framework-mcp 2.4.3 → 2.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1974,19 +1974,17 @@ export class SafeguardManager {
1974
1974
  title: "Establish and Maintain a Secure Configuration Process",
1975
1975
  description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1976
1976
  implementationGroup: "IG1",
1977
- assetType: ["end-user devices", "network devices", "IoT devices", "servers", "Software"],
1977
+ assetType: ["Docuemntation"],
1978
1978
  securityFunction: ["Govern"],
1979
1979
  governanceElements: [
1980
1980
  "Establish",
1981
1981
  "Maintain",
1982
- "Documented Secure Configuration Process",
1983
1982
  "Review and update documentation",
1984
1983
  "Annually",
1985
1984
  "When significant enterprise changes occur that could impact this Safeguard"
1986
1985
  ],
1987
1986
  coreRequirements: [
1988
- "documented secure configuration process for enterprise assets",
1989
- "documented secure configuration process for software"
1987
+ "documented secure configuration process"
1990
1988
  ],
1991
1989
  subTaxonomicalElements: [
1992
1990
  "Enterprise assets",
@@ -1996,12 +1994,9 @@ export class SafeguardManager {
1996
1994
  "Portable",
1997
1995
  "Non-computing/IoT devices",
1998
1996
  "Servers",
1999
- "OS",
2000
- "Software"
1997
+ "OS"
2001
1998
  ],
2002
- implementationSuggestions: [
2003
- "Secure Configuration Policy / Process",
2004
- "Configuration Management Tool"
1999
+ implementationSuggestions: [ // Gray - Implementation suggestions
2005
2000
  ],
2006
2001
  relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
2007
2002
  systemPromptFull: {
@@ -2055,25 +2050,22 @@ export class SafeguardManager {
2055
2050
  title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
2056
2051
  description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
2057
2052
  implementationGroup: "IG1",
2058
- assetType: ["network devices"],
2053
+ assetType: ["Documentation"],
2059
2054
  securityFunction: ["Govern"],
2060
2055
  governanceElements: [
2061
2056
  "Establish",
2062
2057
  "Maintain",
2063
- "Documented Secure Network Configuration Process",
2064
2058
  "Review and update documentation",
2065
2059
  "Annually",
2066
2060
  "When significant enterprise changes occur that could impact this Safeguard"
2067
2061
  ],
2068
2062
  coreRequirements: [
2069
- "documented secure configuration process for network devices"
2063
+ "documented secure configuration process"
2070
2064
  ],
2071
2065
  subTaxonomicalElements: [
2072
2066
  "Network devices"
2073
2067
  ],
2074
- implementationSuggestions: [
2075
- "Secure Configuration Policy / Process",
2076
- "Configuration Management Tool"
2068
+ implementationSuggestions: [ // Gray - Implementation suggestions
2077
2069
  ],
2078
2070
  relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
2079
2071
  systemPromptFull: {
@@ -2127,7 +2119,7 @@ export class SafeguardManager {
2127
2119
  title: "Configure Automatic Session Locking on Enterprise Assets",
2128
2120
  description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
2129
2121
  implementationGroup: "IG1",
2130
- assetType: ["devices"],
2122
+ assetType: ["Devices"],
2131
2123
  securityFunction: ["Protect"],
2132
2124
  governanceElements: [
2133
2125
  "Configure",
@@ -2135,18 +2127,14 @@ export class SafeguardManager {
2135
2127
  "Period must not exceed for 2 Minutes"
2136
2128
  ],
2137
2129
  coreRequirements: [
2138
- "automatic session locking on enterprise assets after a defined period of inactivity",
2139
- "general purpose operating systems",
2140
