {
|
|
|
3223
3211
|
title: "Implement and Manage a Firewall on Servers",
|
|
3224
3212
|
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
3225
3213
|
implementationGroup: "IG1",
|
|
3226
|
-
assetType: ["
|
|
3214
|
+
assetType: ["Devices"],
|
|
3227
3215
|
securityFunction: ["Protect"],
|
|
3228
3216
|
governanceElements: [ // Orange - MUST be met
|
|
3229
3217
|
"Implement",
|
|
@@ -3240,8 +3228,6 @@ export class SafeguardManager {
|
|
|
3240
3228
|
"Virtual Firewall",
|
|
3241
3229
|
"OS Firewall",
|
|
3242
3230
|
"Third Party Firewall",
|
|
3243
|
-
"Firewall",
|
|
3244
|
-
"Configuration Management Tool"
|
|
3245
3231
|
],
|
|
3246
3232
|
relatedSafeguards: ["4.1"],
|
|
3247
3233
|
systemPromptFull: {
|
|
@@ -3329,21 +3315,18 @@ export class SafeguardManager {
|
|
|
3329
3315
|
title: "Implement and Manage a Firewall on End-User Devices",
|
|
3330
3316
|
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
3331
3317
|
implementationGroup: "IG1",
|
|
3332
|
-
assetType: ["
|
|
3318
|
+
assetType: ["Devices"],
|
|
3333
3319
|
securityFunction: ["Protect"],
|
|
3334
3320
|
governanceElements: [ // Orange - MUST be met
|
|
3335
3321
|
"Implement",
|
|
3336
|
-
"Manage"
|
|
3337
|
-
"Default deny rule that drops all traffic",
|
|
3338
|
-
"Except Explicitly Allowed"
|
|
3322
|
+
"Manage"
|
|
3339
3323
|
],
|
|
3340
3324
|
coreRequirements: [ // Green - The "what"
|
|
3341
3325
|
"host-based firewall or port-filtering tool on end-user devices"
|
|
3342
3326
|
],
|
|
3343
3327
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3344
|
-
"
|
|
3345
|
-
"
|
|
3346
|
-
"End User Devices",
|
|
3328
|
+
"Default Deny Rule that drops all traffic",
|
|
3329
|
+
"Except Explicitly Allowed",
|
|
3347
3330
|
"Services",
|
|
3348
3331
|
"Ports"
|
|
3349
3332
|
],
|
|
@@ -3437,7 +3420,7 @@ export class SafeguardManager {
|
|
|
3437
3420
|
title: "Securely Manage Enterprise Assets and Software",
|
|
3438
3421
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
3439
3422
|
implementationGroup: "IG1",
|
|
3440
|
-
assetType: ["
|
|
3423
|
+
assetType: ["Devices"],
|
|
3441
3424
|
securityFunction: ["Protect"],
|
|
3442
3425
|
governanceElements: [ // Orange - MUST be met
|
|
3443
3426
|
"Do not use insecure management protocols",
|
|
@@ -3447,16 +3430,14 @@ export class SafeguardManager {
|
|
|
3447
3430
|
"Securely manage enterprise assets and software"
|
|
3448
3431
|
],
|
|
3449
3432
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3450
|
-
"Securely manage enterprise assets and software"
|
|
3433
|
+
"Securely manage enterprise assets and software",
|
|
3434
|
+
"Do not use insecure management protocols unless operationally essential"
|
|
3451
3435
|
],
|
|
3452
3436
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3453
3437
|
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
3454
3438
|
"Accessing administrative interfaces over secure network protocols",
|
|
3455
|
-
"SSH",
|
|
3456
|
-
"HTTPS",
|
|
3457
|
-
"Telnet (Teletype Network)",
|
|
3458
|
-
"HTTP",
|
|
3459
|
-
"Configuration Management Tool"
|
|
3439
|
+
"SSH instead of TELNET",
|
|
3440
|
+
"HTTPS instead of HTTP",
|
|
3460
3441
|
],
|
|
3461
3442
|
relatedSafeguards: ["4.1", "12.3"],
|
|
3462
3443
|
systemPromptFull: {
|
|
@@ -3544,26 +3525,22 @@ export class SafeguardManager {
|
|
|
3544
3525
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
3545
3526
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
3546
3527
|
implementationGroup: "IG1",
|
|
3547
|
-
assetType: ["
|
|
3528
|
+
assetType: ["Users"],
|
|
3548
3529
|
securityFunction: ["Protect"],
|
|
3549
3530
|
governanceElements: [ // Orange - MUST be met
|
|
3550
3531
|
"Manage"
|
|
3551
3532
|
],
|
|
3552
3533
|
coreRequirements: [ // Green - The "what"
|
|
3553
|
-
"default accounts
|
|
3534
|
+
"default accounts"
|
|
3554
3535
|
],
|
|
3555
3536
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3556
|
-
"Default accounts",
|
|
3557
3537
|
"Enterprise assets",
|
|
3558
|
-
"Software"
|
|
3559
|
-
"Root",
|
|
3560
|
-
"Administrator",
|
|
3561
|
-
"Other pre-configured vendor accounts"
|
|
3538
|
+
"Software"
|
|
3562
3539
|
],
|
|
3563
3540
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3564
|
-
"Disabling",
|
|
3565
|
-
"Unusable",
|
|
3566
|
-
"
|
|
3541
|
+
"Disabling them",
|
|
3542
|
+
"making them Unusable",
|
|
3543
|
+
"Root, Administrator, or other pre-configured vendor accounts"
|
|
3567
3544
|
],
|
|
3568
3545
|
relatedSafeguards: ["4.1"],
|
|
3569
3546
|
systemPromptFull: {
|
|
@@ -3651,25 +3628,23 @@ export class SafeguardManager {
|
|
|
3651
3628
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
3652
3629
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
3653
3630
|
implementationGroup: "IG2",
|
|
3654
|
-
assetType: ["
|
|
3631
|
+
assetType: ["Devices", "Software"],
