framework-mcp 2.4.3 → 2.4.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -14
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +126 -195
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +5 -5
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/package.json +2 -2
- package/src/core/safeguard-manager.ts +118 -187
- package/src/interfaces/http/http-server.ts +5 -5
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +2 -2
- package/swagger.json +5 -5
|
@@ -1974,19 +1974,17 @@ export class SafeguardManager {
|
|
|
1974
1974
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
1975
1975
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1976
1976
|
implementationGroup: "IG1",
|
|
1977
|
-
assetType: ["
|
|
1977
|
+
assetType: ["Docuemntation"],
|
|
1978
1978
|
securityFunction: ["Govern"],
|
|
1979
1979
|
governanceElements: [
|
|
1980
1980
|
"Establish",
|
|
1981
1981
|
"Maintain",
|
|
1982
|
-
"Documented Secure Configuration Process",
|
|
1983
1982
|
"Review and update documentation",
|
|
1984
1983
|
"Annually",
|
|
1985
1984
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
1986
1985
|
],
|
|
1987
1986
|
coreRequirements: [
|
|
1988
|
-
"documented secure configuration process
|
|
1989
|
-
"documented secure configuration process for software"
|
|
1987
|
+
"documented secure configuration process"
|
|
1990
1988
|
],
|
|
1991
1989
|
subTaxonomicalElements: [
|
|
1992
1990
|
"Enterprise assets",
|
|
@@ -1996,12 +1994,9 @@ export class SafeguardManager {
|
|
|
1996
1994
|
"Portable",
|
|
1997
1995
|
"Non-computing/IoT devices",
|
|
1998
1996
|
"Servers",
|
|
1999
|
-
"OS"
|
|
2000
|
-
"Software"
|
|
1997
|
+
"OS"
|
|
2001
1998
|
],
|
|
2002
|
-
implementationSuggestions: [
|
|
2003
|
-
"Secure Configuration Policy / Process",
|
|
2004
|
-
"Configuration Management Tool"
|
|
1999
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2005
2000
|
],
|
|
2006
2001
|
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
|
|
2007
2002
|
systemPromptFull: {
|
|
@@ -2055,25 +2050,22 @@ export class SafeguardManager {
|
|
|
2055
2050
|
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
2056
2051
|
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2057
2052
|
implementationGroup: "IG1",
|
|
2058
|
-
assetType: ["
|
|
2053
|
+
assetType: ["Documentation"],
|
|
2059
2054
|
securityFunction: ["Govern"],
|
|
2060
2055
|
governanceElements: [
|
|
2061
2056
|
"Establish",
|
|
2062
2057
|
"Maintain",
|
|
2063
|
-
"Documented Secure Network Configuration Process",
|
|
2064
2058
|
"Review and update documentation",
|
|
2065
2059
|
"Annually",
|
|
2066
2060
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2067
2061
|
],
|
|
2068
2062
|
coreRequirements: [
|
|
2069
|
-
"documented secure configuration process
|
|
2063
|
+
"documented secure configuration process"
|
|
2070
2064
|
],
|
|
2071
2065
|
subTaxonomicalElements: [
|
|
2072
2066
|
"Network devices"
|
|
2073
2067
|
],
|
|
2074
|
-
implementationSuggestions: [
|
|
2075
|
-
"Secure Configuration Policy / Process",
|
|
2076
|
-
"Configuration Management Tool"
|
|
2068
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2077
2069
|
],
|
|
2078
2070
|
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
|
|
2079
2071
|
systemPromptFull: {
|
|
@@ -2127,7 +2119,7 @@ export class SafeguardManager {
|
|
|
2127
2119
|
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
2128
2120
|
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
2129
2121
|
implementationGroup: "IG1",
|
|
2130
|
-
assetType: ["
|
|
2122
|
+
assetType: ["Devices"],
|
|
2131
2123
|
securityFunction: ["Protect"],
|
|
2132
2124
|
governanceElements: [
|
|
2133
2125
|
"Configure",
|
|
@@ -2135,18 +2127,14 @@ export class SafeguardManager {
|
|
|
2135
2127
|
"Period must not exceed for 2 Minutes"
|
|
2136
2128
|
],
|
|
2137
2129
|
coreRequirements: [
|
|
2138
|
-
"automatic session locking on enterprise assets
|
|
2139
|
-
"general purpose operating systems",
|
|
2140
|
-
"mobile end-user devices"
|
|
2130
|
+
"automatic session locking on enterprise assets"
|
|
2141
2131
|
],
|
|
2142
2132
|
subTaxonomicalElements: [
|
|
2143
|
-
"Automatic Session Locking",
|
|
2144
2133
|
"Period of inactivity",
|
|
2145
2134
|
"General Purpose OSs",
|
|
2146
2135
|
"Mobile end-user devices"
|
|
2147
2136
|
],
|
|
2148
|
-
implementationSuggestions: [
|
|
2149
|
-
"Configuration Management Tool"
|
|
2137
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2150
2138
|
],
|
|
2151
2139
|
relatedSafeguards: ["4.1"],
|
|
2152
2140
|
systemPromptFull: {
|
|
@@ -2200,7 +2188,7 @@ export class SafeguardManager {
|
|
|
2200
2188
|
title: "Implement and Manage a Firewall on Servers",
|
|
2201
2189
|
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
2202
2190
|
implementationGroup: "IG1",
|
|
2203
|
-
assetType: ["
|
|
2191
|
+
assetType: ["Devices"],
|
|
2204
2192
|
securityFunction: ["Protect"],
|
|
2205
2193
|
governanceElements: [
|
|
2206
2194
|
"Implement",
|
|
@@ -2217,8 +2205,6 @@ export class SafeguardManager {
|
|
|
2217
2205
|
"Virtual Firewall",
|
|
2218
2206
|
"OS Firewall",
|
|
2219
2207
|
"Third Party Firewall",
|
|
2220
|
-
"Firewall",
|
|
2221
|
-
"Configuration Management Tool"
|
|
2222
2208
|
],
|
|
2223
2209
|
relatedSafeguards: ["4.1"],
|
|
2224
2210
|
systemPromptFull: {
|
|
@@ -2272,21 +2258,18 @@ export class SafeguardManager {
|
|
|
2272
2258
|
title: "Implement and Manage a Firewall on End-User Devices",
|
|
2273
2259
|
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
2274
2260
|
implementationGroup: "IG1",
|
|
2275
|
-
assetType: ["
|
|
2261
|
+
assetType: ["Devices"],
|
|
2276
2262
|
securityFunction: ["Protect"],
|
|
2277
2263
|
governanceElements: [
|
|
2278
2264
|
"Implement",
|
|
2279
|
-
"Manage"
|
|