- "mobile end-user devices"
2130
+ "automatic session locking on enterprise assets"
2141
2131
  ],
2142
2132
  subTaxonomicalElements: [
2143
- "Automatic Session Locking",
2144
2133
  "Period of inactivity",
2145
2134
  "General Purpose OSs",
2146
2135
  "Mobile end-user devices"
2147
2136
  ],
2148
- implementationSuggestions: [
2149
- "Configuration Management Tool"
2137
+ implementationSuggestions: [ // Gray - Implementation suggestions
2150
2138
  ],
2151
2139
  relatedSafeguards: ["4.1"],
2152
2140
  systemPromptFull: {
@@ -2200,7 +2188,7 @@ export class SafeguardManager {
2200
2188
  title: "Implement and Manage a Firewall on Servers",
2201
2189
  description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
2202
2190
  implementationGroup: "IG1",
2203
- assetType: ["devices"],
2191
+ assetType: ["Devices"],
2204
2192
  securityFunction: ["Protect"],
2205
2193
  governanceElements: [
2206
2194
  "Implement",
@@ -2217,8 +2205,6 @@ export class SafeguardManager {
2217
2205
  "Virtual Firewall",
2218
2206
  "OS Firewall",
2219
2207
  "Third Party Firewall",
2220
- "Firewall",
2221
- "Configuration Management Tool"
2222
2208
  ],
2223
2209
  relatedSafeguards: ["4.1"],
2224
2210
  systemPromptFull: {
@@ -2272,21 +2258,18 @@ export class SafeguardManager {
2272
2258
  title: "Implement and Manage a Firewall on End-User Devices",
2273
2259
  description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
2274
2260
  implementationGroup: "IG1",
2275
- assetType: ["devices"],
2261
+ assetType: ["Devices"],
2276
2262
  securityFunction: ["Protect"],
2277
2263
  governanceElements: [
2278
2264
  "Implement",
2279
- "Manage",
2280
- "Default deny rule that drops all traffic",
2281
- "Except Explicitly Allowed"
2265
+ "Manage"
2282
2266
  ],
2283
2267
  coreRequirements: [
2284
2268
  "host-based firewall or port-filtering tool on end-user devices"
2285
2269
  ],
2286
2270
  subTaxonomicalElements: [
2287
- "Host-based Firewall",
2288
- "Port Filtering Tool",
2289
- "End User Devices",
2271
+ "Default Deny Rule that drops all traffic",
2272
+ "Except Explicitly Allowed",
2290
2273
  "Services",
2291
2274
  "Ports"
2292
2275
  ],
@@ -2346,7 +2329,7 @@ export class SafeguardManager {
2346
2329
  title: "Securely Manage Enterprise Assets and Software",
2347
2330
  description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
2348
2331
  implementationGroup: "IG1",
2349
- assetType: ["devices", "Software"],
2332
+ assetType: ["Devices"],
2350
2333
  securityFunction: ["Protect"],
2351
2334
  governanceElements: [
2352
2335
  "Do not use insecure management protocols",
@@ -2356,16 +2339,14 @@ export class SafeguardManager {
2356
2339
  "Securely manage enterprise assets and software"
2357
2340
  ],
2358
2341
  subTaxonomicalElements: [
2359
- "Securely manage enterprise assets and software"
2342
+ "Securely manage enterprise assets and software",
2343
+ "Do not use insecure management protocols unless operationally essential"
2360
2344
  ],
2361
2345
  implementationSuggestions: [
2362
2346
  "Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
2363
2347
  "Accessing administrative interfaces over secure network protocols",
2364
- "SSH",
2365
- "HTTPS",
2366
- "Telnet (Teletype Network)",
2367
- "HTTP",
2368
- "Configuration Management Tool"
2348
+ "SSH instead of TELNET",
2349
+ "HTTPS instead of HTTP",
2369
2350
  ],
2370
2351
  relatedSafeguards: ["4.1", "12.3"],
2371
2352
  systemPromptFull: {
@@ -2419,26 +2400,22 @@ export class SafeguardManager {
2419
2400
  title: "Manage Default Accounts on Enterprise Assets and Software",