|
|
3655
3632
|
securityFunction: ["Protect"],
|
|
3656
3633
|
governanceElements: [ // Orange - MUST be met
|
|
3657
3634
|
"Uninstall",
|
|
3658
3635
|
"Disable"
|
|
3659
3636
|
],
|
|
3660
3637
|
coreRequirements: [ // Green - The "what"
|
|
3661
|
-
"unnecessary services
|
|
3638
|
+
"unnecessary services"
|
|
3662
3639
|
],
|
|
3663
3640
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3664
|
-
"Unnecessary Services",
|
|
3665
3641
|
"Enterprise assets",
|
|
3666
|
-
"Software"
|
|
3667
|
-
"Unused file sharing service",
|
|
3668
|
-
"Web application module",
|
|
3669
|
-
"Service function"
|
|
3642
|
+
"Software"
|
|
3670
3643
|
],
|
|
3671
3644
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3672
|
-
"
|
|
3645
|
+
"Unused File Sharing Services",
|
|
3646
|
+
"Web Application Module",
|
|
3647
|
+
"Service Function"
|
|
3673
3648
|
],
|
|
3674
3649
|
relatedSafeguards: ["4.1"],
|
|
3675
3650
|
systemPromptFull: {
|
|
@@ -3757,22 +3732,20 @@ export class SafeguardManager {
|
|
|
3757
3732
|
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
3758
3733
|
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
3759
3734
|
implementationGroup: "IG2",
|
|
3760
|
-
assetType: ["
|
|
3735
|
+
assetType: ["Devices"],
|
|
3761
3736
|
securityFunction: ["Protect"],
|
|
3762
3737
|
governanceElements: [ // Orange - MUST be met
|
|
3763
3738
|
"Configure"
|
|
3764
3739
|
],
|
|
3765
3740
|
coreRequirements: [ // Green - The "what"
|
|
3766
|
-
"trusted DNS servers
|
|
3741
|
+
"trusted DNS servers"
|
|
3767
3742
|
],
|
|
3768
3743
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3769
|
-
"Trusted DNS Servers",
|
|
3770
3744
|
"Enterprise assets"
|
|
3771
3745
|
],
|
|
3772
3746
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3773
3747
|
"Configuring assets to use enterprise-controlled DNS servers",
|
|
3774
|
-
"Reputable externally accessible DNS servers"
|
|
3775
|
-
"Configuration Management Tool"
|
|
3748
|
+
"Reputable externally accessible DNS servers"
|
|
3776
3749
|
],
|
|
3777
3750
|
relatedSafeguards: ["4.1", "8.6", "9.2"],
|
|
3778
3751
|
systemPromptFull: {
|
|
@@ -3860,7 +3833,7 @@ export class SafeguardManager {
|
|
|
3860
3833
|
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
3861
3834
|
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
3862
3835
|
implementationGroup: "IG2",
|
|
3863
|
-
assetType: ["
|
|
3836
|
+
assetType: ["Devices"],
|
|
3864
3837
|
securityFunction: ["Protect"],
|
|
3865
3838
|
governanceElements: [ // Orange - MUST be met
|
|
3866
3839
|
"Enforce",
|
|
@@ -3869,14 +3842,13 @@ export class SafeguardManager {
|
|
|
3869
3842
|
"No more than 10 Failed Authentication Attempts"
|
|
3870
3843
|
],
|
|
3871
3844
|
coreRequirements: [ // Green - The "what"
|
|
3872
|
-
"automatic device lockout
|
|
3845
|
+
"automatic device lockout"
|
|
3873
3846
|
],
|
|
3874
3847
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3875
|
-
"
|
|
3876
|
-
"
|
|
3877
|
-
"
|
|
3878
|
-
"
|
|
3879
|
-
"Tablets and smartphones"
|
|
3848
|
+
"After a Predetermined threshold of local failed authentication attempts",
|
|
3849
|
+
"On Portable end-user devices",
|
|
3850
|
+
"Such as Laptops",
|
|
3851
|
+
"Such as Tablets and smartphones"
|
|
3880
3852
|
],
|
|
3881
3853
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3882
3854
|
"Microsoft® InTune Device Lock",
|
|
@@ -3969,24 +3941,22 @@ export class SafeguardManager {
|
|
|
3969
3941
|
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
3970
3942
|
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
3971
3943
|
implementationGroup: "IG2",
|
|
3972
|
-
assetType: ["
|
|
3944
|
+
assetType: ["Devices"],
|
|
3973
3945
|
securityFunction: ["Protect"],
|
|
3974
3946
|
governanceElements: [ // Orange - MUST be met
|
|
3975
3947
|
"When deemed appropriate"
|
|
3976
3948
|
],
|
|
3977
3949
|
coreRequirements: [ // Green - The "what"
|
|
3978
|
-
"Remotely wipe enterprise data
|
|
3950
|
+
"Remotely wipe enterprise data"
|
|
3979
3951
|
],
|
|
3980
3952
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3981
|
-
"
|
|
3982
|
-
|
|
3953
|
+
"Portable end-user devices"
|
|
3954
|
+
],
|
|
3955
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3983
3956
|
"Lost devices",
|
|
3984
3957
|
"Stolen devices",
|
|
3985
3958
|
"When an individual no longer supports the enterprise"
|
|
3986
3959
|
],
|
|
3987
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3988
|
-
"Configuration Management Tool"
|
|
3989
|
-
],
|
|
3990
3960
|
relatedSafeguards: ["4.1"],
|
|
3991
3961
|
systemPromptFull: {
|
|
3992
3962
|
|
|
@@ -4073,7 +4043,7 @@ export class SafeguardManager {
|
|
|
4073
4043
|
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
4074
4044
|
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
4075
4045
|
implementationGroup: "IG3",