2280
|
-
"Default deny rule that drops all traffic",
|
|
2281
|
-
"Except Explicitly Allowed"
|
|
2265
|
+
"Manage"
|
|
2282
2266
|
],
|
|
2283
2267
|
coreRequirements: [
|
|
2284
2268
|
"host-based firewall or port-filtering tool on end-user devices"
|
|
2285
2269
|
],
|
|
2286
2270
|
subTaxonomicalElements: [
|
|
2287
|
-
"
|
|
2288
|
-
"
|
|
2289
|
-
"End User Devices",
|
|
2271
|
+
"Default Deny Rule that drops all traffic",
|
|
2272
|
+
"Except Explicitly Allowed",
|
|
2290
2273
|
"Services",
|
|
2291
2274
|
"Ports"
|
|
2292
2275
|
],
|
|
@@ -2346,7 +2329,7 @@ export class SafeguardManager {
|
|
|
2346
2329
|
title: "Securely Manage Enterprise Assets and Software",
|
|
2347
2330
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
2348
2331
|
implementationGroup: "IG1",
|
|
2349
|
-
assetType: ["
|
|
2332
|
+
assetType: ["Devices"],
|
|
2350
2333
|
securityFunction: ["Protect"],
|
|
2351
2334
|
governanceElements: [
|
|
2352
2335
|
"Do not use insecure management protocols",
|
|
@@ -2356,16 +2339,14 @@ export class SafeguardManager {
|
|
|
2356
2339
|
"Securely manage enterprise assets and software"
|
|
2357
2340
|
],
|
|
2358
2341
|
subTaxonomicalElements: [
|
|
2359
|
-
"Securely manage enterprise assets and software"
|
|
2342
|
+
"Securely manage enterprise assets and software",
|
|
2343
|
+
"Do not use insecure management protocols unless operationally essential"
|
|
2360
2344
|
],
|
|
2361
2345
|
implementationSuggestions: [
|
|
2362
2346
|
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
2363
2347
|
"Accessing administrative interfaces over secure network protocols",
|
|
2364
|
-
"SSH",
|
|
2365
|
-
"HTTPS",
|
|
2366
|
-
"Telnet (Teletype Network)",
|
|
2367
|
-
"HTTP",
|
|
2368
|
-
"Configuration Management Tool"
|
|
2348
|
+
"SSH instead of TELNET",
|
|
2349
|
+
"HTTPS instead of HTTP",
|
|
2369
2350
|
],
|
|
2370
2351
|
relatedSafeguards: ["4.1", "12.3"],
|
|
2371
2352
|
systemPromptFull: {
|
|
@@ -2419,26 +2400,22 @@ export class SafeguardManager {
|
|
|
2419
2400
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
2420
2401
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
2421
2402
|
implementationGroup: "IG1",
|
|
2422
|
-
assetType: ["
|
|
2403
|
+
assetType: ["Users"],
|
|
2423
2404
|
securityFunction: ["Protect"],
|
|
2424
2405
|
governanceElements: [
|
|
2425
2406
|
"Manage"
|
|
2426
2407
|
],
|
|
2427
2408
|
coreRequirements: [
|
|
2428
|
-
"default accounts
|
|
2409
|
+
"default accounts"
|
|
2429
2410
|
],
|
|
2430
2411
|
subTaxonomicalElements: [
|
|
2431
|
-
"Default accounts",
|
|
2432
2412
|
"Enterprise assets",
|
|
2433
|
-
"Software"
|
|
2434
|
-
"Root",
|
|
2435
|
-
"Administrator",
|
|
2436
|
-
"Other pre-configured vendor accounts"
|
|
2413
|
+
"Software"
|
|
2437
2414
|
],
|
|
2438
2415
|
implementationSuggestions: [
|
|
2439
|
-
"Disabling",
|
|
2440
|
-
"Unusable",
|
|
2441
|
-
"
|
|
2416
|
+
"Disabling them",
|
|
2417
|
+
"making them Unusable",
|
|
2418
|
+
"Root, Administrator, or other pre-configured vendor accounts"
|
|
2442
2419
|
],
|
|
2443
2420
|
relatedSafeguards: ["4.1"],
|
|
2444
2421
|
systemPromptFull: {
|
|
@@ -2492,25 +2469,23 @@ export class SafeguardManager {
|
|
|
2492
2469
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
2493
2470
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
2494
2471
|
implementationGroup: "IG2",
|
|
2495
|
-
assetType: ["
|
|
2472
|
+
assetType: ["Devices", "Software"],
|
|
2496
2473
|
securityFunction: ["Protect"],
|
|
2497
2474
|
governanceElements: [
|
|
2498
2475
|
"Uninstall",
|
|
2499
2476
|
"Disable"
|
|
2500
2477
|
],
|
|
2501
2478
|
coreRequirements: [
|
|
2502
|
-
"unnecessary services
|
|
2479
|
+
"unnecessary services"
|
|
2503
2480
|
],
|
|
2504
2481
|
subTaxonomicalElements: [
|
|
2505
|
-
"Unnecessary Services",
|
|
2506
2482
|
"Enterprise assets",
|
|
2507
|
-
"Software"
|
|
2508
|
-
"Unused file sharing service",
|
|
2509
|
-
"Web application module",
|
|
2510
|
-
"Service function"
|
|
2483
|
+
"Software"
|
|
2511
2484
|
],
|
|
2512
2485
|
implementationSuggestions: [
|
|
2513
|
-
"
|
|
2486
|
+
"Unused File Sharing Services",
|
|
2487
|
+
"Web Application Module",
|
|
2488
|
+
"Service Function"
|
|
2514
2489
|
],
|
|
2515
2490
|
relatedSafeguards: ["4.1"],
|
|
2516
2491
|
systemPromptFull: {
|
|
@@ -2564,22 +2539,20 @@ export class SafeguardManager {
|
|
|
2564
2539
|
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
2565
2540
|
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
2566
2541
|
implementationGroup: "IG2",
|
|
2567
|
-
assetType: ["
|
|
2542
|
+
assetType: ["Devices"],
|
|
2568
2543
|
securityFunction: ["Protect"],
|
|
2569
2544
|
governanceElements: [
|
|
2570
2545
|
"Configure"
|
|
2571
2546
|
],
|
|
2572
2547
|
coreRequirements: [
|
|
2573
|
-
"trusted DNS servers
|
|
2548
|
+
"trusted DNS servers"
|
|
2574
2549
|
],
|
|
2575
2550
|
subTaxonomicalElements: [
|
|
2576
|
-
"Trusted DNS Servers",
|
|
2577
2551
|
"Enterprise assets"
|
|
2578
2552
|
],
|
|
2579
2553
|
implementationSuggestions: [
|
|
2580
2554
|
"Configuring assets to use enterprise-controlled DNS servers",
|
|
2581
|
-
"Reputable externally accessible DNS servers"
|
|
2582
|
-
"Configuration Management Tool"
|
|
2555
|
+
"Reputable externally accessible DNS servers"
|
|
2583
2556
|
],
|
|
2584
2557
|
relatedSafeguards: ["4.1", "8.6", "9.2"],
|
|
2585
2558
|
systemPromptFull: {
|
|
@@ -2633,7 +2606,7 @@ export class SafeguardManager {
|
|
|
2633
2606
|
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
2634
2607
|
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
2635
2608
|
implementationGroup: "IG2",
|
|
2636
|
-
assetType: ["
|
|
2609
|
+
assetType: ["Devices"],
|
|
2637
2610
|
securityFunction: ["Protect"],
|
|
2638
2611
|