2420
2401
  description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
2421
2402
  implementationGroup: "IG1",
2422
- assetType: ["devices", "Software", "users"],
2403
+ assetType: ["Users"],
2423
2404
  securityFunction: ["Protect"],
2424
2405
  governanceElements: [
2425
2406
  "Manage"
2426
2407
  ],
2427
2408
  coreRequirements: [
2428
- "default accounts on enterprise assets and software"
2409
+ "default accounts"
2429
2410
  ],
2430
2411
  subTaxonomicalElements: [
2431
- "Default accounts",
2432
2412
  "Enterprise assets",
2433
- "Software",
2434
- "Root",
2435
- "Administrator",
2436
- "Other pre-configured vendor accounts"
2413
+ "Software"
2437
2414
  ],
2438
2415
  implementationSuggestions: [
2439
- "Disabling",
2440
- "Unusable",
2441
- "Configuration Management Tool"
2416
+ "Disabling them",
2417
+ "making them Unusable",
2418
+ "Root, Administrator, or other pre-configured vendor accounts"
2442
2419
  ],
2443
2420
  relatedSafeguards: ["4.1"],
2444
2421
  systemPromptFull: {
@@ -2492,25 +2469,23 @@ export class SafeguardManager {
2492
2469
  title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
2493
2470
  description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
2494
2471
  implementationGroup: "IG2",
2495
- assetType: ["devices", "Software"],
2472
+ assetType: ["Devices", "Software"],
2496
2473
  securityFunction: ["Protect"],
2497
2474
  governanceElements: [
2498
2475
  "Uninstall",
2499
2476
  "Disable"
2500
2477
  ],
2501
2478
  coreRequirements: [
2502
- "unnecessary services on enterprise assets and software"
2479
+ "unnecessary services"
2503
2480
  ],
2504
2481
  subTaxonomicalElements: [
2505
- "Unnecessary Services",
2506
2482
  "Enterprise assets",
2507
- "Software",
2508
- "Unused file sharing service",
2509
- "Web application module",
2510
- "Service function"
2483
+ "Software"
2511
2484
  ],
2512
2485
  implementationSuggestions: [
2513
- "Configuration Management Tool"
2486
+ "Unused File Sharing Services",
2487
+ "Web Application Module",
2488
+ "Service Function"
2514
2489
  ],
2515
2490
  relatedSafeguards: ["4.1"],
2516
2491
  systemPromptFull: {
@@ -2564,22 +2539,20 @@ export class SafeguardManager {
2564
2539
  title: "Configure Trusted DNS Servers on Enterprise Assets",
2565
2540
  description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
2566
2541
  implementationGroup: "IG2",
2567
- assetType: ["devices"],
2542
+ assetType: ["Devices"],
2568
2543
  securityFunction: ["Protect"],
2569
2544
  governanceElements: [
2570
2545
  "Configure"
2571
2546
  ],
2572
2547
  coreRequirements: [
2573
- "trusted DNS servers on enterprise assets"
2548
+ "trusted DNS servers"
2574
2549
  ],
2575
2550
  subTaxonomicalElements: [
2576
- "Trusted DNS Servers",
2577
2551
  "Enterprise assets"
2578
2552
  ],
2579
2553
  implementationSuggestions: [
2580
2554
  "Configuring assets to use enterprise-controlled DNS servers",
2581
- "Reputable externally accessible DNS servers",
2582
- "Configuration Management Tool"
2555
+ "Reputable externally accessible DNS servers"
2583
2556
  ],
2584
2557
  relatedSafeguards: ["4.1", "8.6", "9.2"],
2585
2558
  systemPromptFull: {
@@ -2633,7 +2606,7 @@ export class SafeguardManager {
2633
2606
  title: "Enforce Automatic Device Lockout on Portable End-User Devices",
2634
2607
  description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
2635
2608
  implementationGroup: "IG2",
2636
- assetType: ["devices"],
2609
+ assetType: ["Devices"],
2637
2610
  securityFunction: ["Protect"],
2638
2611
  governanceElements: [
2639
2612
  "Enforce",