|
|
4076
|
-
assetType: ["
|
|
4046
|
+
assetType: ["Data"],
|
|
4077
4047
|
securityFunction: ["Protect"],
|
|
4078
4048
|
governanceElements: [ // Orange - MUST be met
|
|
4079
4049
|
"Ensure",
|
|
@@ -4083,17 +4053,12 @@ export class SafeguardManager {
|
|
|
4083
4053
|
"separate enterprise workspaces are used on mobile end-user devices"
|
|
4084
4054
|
],
|
|
4085
4055
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4086
|
-
"
|
|
4087
|
-
"
|
|
4088
|
-
"Enterprise Applications",
|
|
4089
|
-
"Enterprise Data",
|
|
4090
|
-
"Personal Applications",
|
|
4091
|
-
"Personal Data"
|
|
4056
|
+
"Enterprise Applications and Enterprise Data",
|
|
4057
|
+
"Seperate from Personal Applications and Personal Data"
|
|
4092
4058
|
],
|
|
4093
4059
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4094
4060
|
"Apple® Configuration Profile",
|
|
4095
|
-
"AndroidTM Work Profile"
|
|
4096
|
-
"Configuration Management Tool"
|
|
4061
|
+
"AndroidTM Work Profile"
|
|
4097
4062
|
],
|
|
4098
4063
|
relatedSafeguards: ["4.1"],
|
|
4099
4064
|
systemPromptFull: {
|
|
@@ -4181,7 +4146,7 @@ export class SafeguardManager {
|
|
|
4181
4146
|
title: "Establish and Maintain an Inventory of Accounts",
|
|
4182
4147
|
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
4183
4148
|
implementationGroup: "IG1",
|
|
4184
|
-
assetType: ["
|
|
4149
|
+
assetType: ["Users"],
|
|
4185
4150
|
securityFunction: ["Identify"],
|
|
4186
4151
|
governanceElements: [ // Orange - MUST be met
|
|
4187
4152
|
"Establish and maintain an inventory of all accounts managed in the enterprise",
|
|
@@ -4298,7 +4263,7 @@ export class SafeguardManager {
|
|
|
4298
4263
|
title: "Use Unique Passwords",
|
|
4299
4264
|
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
4300
4265
|
implementationGroup: "IG1",
|
|
4301
|
-
assetType: ["
|
|
4266
|
+
assetType: ["Users"],
|
|
4302
4267
|
securityFunction: ["Protect"],
|
|
4303
4268
|
governanceElements: [ // Orange - MUST be met
|
|
4304
4269
|
"Use unique passwords for all enterprise assets",
|
|
@@ -4404,7 +4369,7 @@ export class SafeguardManager {
|
|
|
4404
4369
|
title: "Disable Dormant Accounts",
|
|
4405
4370
|
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
4406
4371
|
implementationGroup: "IG1",
|
|
4407
|
-
assetType: ["
|
|
4372
|
+
assetType: ["Users"],
|
|
4408
4373
|
securityFunction: ["Protect"],
|
|
4409
4374
|
governanceElements: [ // Orange - MUST be met
|
|
4410
4375
|
"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
|
|
@@ -4508,7 +4473,7 @@ export class SafeguardManager {
|
|
|
4508
4473
|
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
4509
4474
|
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
4510
4475
|
implementationGroup: "IG1",
|
|
4511
|
-
assetType: ["
|
|
4476
|
+
assetType: ["Users"],
|
|
4512
4477
|
securityFunction: ["Protect"],
|
|
4513
4478
|
governanceElements: [ // Orange - MUST be met
|
|
4514
4479
|
"Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
|
|
@@ -4618,7 +4583,7 @@ export class SafeguardManager {
|
|
|
4618
4583
|
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
4619
4584
|
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
4620
4585
|
implementationGroup: "IG2",
|
|
4621
|
-
assetType: ["
|
|
4586
|
+
assetType: ["Users"],
|
|
4622
4587
|
securityFunction: ["Identify"],
|
|
4623
4588
|
governanceElements: [ // Orange - MUST be met
|
|
4624
4589
|
"Establish and maintain an inventory of service accounts",
|
|
@@ -4731,7 +4696,7 @@ export class SafeguardManager {
|
|
|
4731
4696
|
title: "Centralize Account Management",
|
|
4732
4697
|
description: "Centralize account management through a directory or identity service.",
|
|
4733
4698
|
implementationGroup: "IG2",
|
|
4734
|
-
assetType: ["
|
|
4699
|
+
assetType: ["Users"],
|
|
4735
4700
|
securityFunction: ["Govern"],
|
|
4736
4701
|
governanceElements: [ // Orange - MUST be met
|
|
4737
4702
|
"Centralize account management through a directory or identity service"
|
|
@@ -4835,7 +4800,7 @@ export class SafeguardManager {
|
|
|
4835
4800
|
title: "Establish an Access Granting Process",
|
|
4836
4801
|
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
4837
4802
|
implementationGroup: "IG1",
|
|
4838
|
-
assetType: ["
|
|
4803
|
+
assetType: ["Users"],
|
|
4839
4804
|
securityFunction: ["Govern"],
|
|
4840
4805
|
governanceElements: [ // Orange - MUST be met
|
|
4841
4806
|
"Establish",
|
|
@@ -4946,7 +4911,7 @@ export class SafeguardManager {
|
|
|
4946
4911
|
title: "Establish an Access Revoking Process",
|
|
4947
4912
|
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
4948
4913
|
implementationGroup: "IG1",
|
|
4949
|
-
assetType: ["
|
|
4914
|
+
assetType: ["Users"],
|
|
4950
4915
|
securityFunction: ["Govern"],
|
|
4951
4916
|
governanceElements: [ // Orange - MUST be met