governanceElements: [
|
|
2639
2612
|
"Enforce",
|
|
@@ -2642,14 +2615,13 @@ export class SafeguardManager {
|
|
|
2642
2615
|
"No more than 10 Failed Authentication Attempts"
|
|
2643
2616
|
],
|
|
2644
2617
|
coreRequirements: [
|
|
2645
|
-
"automatic device lockout
|
|
2618
|
+
"automatic device lockout"
|
|
2646
2619
|
],
|
|
2647
2620
|
subTaxonomicalElements: [
|
|
2648
|
-
"
|
|
2649
|
-
"
|
|
2650
|
-
"
|
|
2651
|
-
"
|
|
2652
|
-
"Tablets and smartphones"
|
|
2621
|
+
"After a Predetermined threshold of local failed authentication attempts",
|
|
2622
|
+
"On Portable end-user devices",
|
|
2623
|
+
"Such as Laptops",
|
|
2624
|
+
"Such as Tablets and smartphones"
|
|
2653
2625
|
],
|
|
2654
2626
|
implementationSuggestions: [
|
|
2655
2627
|
"Microsoft® InTune Device Lock",
|
|
@@ -2708,24 +2680,22 @@ export class SafeguardManager {
|
|
|
2708
2680
|
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
2709
2681
|
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
2710
2682
|
implementationGroup: "IG2",
|
|
2711
|
-
assetType: ["
|
|
2683
|
+
assetType: ["Devices"],
|
|
2712
2684
|
securityFunction: ["Protect"],
|
|
2713
2685
|
governanceElements: [
|
|
2714
2686
|
"When deemed appropriate"
|
|
2715
2687
|
],
|
|
2716
2688
|
coreRequirements: [
|
|
2717
|
-
"Remotely wipe enterprise data
|
|
2689
|
+
"Remotely wipe enterprise data"
|
|
2718
2690
|
],
|
|
2719
2691
|
subTaxonomicalElements: [
|
|
2720
|
-
"
|
|
2721
|
-
|
|
2692
|
+
"Portable end-user devices"
|
|
2693
|
+
],
|
|
2694
|
+
implementationSuggestions: [
|
|
2722
2695
|
"Lost devices",
|
|
2723
2696
|
"Stolen devices",
|
|
2724
2697
|
"When an individual no longer supports the enterprise"
|
|
2725
2698
|
],
|
|
2726
|
-
implementationSuggestions: [
|
|
2727
|
-
"Configuration Management Tool"
|
|
2728
|
-
],
|
|
2729
2699
|
relatedSafeguards: ["4.1"],
|
|
2730
2700
|
systemPromptFull: {
|
|
2731
2701
|
role: "Vendor Description Assistant and expert on CIS Controls",
|
|
@@ -2778,7 +2748,7 @@ export class SafeguardManager {
|
|
|
2778
2748
|
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
2779
2749
|
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
2780
2750
|
implementationGroup: "IG3",
|
|
2781
|
-
assetType: ["
|
|
2751
|
+
assetType: ["Data"],
|
|
2782
2752
|
securityFunction: ["Protect"],
|
|
2783
2753
|
governanceElements: [
|
|
2784
2754
|
"Ensure",
|
|
@@ -2788,17 +2758,12 @@ export class SafeguardManager {
|
|
|
2788
2758
|
"separate enterprise workspaces are used on mobile end-user devices"
|
|
2789
2759
|
],
|
|
2790
2760
|
subTaxonomicalElements: [
|
|
2791
|
-
"
|
|
2792
|
-
"
|
|
2793
|
-
"Enterprise Applications",
|
|
2794
|
-
"Enterprise Data",
|
|
2795
|
-
"Personal Applications",
|
|
2796
|
-
"Personal Data"
|
|
2761
|
+
"Enterprise Applications and Enterprise Data",
|
|
2762
|
+
"Seperate from Personal Applications and Personal Data"
|
|
2797
2763
|
],
|
|
2798
2764
|
implementationSuggestions: [
|
|
2799
2765
|
"Apple® Configuration Profile",
|
|
2800
|
-
"AndroidTM Work Profile"
|
|
2801
|
-
"Configuration Management Tool"
|
|
2766
|
+
"AndroidTM Work Profile"
|
|
2802
2767
|
],
|
|
2803
2768
|
relatedSafeguards: ["4.1"],
|
|
2804
2769
|
systemPromptFull: {
|
|
@@ -2852,36 +2817,26 @@ export class SafeguardManager {
|
|
|
2852
2817
|
title: "Establish and Maintain an Inventory of Accounts",
|
|
2853
2818
|
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
2854
2819
|
implementationGroup: "IG1",
|
|
2855
|
-
assetType: ["
|
|
2820
|
+
assetType: ["Users"],
|
|
2856
2821
|
securityFunction: ["Identify"],
|
|
2857
2822
|
governanceElements: [
|
|
2858
|
-
"Establish and maintain
|
|
2859
|
-
"
|
|
2860
|
-
"At a minimum, should contain the person's name, username, start/stop dates, and department",
|
|
2823
|
+
"Establish and maintain",
|
|
2824
|
+
"Must include",
|
|
2861
2825
|
"Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
|
|
2862
2826
|
],
|
|
2863
2827
|
coreRequirements: [
|
|
2864
2828
|
"Inventory of Accounts"
|
|
2865
2829
|
],
|
|
2866
2830
|
subTaxonomicalElements: [
|
|
2867
|
-
"Establish",
|
|
2868
|
-
"Maintain",
|
|
2869
|
-
"Validate that all active accounts are authorized",
|
|
2870
|
-
"Recurring schedule",
|
|
2871
|
-
"Must Include",
|
|
2872
|
-
"At a minimum",
|
|
2873
|
-
"Minimum Quarterly",
|
|
2874
|
-
"More Frequently",
|
|
2875
2831
|
"User Accounts",
|
|
2876
2832
|
"Administrator Accounts",
|
|
2833
|
+
"Service Accounts",
|
|
2877
2834
|
"Name",
|
|
2878
2835
|
"Username",
|
|
2879
2836
|
"Start Stop Dates",
|
|
2880
2837
|
"Department"
|
|
2881
2838
|
],
|
|
2882
|
-
implementationSuggestions: [
|
|
2883
|
-
"Account and Access Control Management",
|
|
2884
|
-
"Identity and Access Management Tool"
|
|
2839
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2885
2840
|
],
|
|
2886
2841
|
relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"],
|
|
2887
2842
|
systemPromptFull: {
|
|
@@ -2935,25 +2890,19 @@ export class SafeguardManager {
|
|
|
2935
2890
|
title: "Use Unique Passwords",
|
|
2936
2891
|
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
2937
2892
|
implementationGroup: "IG1",
|
|
2938
|
-
assetType: ["
|
|
2893
|
+
assetType: ["Users"],
|
|
2939
2894
|
securityFunction: ["Protect"],
|
|
2940
2895
|
governanceElements: [
|
|
2941
|
-
"Use
|
|
2942
|
-
"
|
|
2896
|
+
"Use",
|
|
2897
|
+
"At a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
|
|
2943
2898
|
],
|
|
2944
2899
|
coreRequirements: [
|
|
2945
2900
|
"Unique Passwords"
|
|
2946
2901
|
],
|
|
2947
2902
|
subTaxonomicalElements: [
|
|
2948
|
-
"
|
|
2949
|
-
"At a minimum",
|
|
2950
|
-
"All Enterprise Assets",
|
|
2951
|
-
"8-character password for accounts using MFA",
|
|
2952
|
-
"14-character password for accounts not using MFA"