|
|
4952
4917
|
"Establish",
|
|
@@ -5062,7 +5027,7 @@ export class SafeguardManager {
|
|
|
5062
5027
|
title: "Require MFA for Externally-Exposed Applications",
|
|
5063
5028
|
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
5064
5029
|
implementationGroup: "IG1",
|
|
5065
|
-
assetType: ["
|
|
5030
|
+
assetType: ["Users"],
|
|
5066
5031
|
securityFunction: ["Protect"],
|
|
5067
5032
|
governanceElements: [ // Orange - MUST be met
|
|
5068
5033
|
"Require",
|
|
@@ -5171,7 +5136,7 @@ export class SafeguardManager {
|
|
|
5171
5136
|
title: "Require MFA for Remote Network Access",
|
|
5172
5137
|
description: "Require MFA for remote network access.",
|
|
5173
5138
|
implementationGroup: "IG1",
|
|
5174
|
-
assetType: ["
|
|
5139
|
+
assetType: ["Users"],
|
|
5175
5140
|
securityFunction: ["Protect"],
|
|
5176
5141
|
governanceElements: [ // Orange - MUST be met
|
|
5177
5142
|
"Require",
|
|
@@ -5275,7 +5240,7 @@ export class SafeguardManager {
|
|
|
5275
5240
|
title: "Require MFA for Administrative Access",
|
|
5276
5241
|
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
5277
5242
|
implementationGroup: "IG1",
|
|
5278
|
-
assetType: ["
|
|
5243
|
+
assetType: ["Users"],
|
|
5279
5244
|
securityFunction: ["Protect"],
|
|
5280
5245
|
governanceElements: [ // Orange - MUST be met
|
|
5281
5246
|
"Require",
|
|
@@ -5496,7 +5461,7 @@ export class SafeguardManager {
|
|
|
5496
5461
|
title: "Centralize Access Control",
|
|
5497
5462
|
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
5498
5463
|
implementationGroup: "IG2",
|
|
5499
|
-
assetType: ["
|
|
5464
|
+
assetType: ["Users"],
|
|
5500
5465
|
securityFunction: ["Protect"],
|
|
5501
5466
|
governanceElements: [ // Orange - MUST be met
|
|
5502
5467
|
"Centralize",
|
|
@@ -5608,7 +5573,7 @@ export class SafeguardManager {
|
|
|
5608
5573
|
title: "Define and Maintain Role-Based Access Control",
|
|
5609
5574
|
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
5610
5575
|
implementationGroup: "IG3",
|
|
5611
|
-
assetType: ["
|
|
5576
|
+
assetType: ["Users"],
|
|
5612
5577
|
securityFunction: ["Govern"],
|
|
5613
5578
|
governanceElements: [ // Orange - MUST be met
|
|
5614
5579
|
"Define",
|
|
@@ -5960,7 +5925,7 @@ export class SafeguardManager {
|
|
|
5960
5925
|
title: "Perform Automated Operating System Patch Management",
|
|
5961
5926
|
description: "Perform automated operating system patch management on enterprise assets",
|
|
5962
5927
|
implementationGroup: "IG1",
|
|
5963
|
-
assetType: ["
|
|
5928
|
+
assetType: ["Devices"],
|
|
5964
5929
|
securityFunction: ["Protect"],
|
|
5965
5930
|
governanceElements: [ // Orange - MUST be met
|
|
5966
5931
|
"perform automated OS patch management",
|
|
@@ -6192,7 +6157,7 @@ export class SafeguardManager {
|
|
|
6192
6157
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
6193
6158
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
6194
6159
|
implementationGroup: "IG2",
|
|
6195
|
-
assetType: ["
|
|
6160
|
+
assetType: ["Devices", "Software"],
|
|
6196
6161
|
securityFunction: ["Detect"],
|
|
6197
6162
|
governanceElements: [ // Orange - MUST be met
|
|
6198
6163
|
"perform automated vulnerability scans",
|
|
@@ -6308,7 +6273,7 @@ export class SafeguardManager {
|
|
|
6308
6273
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
6309
6274
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
6310
6275
|
implementationGroup: "IG2",
|
|
6311
|
-
assetType: ["
|
|
6276
|
+
assetType: ["Devices", "Software"],
|
|
6312
6277
|
securityFunction: ["Detect"],
|
|
6313
6278
|
governanceElements: [ // Orange - MUST be met
|
|
6314
6279
|
"perform automated vulnerability scans",
|
|
@@ -7914,7 +7879,7 @@ export class SafeguardManager {
|
|
|
7914
7879
|
title: "Use DNS Filtering Services",
|
|
7915
7880
|
description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
|
|
7916
7881
|
implementationGroup: "IG1",
|
|
7917
|
-
assetType: ["
|
|
7882
|
+
assetType: ["Devices", "network"],
|
|
7918
7883
|
securityFunction: ["Protect"],
|
|
7919
7884
|
governanceElements: [ // Orange - MUST be met
|
|
7920
7885
|
"use DNS filtering services on all end-user devices",
|
|
@@ -8590,7 +8555,7 @@ export class SafeguardManager {
|
|
|
8590
8555
|
title: "Deploy and Maintain Anti-Malware Software",
|
|
8591
8556
|
description: "Deploy and maintain anti-malware software on all enterprise assets",
|
|
8592
8557
|
implementationGroup: "IG1",
|
|
8593
|
-
assetType: ["
|
|
8558
|
+
assetType: ["Devices"],
|
|
8594
8559
|
securityFunction: ["Detect"],
|
|
8595
8560
|
governanceElements: [ // Orange - MUST be met
|
|
8596
8561
|
"deploy anti-malware software",
|
|
@@ -8703,7 +8668,7 @@ export class SafeguardManager {
|
|
|
8703
8668
|
title: "Configure Automatic Anti-Malware Signature Updates",
|
|
8704
8669
|
description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
|
|
8705
8670
|
implementationGroup: "IG1",
|
|
8706
|
-
assetType: ["
|
|
8671
|
+
assetType: ["Devices"],
|
|
8707
8672
|
securityFunction: ["Protect"],
|
|
8708
8673
|
governanceElements: [ // Orange - MUST be met
|
|
8709
8674
|
"configure automatic updates",
|
|
@@ -8811,7 +8776,7 @@ export class SafeguardManager {
|
|
|
8811
8776
|
title: "Disable Autorun and Autoplay for Removable Media",
|
|
8812
8777
|
description: "Disable autorun and autoplay auto-execute functionality for removable media",
|
|
8813
8778
|
implementationGroup: "IG1",
|
|
8814
|
-
assetType: ["
|
|
8779
|
+
assetType: ["Devices"],
|
|
8815
8780
|
securityFunction: ["Protect"],
|
|
8816
8781
|
governanceElements: [ // Orange - MUST be met
|
|
8817
8782
|
"disable autorun functionality",
|
|
@@ -8924,7 +8889,7 @@ export class SafeguardManager {
|
|
|
8924
8889
|
title: "Configure Automatic Anti-Malware Scanning of Removable Media",
|
|
8925
8890
|
description: "Configure anti-malware software to automatically scan removable media",
|
|
8926
8891
|
implementationGroup: "IG2",
|
|
8927
|
-
assetType: ["
|
|
8892
|
+
assetType: ["Devices"],
|
|
8928
8893
|
securityFunction: ["Detect"],
|
|
8929
8894
|
governanceElements: [ // Orange - MUST be met
|
|
8930
8895
|
"configure anti-malware software",
|
|
@@ -9036,7 +9001,7 @@ export class SafeguardManager {
|
|
|
9036
9001
|
title: "Enable Anti-Exploitation Features",
|
|
9037
9002
|
description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
|
|
9038
9003
|
implementationGroup: "IG2",
|
|
9039
|
-
assetType: ["
|
|
9004
|
+
assetType: ["Devices"],
|
|
9040
9005
|
securityFunction: ["Protect"],
|
|
9041
9006
|
governanceElements: [ // Orange - MUST be met
|
|
9042
9007
|
"enable anti-exploitation features",
|
|
@@ -9150,7 +9115,7 @@ export class SafeguardManager {
|
|
|
9150
9115
|
title: "Centrally Manage Anti-Malware Software",
|
|
9151
9116
|
description: "Centrally manage anti-malware software",
|
|
9152
9117
|
implementationGroup: "IG2",
|
|
9153
|
-
assetType: ["
|
|
9118
|
+
assetType: ["Devices"],
|
|
9154
9119
|
securityFunction: ["Protect"],
|
|
9155
9120
|
governanceElements: [ // Orange - MUST be met
|
|
9156
9121
|
"centrally manage anti-malware",
|
|
@@ -9260,7 +9225,7 @@ export class SafeguardManager {
|
|
|
9260
9225
|
title: "Use Behavior-Based Anti-Malware Software",
|
|
9261
9226
|
description: "Use behavior-based anti-malware software",
|
|
9262
9227
|
implementationGroup: "IG2",
|
|
9263
|
-
assetType: ["
|
|
9228
|
+
assetType: ["Devices"],
|
|
9264
9229
|
securityFunction: ["Detect"],
|
|
9265
9230
|
governanceElements: [ // Orange - MUST be met
|
|
9266
9231
|
"use behavior-based anti-malware",
|
|
@@ -10636,7 +10601,7 @@ export class SafeguardManager {
|
|
|
10636
10601
|
title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
|
|
10637
10602
|
description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
|
|
10638
10603
|
implementationGroup: "IG2",
|
|
10639
|
-
assetType: ["
|
|
10604
|
+
assetType: ["Devices"],
|
|
10640
10605
|
securityFunction: ["Protect"],
|
|
10641
10606
|
governanceElements: [ // Orange - MUST be met
|
|
10642
10607
|
"require users to authenticate to enterprise-managed VPN",
|
|
@@ -10750,7 +10715,7 @@ export class SafeguardManager {
|
|
|
10750
10715
|
title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
|
|
10751
10716
|
description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
|
|
10752
10717
|
implementationGroup: "IG3",
|
|
10753
|
-
assetType: ["
|
|
10718
|
+
assetType: ["Devices"],
|
|
10754
10719
|
securityFunction: ["Protect"],
|
|
10755
10720
|
governanceElements: [ // Orange - MUST be met
|
|
10756
10721
|
"establish dedicated computing resources for administrative work",
|
|
@@ -10866,7 +10831,7 @@ export class SafeguardManager {
|
|
|
10866
10831
|
title: "Centralize Security Event Alerting",
|
|
10867
10832
|
description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
|
|
10868
10833
|
implementationGroup: "IG2",
|
|
10869
|
-
assetType: ["network", "
|
|
10834
|
+
assetType: ["network", "Devices"],
|
|
10870
10835
|
securityFunction: ["Detect"],
|
|
10871
10836
|
governanceElements: [ // Orange - MUST be met
|
|
10872
10837
|
"centralize security event alerting across enterprise assets",
|
|
@@ -10979,7 +10944,7 @@ export class SafeguardManager {
|
|
|
10979
10944
|
title: "Deploy a Host-Based Intrusion Detection Solution",
|
|
10980
10945
|
description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
|
|
10981
10946
|
implementationGroup: "IG2",
|
|
10982
|
-
assetType: ["
|
|
10947
|
+
assetType: ["Devices"],
|
|
10983
10948
|
securityFunction: ["Detect"],
|
|
10984
10949
|
governanceElements: [ // Orange - MUST be met
|
|
10985
10950
|