|
|
2903
|
+
"All Enterprise Assets"
|
|
2953
2904
|
],
|
|
2954
|
-
implementationSuggestions: [
|
|
2955
|
-
"Account and Access Control Management",
|
|
2956
|
-
"Password Management Tool"
|
|
2905
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2957
2906
|
],
|
|
2958
2907
|
relatedSafeguards: ["5.1"],
|
|
2959
2908
|
systemPromptFull: {
|
|
@@ -3007,10 +2956,11 @@ export class SafeguardManager {
|
|
|
3007
2956
|
title: "Disable Dormant Accounts",
|
|
3008
2957
|
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
3009
2958
|
implementationGroup: "IG1",
|
|
3010
|
-
assetType: ["
|
|
2959
|
+
assetType: ["Users"],
|
|
3011
2960
|
securityFunction: ["Protect"],
|
|
3012
2961
|
governanceElements: [
|
|
3013
|
-
"
|
|
2962
|
+
"after a period of 45 days of inactivity",
|
|
2963
|
+
"where supported"
|
|
3014
2964
|
],
|
|
3015
2965
|
coreRequirements: [
|
|
3016
2966
|
"Dormant Accounts"
|
|
@@ -3021,9 +2971,7 @@ export class SafeguardManager {
|
|
|
3021
2971
|
"Period of 45 days of inactivity",
|
|
3022
2972
|
"Where Supported"
|
|
3023
2973
|
],
|
|
3024
|
-
implementationSuggestions: [
|
|
3025
|
-
"Account and Access Control Management",
|
|
3026
|
-
"Identity and Access Management Tool"
|
|
2974
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3027
2975
|
],
|
|
3028
2976
|
relatedSafeguards: ["5.1"],
|
|
3029
2977
|
systemPromptFull: {
|
|
@@ -3077,25 +3025,21 @@ export class SafeguardManager {
|
|
|
3077
3025
|
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
3078
3026
|
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
3079
3027
|
implementationGroup: "IG1",
|
|
3080
|
-
assetType: ["
|
|
3028
|
+
assetType: ["Users"],
|
|
3081
3029
|
securityFunction: ["Protect"],
|
|
3082
3030
|
governanceElements: [
|
|
3083
|
-
"Restrict
|
|
3084
|
-
"Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account"
|
|
3031
|
+
"Restrict"
|
|
3085
3032
|
],
|
|
3086
3033
|
coreRequirements: [
|
|
3087
3034
|
"Administrator Privileges",
|
|
3088
3035
|
"Dedicated Admin Accounts"
|
|
3089
3036
|
],
|
|
3090
3037
|
subTaxonomicalElements: [
|
|
3091
|
-
"Restrict",
|
|
3092
3038
|
"Enterprise assets",
|
|
3093
3039
|
"User's primary, non-privileged account",
|
|
3094
3040
|
"General Computing Activities"
|
|
3095
3041
|
],
|
|
3096
3042
|
implementationSuggestions: [
|
|
3097
|
-
"Account and Access Control Management",
|
|
3098
|
-
"Identity and Access Management Tool",
|
|
3099
3043
|
"Such as",
|
|
3100
3044
|
"Internet browsing",
|
|
3101
3045
|
"Email",
|
|
@@ -3153,32 +3097,23 @@ export class SafeguardManager {
|
|
|
3153
3097
|
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
3154
3098
|
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
3155
3099
|
implementationGroup: "IG2",
|
|
3156
|
-
assetType: ["
|
|
3100
|
+
assetType: ["Users"],
|
|
3157
3101
|
securityFunction: ["Identify"],
|
|
3158
3102
|
governanceElements: [
|
|
3159
|
-
"Establish and maintain
|
|
3160
|
-
"
|
|
3161
|
-
"Perform service account reviews to validate that all active accounts are authorized,
|
|
3103
|
+
"Establish and maintain",
|
|
3104
|
+
"at a minimum, must contain",
|
|
3105
|
+
"Perform service account reviews to validate that all active accounts are authorized",
|
|
3106
|
+
"recurring schedule at a minimum quarterly, or more frequently"
|
|
3162
3107
|
],
|
|
3163
3108
|
coreRequirements: [
|
|
3164
3109
|
"Inventory of Service Accounts"
|
|
3165
3110
|
],
|
|
3166
3111
|
subTaxonomicalElements: [
|
|
3167
|
-
"Establish",
|
|
3168
|
-
"Maintain",
|
|
3169
|
-
"At a Minimum Must Contain",
|
|
3170
|
-
"Perform service account reviews to validate that all active accounts are authorized",
|
|
3171
|
-
"On a recurring schedule",
|
|
3172
3112
|
"Department Owner",
|
|
3173
3113
|
"Review date",
|
|
3174
|
-
"Purpose"
|
|
3175
|
-
"At a minimum quarterly",
|
|
3176
|
-
"More frequently",
|
|
3177
|
-
"Or"
|
|
3114
|
+
"Purpose"
|
|
3178
3115
|
],
|
|
3179
|
-
implementationSuggestions: [
|
|
3180
|
-
"Account and Access Control Management",
|
|
3181
|
-
"Identity and Access Management Tool"
|
|
3116
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3182
3117
|
],
|
|
3183
3118
|
relatedSafeguards: ["5.1"],
|
|
3184
3119
|
systemPromptFull: {
|
|
@@ -3232,23 +3167,19 @@ export class SafeguardManager {
|
|
|
3232
3167
|
title: "Centralize Account Management",
|
|
3233
3168
|
description: "Centralize account management through a directory or identity service.",
|
|
3234
3169
|
implementationGroup: "IG2",
|
|
3235
|
-
assetType: ["
|
|
3170
|
+
assetType: ["Users"],
|
|
3236
3171
|
securityFunction: ["Govern"],
|
|
3237
3172
|
governanceElements: [
|
|
3238
|
-
"Centralize
|
|
3173
|
+
"Centralize"
|
|
3239
3174
|
],
|
|
3240
3175
|
coreRequirements: [
|
|
3241
3176
|
"Account Management"
|
|
3242
3177
|
],
|
|
3243
3178
|
subTaxonomicalElements: [
|
|
3244
|
-
"Centralize",
|
|
3245
3179
|
"Directory Service",
|
|
3246
|
-
"Identity Service"
|
|
3247
|
-
"Or"
|
|
3180
|
+
"Identity Service"
|
|
3248
3181
|
],
|
|
3249
|
-
implementationSuggestions: [
|
|
3250
|
-
"Account and Access Control Management",
|
|
3251
|
-
"Identity and Access Management Tool"
|
|
3182
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3252
3183
|
],
|
|
3253
3184
|
relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"],
|
|
3254
3185
|
systemPromptFull: {
|
|
@@ -3302,7 +3233,7 @@ export class SafeguardManager {
|
|
|
3302
3233
|
title: "Establish an Access Granting Process",
|
|
3303
3234
|
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
3304
3235
|
implementationGroup: "IG1",
|
|
3305
|
-
assetType: ["
|
|
3236
|
+
assetType: ["Users"],
|
|
3306
3237
|
securityFunction: ["Govern"],
|
|
3307
3238
|
governanceElements: [
|
|