"deploy host-based intrusion detection solution",
|
|
@@ -11307,7 +11272,7 @@ export class SafeguardManager {
|
|
|
11307
11272
|
title: "Manage Access Control for Remote Assets",
|
|
11308
11273
|
description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
|
|
11309
11274
|
implementationGroup: "IG2",
|
|
11310
|
-
assetType: ["
|
|
11275
|
+
assetType: ["Devices", "network"],
|
|
11311
11276
|
securityFunction: ["Protect"],
|
|
11312
11277
|
governanceElements: [ // Orange - MUST be met
|
|
11313
11278
|
"manage access control for assets remotely connecting to enterprise networks",
|
|
@@ -11529,7 +11494,7 @@ export class SafeguardManager {
|
|
|
11529
11494
|
title: "Deploy a Host-Based Intrusion Prevention Solution",
|
|
11530
11495
|
description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
|
|
11531
11496
|
implementationGroup: "IG3",
|
|
11532
|
-
assetType: ["
|
|
11497
|
+
assetType: ["Devices"],
|
|
11533
11498
|
securityFunction: ["Respond"],
|
|
11534
11499
|
governanceElements: [ // Orange - MUST be met
|
|
11535
11500
|
"deploy host-based intrusion prevention solution",
|
|
@@ -11966,7 +11931,7 @@ export class SafeguardManager {
|
|
|
11966
11931
|
title: "Tune Security Event Alerting Thresholds",
|
|
11967
11932
|
description: "Tune security event alerting thresholds monthly, or more frequently",
|
|
11968
11933
|
implementationGroup: "IG3",
|
|
11969
|
-
assetType: ["network", "
|
|
11934
|
+
assetType: ["network", "Devices"],
|
|
11970
11935
|
securityFunction: ["Detect"],
|
|
11971
11936
|
governanceElements: [ // Orange - MUST be met
|
|
11972
11937
|
"tune security event alerting thresholds",
|
|
@@ -12074,7 +12039,7 @@ export class SafeguardManager {
|
|
|
12074
12039
|
title: "Establish and Maintain a Security Awareness Program",
|
|
12075
12040
|
description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
12076
12041
|
implementationGroup: "IG1",
|
|
12077
|
-
assetType: ["
|
|
12042
|
+
assetType: ["Users"],
|
|
12078
12043
|
securityFunction: ["Govern"],
|
|
12079
12044
|
governanceElements: [ // Orange - MUST be met
|
|
12080
12045
|
"establish and maintain a security awareness program",
|
|
@@ -12190,7 +12155,7 @@ export class SafeguardManager {
|
|
|
12190
12155
|
title: "Train Workforce Members to Recognize Social Engineering Attacks",
|
|
12191
12156
|
description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
|
|
12192
12157
|
implementationGroup: "IG1",
|
|
12193
|
-
assetType: ["
|
|
12158
|
+
assetType: ["Users"],
|
|
12194
12159
|
securityFunction: ["Protect"],
|
|
12195
12160
|
governanceElements: [ // Orange - MUST be met
|
|
12196
12161
|
"train workforce members to recognize social engineering attacks",
|
|
@@ -12303,7 +12268,7 @@ export class SafeguardManager {
|
|
|
12303
12268
|
title: "Train Workforce Members on Authentication Best Practices",
|
|
12304
12269
|
description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
|
|
12305
12270
|
implementationGroup: "IG1",
|
|
12306
|
-
assetType: ["
|
|
12271
|
+
assetType: ["Users"],
|
|
12307
12272
|
securityFunction: ["Protect"],
|
|
12308
12273
|
governanceElements: [ // Orange - MUST be met
|
|
12309
12274
|
"train workforce members on authentication best practices",
|
|
@@ -12414,7 +12379,7 @@ export class SafeguardManager {
|
|
|
12414
12379
|
title: "Train Workforce on Data Handling Best Practices",
|
|
12415
12380
|
description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
|
|
12416
12381
|
implementationGroup: "IG1",
|
|
12417
|
-
assetType: ["
|
|
12382
|
+
assetType: ["Users"],
|
|
12418
12383
|
securityFunction: ["Protect"],
|
|
12419
12384
|
governanceElements: [ // Orange - MUST be met
|
|
12420
12385
|
"train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
|
|
@@ -12533,7 +12498,7 @@ export class SafeguardManager {
|
|
|
12533
12498
|
title: "Train Workforce Members on Causes of Unintentional Data Exposure",
|
|
12534
12499
|
description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
|
|
12535
12500
|
implementationGroup: "IG1",
|
|
12536
|
-
assetType: ["
|
|
12501
|
+
assetType: ["Users"],
|
|
12537
12502
|
securityFunction: ["Protect"],
|
|
12538
12503
|
governanceElements: [ // Orange - MUST be met
|
|
12539
12504
|
"train workforce members to be aware of causes for unintentional data exposure",
|
|
@@ -12644,7 +12609,7 @@ export class SafeguardManager {
|
|
|
12644
12609
|
title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
|
|
12645
12610
|
description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
|
|
12646
12611
|
implementationGroup: "IG1",
|
|
12647
|
-
assetType: ["
|
|
12612
|
+
assetType: ["Users"],
|
|
12648
12613
|
securityFunction: ["Protect"],
|
|
12649
12614
|
governanceElements: [ // Orange - MUST be met
|
|
12650
12615
|
"train workforce members to be able to recognize a potential incident",
|
|
@@ -12753,7 +12718,7 @@ export class SafeguardManager {
|
|
|
12753
12718
|
title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
|
|
12754
12719
|
description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
|
|
12755
12720
|
implementationGroup: "IG1",
|
|
12756
|
-
assetType: ["
|
|
12721
|
+
assetType: ["Users"],
|
|
12757
12722
|
securityFunction: ["Protect"],
|
|
12758
12723
|
governanceElements: [ // Orange - MUST be met
|
|
12759
12724
|
"train workforce to understand how to verify and report out-of-date software patches",
|
|
@@ -12868,7 +12833,7 @@ export class SafeguardManager {
|
|
|
12868
12833
|
title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
|
|
12869
12834
|
description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
|
|
12870
12835
|
implementationGroup: "IG1",
|
|
12871
|
-
assetType: ["
|
|
12836
|
+
assetType: ["Users"],
|
|
12872
12837
|
securityFunction: ["Protect"],
|
|
12873
12838
|
governanceElements: [ // Orange - MUST be met
|
|
12874
12839
|
"train workforce members on dangers of connecting to and transmitting data over insecure networks",
|
|
@@ -12982,7 +12947,7 @@ export class SafeguardManager {
|
|
|
12982
12947
|
title: "Conduct Role-Specific Security Awareness and Skills Training",
|
|
12983
12948
|
description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
|
|
12984
12949
|
implementationGroup: "IG2",
|
|
12985
|
-
assetType: ["
|
|
12950
|
+
assetType: ["Users"],
|
|
12986
12951
|
securityFunction: ["Protect"],
|
|
12987
12952
|
governanceElements: [ // Orange - MUST be met
|
|
12988
12953
|
"conduct role-specific security awareness and skills training",
|
|
@@ -13094,7 +13059,7 @@ export class SafeguardManager {
|
|
|
13094
13059
|
title: "Establish and Maintain an Inventory of Service Providers",
|
|
13095
13060
|
description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13096
13061
|
implementationGroup: "IG1",
|
|
13097
|
-
assetType: ["
|
|
13062
|
+
assetType: ["Users"],
|
|
13098
13063
|
securityFunction: ["Identify"],
|
|
13099
13064
|
governanceElements: [ // Orange - MUST be met
|
|
13100
13065
|
"establish and maintain an inventory of service providers",
|
|
@@ -13208,7 +13173,7 @@ export class SafeguardManager {
|
|
|
13208
13173
|
title: "Establish and Maintain a Service Provider Management Policy",
|
|
13209
13174
|
description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13210
13175
|
implementationGroup: "IG2",
|
|
13211
|
-
assetType: ["
|
|
13176
|
+
assetType: ["Users"],
|
|
13212
13177
|
securityFunction: ["Govern"],
|
|
13213
13178
|
governanceElements: [ // Orange - MUST be met
|
|
13214
13179
|
"establish and maintain a service provider management policy",
|
|
@@ -13327,7 +13292,7 @@ export class SafeguardManager {
|
|
|
13327
13292
|
title: "Classify Service Providers",
|
|
13328
13293
|
description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13329
13294
|
implementationGroup: "IG2",
|
|
13330
|
-
assetType: ["
|
|
13295
|
+
assetType: ["Users"],
|
|
13331
13296
|
securityFunction: ["Govern"],
|
|
13332
13297
|
governanceElements: [ // Orange - MUST be met
|
|
13333
13298
|
"classify service providers",
|
|
@@ -13444,7 +13409,7 @@ export class SafeguardManager {
|
|
|
13444
13409
|
title: "Ensure Service Provider Contracts Include Security Requirements",
|
|
13445
13410
|
description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
|
|
13446
13411
|
implementationGroup: "IG2",
|
|
13447
|
-
assetType: ["
|
|
13412
|
+
assetType: ["Users"],
|
|
13448
13413
|
securityFunction: ["Govern"],
|
|
13449
13414
|
governanceElements: [ // Orange - MUST be met
|
|
13450
13415
|
"ensure service provider contracts include security requirements",
|
|
@@ -13560,7 +13525,7 @@ export class SafeguardManager {
|
|
|
13560
13525
|
title: "Assess Service Providers",
|
|
13561
13526
|
description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
|
|
13562
13527
|
implementationGroup: "IG3",
|
|
13563
|
-
assetType: ["
|
|
13528
|
+
assetType: ["Users"],
|
|
13564
13529
|
securityFunction: ["Govern"],
|
|
13565
13530
|
governanceElements: [ // Orange - MUST be met
|
|
13566
13531
|
"assess service providers consistent with enterprise's service provider management policy",
|
|
@@ -14799,7 +14764,7 @@ export class SafeguardManager {
|
|
|
14799
14764
|
title: "Train Developers in Application Security Concepts and Secure Coding",
|
|
14800
14765
|
description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
|
|
14801
14766
|
implementationGroup: "IG2",
|
|
14802
|
-
assetType: ["
|
|
14767
|
+
assetType: ["Users"],
|
|
14803
14768
|
securityFunction: ["Protect"],
|
|
14804
14769
|
governanceElements: [ // Orange - MUST be met
|
|
14805
14770
|
"ensure that all software development personnel receive training in writing secure code",