3308
3239
|
"Establish",
|
|
@@ -3379,7 +3310,7 @@ export class SafeguardManager {
|
|
|
3379
3310
|
title: "Establish an Access Revoking Process",
|
|
3380
3311
|
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
3381
3312
|
implementationGroup: "IG1",
|
|
3382
|
-
assetType: ["
|
|
3313
|
+
assetType: ["Users"],
|
|
3383
3314
|
securityFunction: ["Govern"],
|
|
3384
3315
|
governanceElements: [
|
|
3385
3316
|
"Establish",
|
|
@@ -3461,7 +3392,7 @@ export class SafeguardManager {
|
|
|
3461
3392
|
title: "Require MFA for Externally-Exposed Applications",
|
|
3462
3393
|
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
3463
3394
|
implementationGroup: "IG1",
|
|
3464
|
-
assetType: ["
|
|
3395
|
+
assetType: ["Users"],
|
|
3465
3396
|
securityFunction: ["Protect"],
|
|
3466
3397
|
governanceElements: [
|
|
3467
3398
|
"Require",
|
|
@@ -3536,7 +3467,7 @@ export class SafeguardManager {
|
|
|
3536
3467
|
title: "Require MFA for Remote Network Access",
|
|
3537
3468
|
description: "Require MFA for remote network access.",
|
|
3538
3469
|
implementationGroup: "IG1",
|
|
3539
|
-
assetType: ["
|
|
3470
|
+
assetType: ["Users"],
|
|
3540
3471
|
securityFunction: ["Protect"],
|
|
3541
3472
|
governanceElements: [
|
|
3542
3473
|
"Require",
|
|
@@ -3606,7 +3537,7 @@ export class SafeguardManager {
|
|
|
3606
3537
|
title: "Require MFA for Administrative Access",
|
|
3607
3538
|
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
3608
3539
|
implementationGroup: "IG1",
|
|
3609
|
-
assetType: ["
|
|
3540
|
+
assetType: ["Users"],
|
|
3610
3541
|
securityFunction: ["Protect"],
|
|
3611
3542
|
governanceElements: [
|
|
3612
3543
|
"Require",
|
|
@@ -3759,7 +3690,7 @@ export class SafeguardManager {
|
|
|
3759
3690
|
title: "Centralize Access Control",
|
|
3760
3691
|
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
3761
3692
|
implementationGroup: "IG2",
|
|
3762
|
-
assetType: ["
|
|
3693
|
+
assetType: ["Users"],
|
|
3763
3694
|
securityFunction: ["Protect"],
|
|
3764
3695
|
governanceElements: [
|
|
3765
3696
|
"Centralize",
|
|
@@ -3837,7 +3768,7 @@ export class SafeguardManager {
|
|
|
3837
3768
|
title: "Define and Maintain Role-Based Access Control",
|
|
3838
3769
|
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
3839
3770
|
implementationGroup: "IG3",
|
|
3840
|
-
assetType: ["
|
|
3771
|
+
assetType: ["Users"],
|
|
3841
3772
|
securityFunction: ["Govern"],
|
|
3842
3773
|
governanceElements: [
|
|
3843
3774
|
"Define",
|
|
@@ -4087,7 +4018,7 @@ export class SafeguardManager {
|
|
|
4087
4018
|
title: "Perform Automated Operating System Patch Management",
|
|
4088
4019
|
description: "Perform automated operating system patch management on enterprise assets",
|
|
4089
4020
|
implementationGroup: "IG1",
|
|
4090
|
-
assetType: ["
|
|
4021
|
+
assetType: ["Devices"],
|
|
4091
4022
|
securityFunction: ["Protect"],
|
|
4092
4023
|
governanceElements: [
|
|
4093
4024
|
"perform automated OS patch management",
|
|
@@ -4251,7 +4182,7 @@ export class SafeguardManager {
|
|
|
4251
4182
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
4252
4183
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
4253
4184
|
implementationGroup: "IG2",
|
|
4254
|
-
assetType: ["
|
|
4185
|
+
assetType: ["Devices", "Software"],
|
|
4255
4186
|
securityFunction: ["Detect"],
|
|
4256
4187
|
governanceElements: [
|
|
4257
4188
|
"perform automated vulnerability scans",
|
|
@@ -4333,7 +4264,7 @@ export class SafeguardManager {
|
|
|
4333
4264
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
4334
4265
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
4335
4266
|
implementationGroup: "IG2",
|
|
4336
|
-
assetType: ["
|
|
4267
|
+
assetType: ["Devices", "Software"],
|
|
4337
4268
|
securityFunction: ["Detect"],
|
|
4338
4269
|
governanceElements: [
|
|
4339
4270
|
"perform automated vulnerability scans",
|
|
@@ -5429,7 +5360,7 @@ export class SafeguardManager {
|
|
|
5429
5360
|
title: "Use DNS Filtering Services",
|
|
5430
5361
|
description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
|
|
5431
5362
|
implementationGroup: "IG1",
|
|
5432
|
-
assetType: ["
|
|
5363
|
+
assetType: ["Devices", "network"],
|
|
5433
5364
|
securityFunction: ["Protect"],
|
|
5434
5365
|
governanceElements: [
|
|
5435
5366
|
"use DNS filtering services on all end-user devices",
|
|
@@ -5901,7 +5832,7 @@ export class SafeguardManager {
|
|
|
5901
5832
|
title: "Deploy and Maintain Anti-Malware Software",
|
|
5902
5833
|
description: "Deploy and maintain anti-malware software on all enterprise assets",
|
|
5903
5834
|
implementationGroup: "IG1",
|
|
5904
|
-
assetType: ["
|
|
5835
|
+
assetType: ["Devices"],
|
|
5905
5836
|
securityFunction: ["Detect"],
|
|
5906
5837
|
governanceElements: [
|
|
5907
5838
|
"deploy anti-malware software",
|
|
@@ -5980,7 +5911,7 @@ export class SafeguardManager {
|
|
|
5980
5911
|
title: "Configure Automatic Anti-Malware Signature Updates",
|
|
5981
5912
|
description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
|
|
5982
5913
|
implementationGroup: "IG1",
|
|
5983
|
-
assetType: ["
|
|
5914
|
+
assetType: ["Devices"],
|
|
5984
5915
|
securityFunction: ["Protect"],
|
|
5985
5916
|
governanceElements: [
|
|
5986
5917
|
"configure automatic updates",
|
|
@@ -6054,7 +5985,7 @@ export class SafeguardManager {
|
|
|
6054
5985
|
title: "Disable Autorun and Autoplay for Removable Media",
|
|
6055
5986
|
description: "Disable autorun and autoplay auto-execute functionality for removable media",
|
|
6056
5987
|
implementationGroup: "IG1",
|
|
6057
|
-
assetType: ["
|
|
5988
|
+
assetType: ["Devices"],
|
|
6058
5989
|
securityFunction: ["Protect"],
|
|
6059
5990
|
governanceElements: [
|
|
6060
5991
|
"disable autorun functionality",
|
|
@@ -6133,7 +6064,7 @@ export class SafeguardManager {
|
|
|
6133
6064
|
title: "Configure Automatic Anti-Malware Scanning of Removable Media",
|
|
6134
6065
|
description: "Configure anti-malware software to automatically scan removable media",
|
|
6135
6066
|
implementationGroup: "IG2",
|
|
6136
|
-
assetType: ["
|
|
6067
|
+
assetType: ["Devices"],
|
|
6137
6068
|
securityFunction: ["Detect"],
|
|
6138
6069
|
governanceElements: [
|
|
6139
6070
|
"configure anti-malware software",
|
|
@@ -6211,7 +6142,7 @@ export class SafeguardManager {
|
|
|
6211
6142
|
title: "Enable Anti-Exploitation Features",
|
|
6212
6143
|
description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
|
|
6213
6144
|
implementationGroup: "IG2",
|
|
6214
|
-
assetType: ["
|
|
6145
|
+
assetType: ["Devices"],
|
|
6215
6146
|
securityFunction: ["Protect"],
|
|
6216
6147
|
governanceElements: [
|
|
6217
6148
|
"enable anti-exploitation features",
|
|
@@ -6291,7 +6222,7 @@ export class SafeguardManager {
|
|
|
6291
6222
|
title: "Centrally Manage Anti-Malware Software",
|
|
6292
6223
|
description: "Centrally manage anti-malware software",
|
|
6293
6224
|
implementationGroup: "IG2",
|
|
6294
|
-
assetType: ["
|
|
6225
|
+
assetType: ["Devices"],
|
|
6295
6226
|
securityFunction: ["Protect"],
|
|
6296
6227
|
governanceElements: [
|
|
6297
6228
|
"centrally manage anti-malware",
|
|
@@ -6367,7 +6298,7 @@ export class SafeguardManager {
|
|
|
6367
6298
|
title: "Use Behavior-Based Anti-Malware Software",
|
|
6368
6299
|
description: "Use behavior-based anti-malware software",
|
|
6369
6300
|
implementationGroup: "IG2",
|
|
6370
|
-
assetType: ["
|
|
6301
|
+
assetType: ["Devices"],
|
|
6371
6302
|
securityFunction: ["Detect"],
|
|
6372
6303
|
governanceElements: [
|
|
6373
6304
|
"use behavior-based anti-malware",
|
|
@@ -7335,7 +7266,7 @@ export class SafeguardManager {
|
|
|
7335
7266
|
title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
|
|
7336
7267
|
description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
|
|
7337
7268
|
implementationGroup: "IG2",
|
|
7338
|
-
assetType: ["
|
|
7269
|
+
assetType: ["Devices"],
|
|
7339
7270
|
securityFunction: ["Protect"],
|
|
7340
7271
|
governanceElements: [
|
|
7341
7272
|
"require users to authenticate to enterprise-managed VPN",
|
|
@@ -7415,7 +7346,7 @@ export class SafeguardManager {
|
|
|
7415
7346
|
title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
|
|
7416
7347
|
description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
|
|
7417
7348
|
implementationGroup: "IG3",
|
|
7418
|
-
assetType: ["
|
|
7349
|
+
assetType: ["Devices"],
|
|
7419
7350
|
securityFunction: ["Protect"],
|
|
7420
7351
|
governanceElements: [
|
|
7421
7352
|
"establish dedicated computing resources for administrative work",
|
|
@@ -7497,7 +7428,7 @@ export class SafeguardManager {
|
|
|
7497
7428
|
title: "Centralize Security Event Alerting",
|
|
7498
7429
|
description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
|
|
7499
7430
|
implementationGroup: "IG2",
|
|
7500
|
-
assetType: ["network", "
|
|
7431
|
+
assetType: ["network", "Devices"],
|
|
7501
7432
|
securityFunction: ["Detect"],
|
|
7502
7433
|
governanceElements: [
|
|
7503
7434
|
"centralize security event alerting across enterprise assets",
|
|
@@ -7576,7 +7507,7 @@ export class SafeguardManager {
|
|
|
7576
7507
|
title: "Deploy a Host-Based Intrusion Detection Solution",
|
|
7577
7508
|
description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
|
|
7578
7509
|
implementationGroup: "IG2",
|
|
7579
|
-
assetType: ["
|
|
7510
|
+
assetType: ["Devices"],
|
|
7580
7511
|
securityFunction: ["Detect"],
|
|
7581
7512
|
governanceElements: [
|
|
7582
7513
|
"deploy host-based intrusion detection solution",
|
|
@@ -7802,7 +7733,7 @@ export class SafeguardManager {
|
|
|
7802
7733
|
title: "Manage Access Control for Remote Assets",
|
|
7803
7734
|
description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
|
|
7804
7735
|
implementationGroup: "IG2",
|
|
7805
|
-
assetType: ["
|
|
7736
|
+
assetType: ["Devices", "network"],
|
|
7806
7737
|
securityFunction: ["Protect"],
|
|
7807
7738
|
governanceElements: [
|
|
7808
7739
|
"manage access control for assets remotely connecting to enterprise networks",
|
|
@@ -7956,7 +7887,7 @@ export class SafeguardManager {
|
|
|
7956
7887
|
title: "Deploy a Host-Based Intrusion Prevention Solution",
|
|
7957
7888
|
description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
|
|
7958
7889
|
implementationGroup: "IG3",
|
|
7959
|
-
assetType: ["
|
|
7890
|
+
assetType: ["Devices"],
|
|
7960
7891
|
securityFunction: ["Respond"],
|
|
7961
7892
|
governanceElements: [
|
|
7962
7893
|
"deploy host-based intrusion prevention solution",
|
|
@@ -8257,7 +8188,7 @@ export class SafeguardManager {
|
|
|
8257
8188
|
title: "Tune Security Event Alerting Thresholds",
|
|
8258
8189
|
description: "Tune security event alerting thresholds monthly, or more frequently",
|
|
8259
8190
|
implementationGroup: "IG3",
|
|
8260
|
-
assetType: ["network", "
|
|
8191
|
+
assetType: ["network", "Devices"],
|
|
8261
8192
|
securityFunction: ["Detect"],
|
|
8262
8193
|
governanceElements: [
|
|
8263
8194
|
"tune security event alerting thresholds",
|
|
@@ -8331,7 +8262,7 @@ export class SafeguardManager {
|
|
|
8331
8262
|
title: "Establish and Maintain a Security Awareness Program",
|
|
8332
8263
|
description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
8333
8264
|
implementationGroup: "IG1",
|
|
8334
|
-
assetType: ["
|
|
8265
|
+
assetType: ["Users"],
|
|
8335
8266
|
securityFunction: ["Govern"],
|
|
8336
8267
|
governanceElements: [
|
|
8337
8268
|
"establish and maintain a security awareness program",
|
|