|
|
@@ -15479,7 +15444,7 @@ export class SafeguardManager {
|
|
|
15479
15444
|
title: "Designate Personnel to Manage Incident Handling",
|
|
15480
15445
|
description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15481
15446
|
implementationGroup: "IG1",
|
|
15482
|
-
assetType: ["
|
|
15447
|
+
assetType: ["Users"],
|
|
15483
15448
|
securityFunction: ["Respond"],
|
|
15484
15449
|
governanceElements: [ // Orange - MUST be met
|
|
15485
15450
|
"designate one key person and at least one backup who will manage the enterprise's incident handling process",
|
|
@@ -15591,7 +15556,7 @@ export class SafeguardManager {
|
|
|
15591
15556
|
title: "Establish and Maintain Contact Information for Reporting Security Incidents",
|
|
15592
15557
|
description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
|
|
15593
15558
|
implementationGroup: "IG1",
|
|
15594
|
-
assetType: ["
|
|
15559
|
+
assetType: ["Users"],
|
|
15595
15560
|
securityFunction: ["Respond"],
|
|
15596
15561
|
governanceElements: [ // Orange - MUST be met
|
|
15597
15562
|
"establish and maintain contact information for reporting security incidents",
|
|
@@ -15701,7 +15666,7 @@ export class SafeguardManager {
|
|
|
15701
15666
|
title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
|
|
15702
15667
|
description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15703
15668
|
implementationGroup: "IG1",
|
|
15704
|
-
assetType: ["
|
|
15669
|
+
assetType: ["Users"],
|
|
15705
15670
|
securityFunction: ["Govern"],
|
|
15706
15671
|
governanceElements: [ // Orange - MUST be met
|
|
15707
15672
|
"establish and maintain a documented enterprise process for the workforce to report security incidents",
|
|
@@ -15813,7 +15778,7 @@ export class SafeguardManager {
|
|
|
15813
15778
|
title: "Establish and Maintain an Incident Response Process",
|
|
15814
15779
|
description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15815
15780
|
implementationGroup: "IG2",
|
|
15816
|
-
assetType: ["
|
|
15781
|
+
assetType: ["Users"],
|
|
15817
15782
|
securityFunction: ["Govern"],
|
|
15818
15783
|
governanceElements: [ // Orange - MUST be met
|
|
15819
15784
|
"establish and maintain a documented incident response process",
|
|
@@ -15922,7 +15887,7 @@ export class SafeguardManager {
|
|
|
15922
15887
|
title: "Assign Key Roles and Responsibilities",
|
|
15923
15888
|
description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15924
15889
|
implementationGroup: "IG2",
|
|
15925
|
-
assetType: ["
|
|
15890
|
+
assetType: ["Users"],
|
|
15926
15891
|
securityFunction: ["Respond"],
|
|
15927
15892
|
governanceElements: [ // Orange - MUST be met
|
|
15928
15893
|
"assign key roles and responsibilities for incident response",
|
|
@@ -16034,7 +15999,7 @@ export class SafeguardManager {
|
|
|
16034
15999
|
title: "Define Mechanisms for Communicating During Incident Response",
|
|
16035
16000
|
description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
16036
16001
|
implementationGroup: "IG2",
|
|
16037
|
-
assetType: ["
|
|
16002
|
+
assetType: ["Users"],
|
|
16038
16003
|
securityFunction: ["Respond"],
|
|
16039
16004
|
governanceElements: [ // Orange - MUST be met
|
|
16040
16005
|
"determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
|
|
@@ -16145,7 +16110,7 @@ export class SafeguardManager {
|
|
|
16145
16110
|
title: "Conduct Routine Incident Response Exercises",
|
|
16146
16111
|
description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
|
|
16147
16112
|
implementationGroup: "IG2",
|
|
16148
|
-
assetType: ["
|
|
16113
|
+
assetType: ["Users"],
|
|
16149
16114
|
securityFunction: ["Recover"],
|
|
16150
16115
|
governanceElements: [ // Orange - MUST be met
|
|
16151
16116
|
"plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
|
|
@@ -16256,7 +16221,7 @@ export class SafeguardManager {
|
|
|
16256
16221
|
title: "Conduct Post-Incident Reviews",
|
|
16257
16222
|
description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
|
|
16258
16223
|
implementationGroup: "IG2",
|
|
16259
|
-
assetType: ["
|
|
16224
|
+
assetType: ["Users"],
|
|
16260
16225
|
securityFunction: ["Recover"],
|
|
16261
16226
|
governanceElements: [ // Orange - MUST be met
|
|
16262
16227
|
"conduct post-incident reviews"
|
|
@@ -16363,7 +16328,7 @@ export class SafeguardManager {
|
|
|
16363
16328
|
title: "Establish and Maintain Security Incident Thresholds",
|
|
16364
16329
|
description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
16365
16330
|
implementationGroup: "IG3",
|
|
16366
|
-
assetType: ["
|
|
16331
|
+
assetType: ["Users"],
|
|
16367
16332
|
securityFunction: ["Recover"],
|
|
16368
16333
|
governanceElements: [ // Orange - MUST be met
|
|
16369
16334
|
"establish and maintain security incident thresholds",
|