@@ -8413,7 +8344,7 @@ export class SafeguardManager {
|
|
|
8413
8344
|
title: "Train Workforce Members to Recognize Social Engineering Attacks",
|
|
8414
8345
|
description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
|
|
8415
8346
|
implementationGroup: "IG1",
|
|
8416
|
-
assetType: ["
|
|
8347
|
+
assetType: ["Users"],
|
|
8417
8348
|
securityFunction: ["Protect"],
|
|
8418
8349
|
governanceElements: [
|
|
8419
8350
|
"train workforce members to recognize social engineering attacks",
|
|
@@ -8492,7 +8423,7 @@ export class SafeguardManager {
|
|
|
8492
8423
|
title: "Train Workforce Members on Authentication Best Practices",
|
|
8493
8424
|
description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
|
|
8494
8425
|
implementationGroup: "IG1",
|
|
8495
|
-
assetType: ["
|
|
8426
|
+
assetType: ["Users"],
|
|
8496
8427
|
securityFunction: ["Protect"],
|
|
8497
8428
|
governanceElements: [
|
|
8498
8429
|
"train workforce members on authentication best practices",
|
|
@@ -8569,7 +8500,7 @@ export class SafeguardManager {
|
|
|
8569
8500
|
title: "Train Workforce on Data Handling Best Practices",
|
|
8570
8501
|
description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
|
|
8571
8502
|
implementationGroup: "IG1",
|
|
8572
|
-
assetType: ["
|
|
8503
|
+
assetType: ["Users"],
|
|
8573
8504
|
securityFunction: ["Protect"],
|
|
8574
8505
|
governanceElements: [
|
|
8575
8506
|
"train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
|
|
@@ -8654,7 +8585,7 @@ export class SafeguardManager {
|
|
|
8654
8585
|
title: "Train Workforce Members on Causes of Unintentional Data Exposure",
|
|
8655
8586
|
description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
|
|
8656
8587
|
implementationGroup: "IG1",
|
|
8657
|
-
assetType: ["
|
|
8588
|
+
assetType: ["Users"],
|
|
8658
8589
|
securityFunction: ["Protect"],
|
|
8659
8590
|
governanceElements: [
|
|
8660
8591
|
"train workforce members to be aware of causes for unintentional data exposure",
|
|
@@ -8731,7 +8662,7 @@ export class SafeguardManager {
|
|
|
8731
8662
|
title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
|
|
8732
8663
|
description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
|
|
8733
8664
|
implementationGroup: "IG1",
|
|
8734
|
-
assetType: ["
|
|
8665
|
+
assetType: ["Users"],
|
|
8735
8666
|
securityFunction: ["Protect"],
|
|
8736
8667
|
governanceElements: [
|
|
8737
8668
|
"train workforce members to be able to recognize a potential incident",
|
|
@@ -8806,7 +8737,7 @@ export class SafeguardManager {
|
|
|
8806
8737
|
title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
|
|
8807
8738
|
description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
|
|
8808
8739
|
implementationGroup: "IG1",
|
|
8809
|
-
assetType: ["
|
|
8740
|
+
assetType: ["Users"],
|
|
8810
8741
|
securityFunction: ["Protect"],
|
|
8811
8742
|
governanceElements: [
|
|
8812
8743
|
"train workforce to understand how to verify and report out-of-date software patches",
|
|
@@ -8887,7 +8818,7 @@ export class SafeguardManager {
|
|
|
8887
8818
|
title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
|
|
8888
8819
|
description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
|
|
8889
8820
|
implementationGroup: "IG1",
|
|
8890
|
-
assetType: ["
|
|
8821
|
+
assetType: ["Users"],
|
|
8891
8822
|
securityFunction: ["Protect"],
|
|
8892
8823
|
governanceElements: [
|
|
8893
8824
|
"train workforce members on dangers of connecting to and transmitting data over insecure networks",
|
|
@@ -8967,7 +8898,7 @@ export class SafeguardManager {
|
|
|
8967
8898
|
title: "Conduct Role-Specific Security Awareness and Skills Training",
|
|
8968
8899
|
description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
|
|
8969
8900
|
implementationGroup: "IG2",
|
|
8970
|
-
assetType: ["
|
|
8901
|
+
assetType: ["Users"],
|
|
8971
8902
|
securityFunction: ["Protect"],
|
|
8972
8903
|
governanceElements: [
|
|
8973
8904
|
"conduct role-specific security awareness and skills training",
|
|
@@ -9045,7 +8976,7 @@ export class SafeguardManager {
|
|
|
9045
8976
|
title: "Establish and Maintain an Inventory of Service Providers",
|
|
9046
8977
|
description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9047
8978
|
implementationGroup: "IG1",
|
|
9048
|
-
assetType: ["
|
|
8979
|
+
assetType: ["Users"],
|
|
9049
8980
|
securityFunction: ["Identify"],
|
|
9050
8981
|
governanceElements: [
|
|
9051
8982
|
"establish and maintain an inventory of service providers",
|
|
@@ -9125,7 +9056,7 @@ export class SafeguardManager {
|
|
|
9125
9056
|
title: "Establish and Maintain a Service Provider Management Policy",
|
|
9126
9057
|
description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9127
9058
|
implementationGroup: "IG2",
|
|
9128
|
-
assetType: ["
|
|
9059
|
+
assetType: ["Users"],
|
|
9129
9060
|
securityFunction: ["Govern"],
|
|
9130
9061
|
governanceElements: [
|
|
9131
9062
|
"establish and maintain a service provider management policy",
|
|
@@ -9210,7 +9141,7 @@ export class SafeguardManager {
|
|
|
9210
9141
|
title: "Classify Service Providers",
|
|
9211
9142
|
description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9212
9143
|
implementationGroup: "IG2",
|
|
9213
|
-
assetType: ["
|
|
9144
|
+
assetType: ["Users"],
|
|
9214
9145
|
securityFunction: ["Govern"],
|
|
9215
9146
|
governanceElements: [
|
|
9216
9147
|
"classify service providers",
|
|
@@ -9293,7 +9224,7 @@ export class SafeguardManager {
|
|
|
9293
9224
|
title: "Ensure Service Provider Contracts Include Security Requirements",
|
|
9294
9225
|
description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
|
|
9295
9226
|
implementationGroup: "IG2",
|
|
9296
|
-
assetType: ["
|
|
9227
|
+
assetType: ["Users"],
|
|
9297
9228
|
securityFunction: ["Govern"],
|
|
9298
9229
|
governanceElements: [
|
|
9299
9230
|
"ensure service provider contracts include security requirements",
|
|
@@ -9375,7 +9306,7 @@ export class SafeguardManager {
|
|
|
9375
9306
|
title: "Assess Service Providers",
|
|
9376
9307
|
description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
|
|
9377
9308
|
implementationGroup: "IG3",
|
|
9378
|
-
assetType: ["
|
|
9309
|
+
assetType: ["Users"],
|
|
9379
9310
|
securityFunction: ["Govern"],
|
|
9380
9311
|
governanceElements: [
|
|
9381
9312
|
"assess service providers consistent with enterprise's service provider management policy",
|
|
@@ -10240,7 +10171,7 @@ export class SafeguardManager {
|
|
|
10240
10171
|
title: "Train Developers in Application Security Concepts and Secure Coding",
|
|
10241
10172
|
description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
|
|
10242
10173
|
implementationGroup: "IG2",
|
|
10243
|
-
assetType: ["
|
|
10174
|
+
assetType: ["Users"],
|
|
10244
10175
|
securityFunction: ["Protect"],
|
|
10245
10176
|
governanceElements: [
|
|
10246
10177
|
"ensure that all software development personnel receive training in writing secure code",
|
|
@@ -10716,7 +10647,7 @@ export class SafeguardManager {
|
|
|
10716
10647
|
title: "Designate Personnel to Manage Incident Handling",
|
|
10717
10648
|
description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10718
10649
|
implementationGroup: "IG1",
|
|
10719
|
-
assetType: ["
|
|
10650
|
+
assetType: ["Users"],
|
|
10720
10651
|
securityFunction: ["Respond"],
|
|
10721
10652
|
governanceElements: [
|
|
10722
10653
|
"designate one key person and at least one backup who will manage the enterprise's incident handling process",
|
|
@@ -10794,7 +10725,7 @@ export class SafeguardManager {
|
|
|
10794
10725
|
title: "Establish and Maintain Contact Information for Reporting Security Incidents",
|
|
10795
10726
|
description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
|
|
10796
10727
|
implementationGroup: "IG1",
|
|
10797
|
-
assetType: ["
|
|
10728
|
+
assetType: ["Users"],
|
|
10798
10729
|
securityFunction: ["Respond"],
|
|
10799
10730
|
governanceElements: [
|
|
10800
10731
|
"establish and maintain contact information for reporting security incidents",
|
|
@@ -10870,7 +10801,7 @@ export class SafeguardManager {
|
|
|
10870
10801
|
title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
|
|
10871
10802
|
description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10872
10803
|
implementationGroup: "IG1",
|
|
10873
|
-
assetType: ["
|
|
10804
|
+
assetType: ["Users"],
|
|
10874
10805
|
securityFunction: ["Govern"],
|
|
10875
10806
|
governanceElements: [
|
|
10876
10807
|
"establish and maintain a documented enterprise process for the workforce to report security incidents",
|
|
@@ -10948,7 +10879,7 @@ export class SafeguardManager {
|
|
|
10948
10879
|
title: "Establish and Maintain an Incident Response Process",
|
|
10949
10880
|
description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
10950
10881
|
implementationGroup: "IG2",
|
|
10951
|
-
assetType: ["
|
|
10882
|
+
assetType: ["Users"],
|
|
10952
10883
|
securityFunction: ["Govern"],
|
|
10953
10884
|
governanceElements: [
|
|
10954
10885
|
"establish and maintain a documented incident response process",
|
|
@@ -11023,7 +10954,7 @@ export class SafeguardManager {
|
|
|
11023
10954
|
title: "Assign Key Roles and Responsibilities",
|
|
11024
10955
|
description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11025
10956
|
implementationGroup: "IG2",
|
|
11026
|
-
assetType: ["
|
|
10957
|
+
assetType: ["Users"],
|
|
11027
10958
|
securityFunction: ["Respond"],
|
|
11028
10959
|
governanceElements: [
|
|
11029
10960
|
"assign key roles and responsibilities for incident response",
|
|
@@ -11101,7 +11032,7 @@ export class SafeguardManager {
|
|
|
11101
11032
|
title: "Define Mechanisms for Communicating During Incident Response",
|
|
11102
11033
|
description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11103
11034
|
implementationGroup: "IG2",
|
|
11104
|
-
assetType: ["
|
|
11035
|
+
assetType: ["Users"],
|
|
11105
11036
|
securityFunction: ["Respond"],
|
|
11106
11037
|
governanceElements: [
|
|
11107
11038
|
"determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
|
|
@@ -11178,7 +11109,7 @@ export class SafeguardManager {
|
|
|
11178
11109
|
title: "Conduct Routine Incident Response Exercises",
|
|
11179
11110
|
description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
|
|
11180
11111
|
implementationGroup: "IG2",
|
|
11181
|
-
assetType: ["
|
|
11112
|
+
assetType: ["Users"],
|
|
11182
11113
|
securityFunction: ["Recover"],
|
|
11183
11114
|
governanceElements: [
|
|
11184
11115
|
"plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
|
|
@@ -11255,7 +11186,7 @@ export class SafeguardManager {
|
|
|
11255
11186
|
title: "Conduct Post-Incident Reviews",
|
|
11256
11187
|
description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
|
|
11257
11188
|
implementationGroup: "IG2",
|
|
11258
|
-
assetType: ["
|
|
11189
|
+
assetType: ["Users"],
|
|
11259
11190
|
securityFunction: ["Recover"],
|
|
11260
11191
|
governanceElements: [
|
|
11261
11192
|
"conduct post-incident reviews"
|
|
@@ -11328,7 +11259,7 @@ export class SafeguardManager {
|
|
|
11328
11259
|
title: "Establish and Maintain Security Incident Thresholds",
|
|
11329
11260
|
description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
11330
11261
|
implementationGroup: "IG3",
|
|
11331
|
-
assetType: ["
|
|
11262
|
+
assetType: ["Users"],
|
|
11332
11263
|
securityFunction: ["Recover"],
|
|
11333
11264
|
governanceElements: [
|
|
11334
11265
|
"establish and maintain security incident thresholds",
|