@@ -2642,14 +2615,13 @@ export class SafeguardManager {
2642
2615
  "No more than 10 Failed Authentication Attempts"
2643
2616
  ],
2644
2617
  coreRequirements: [
2645
- "automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices"
2618
+ "automatic device lockout"
2646
2619
  ],
2647
2620
  subTaxonomicalElements: [
2648
- "Automatic Device Lockout",
2649
- "Predetermined threshold of local failed authentication attempts",
2650
- "Portable end-user devices",
2651
- "Laptops",
2652
- "Tablets and smartphones"
2621
+ "After a Predetermined threshold of local failed authentication attempts",
2622
+ "On Portable end-user devices",
2623
+ "Such as Laptops",
2624
+ "Such as Tablets and smartphones"
2653
2625
  ],
2654
2626
  implementationSuggestions: [
2655
2627
  "Microsoft® InTune Device Lock",
@@ -2708,24 +2680,22 @@ export class SafeguardManager {
2708
2680
  title: "Enforce Remote Wipe Capability on Portable End-User Devices",
2709
2681
  description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
2710
2682
  implementationGroup: "IG2",
2711
- assetType: ["devices"],
2683
+ assetType: ["Devices"],
2712
2684
  securityFunction: ["Protect"],
2713
2685
  governanceElements: [
2714
2686
  "When deemed appropriate"
2715
2687
  ],
2716
2688
  coreRequirements: [
2717
- "Remotely wipe enterprise data from enterprise-owned portable end-user devices"
2689
+ "Remotely wipe enterprise data"
2718
2690
  ],
2719
2691
  subTaxonomicalElements: [
2720
- "Remotely Wipe enterprise data",
2721
- "Portable end-user devices",
2692
+ "Portable end-user devices"
2693
+ ],
2694
+ implementationSuggestions: [
2722
2695
  "Lost devices",
2723
2696
  "Stolen devices",
2724
2697
  "When an individual no longer supports the enterprise"
2725
2698
  ],
2726
- implementationSuggestions: [
2727
- "Configuration Management Tool"
2728
- ],
2729
2699
  relatedSafeguards: ["4.1"],
2730
2700
  systemPromptFull: {
2731
2701
  role: "Vendor Description Assistant and expert on CIS Controls",
@@ -2778,7 +2748,7 @@ export class SafeguardManager {
2778
2748
  title: "Separate Enterprise Workspaces on Mobile End-User Devices",
2779
2749
  description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
2780
2750
  implementationGroup: "IG3",
2781
- assetType: ["devices", "Data"],
2751
+ assetType: ["Data"],
2782
2752
  securityFunction: ["Protect"],
2783
2753
  governanceElements: [
2784
2754
  "Ensure",
@@ -2788,17 +2758,12 @@ export class SafeguardManager {
2788
2758
  "separate enterprise workspaces are used on mobile end-user devices"
2789
2759
  ],
2790
2760
  subTaxonomicalElements: [
2791
- "Separate enterprise workspaces",
2792
- "On Mobile Devices",
2793
- "Enterprise Applications",
2794
- "Enterprise Data",
2795
- "Personal Applications",
2796
- "Personal Data"
2761
+ "Enterprise Applications and Enterprise Data",
2762
+ "Seperate from Personal Applications and Personal Data"
2797
2763
  ],
2798
2764
  implementationSuggestions: [
2799
2765
  "Apple® Configuration Profile",
2800
- "AndroidTM Work Profile",
2801
- "Configuration Management Tool"
2766
+ "AndroidTM Work Profile"
2802
2767
  ],
2803
2768
  relatedSafeguards: ["4.1"],
2804
2769
  systemPromptFull: {
@@ -2852,36 +2817,26 @@ export class SafeguardManager {
2852
2817
  title: "Establish and Maintain an Inventory of Accounts",
2853
2818
  description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
2854
2819
  implementationGroup: "IG1",
2855
- assetType: ["users"],
2820
+ assetType: ["Users"],
2856
2821
  securityFunction: ["Identify"],
2857
2822
  governanceElements: [
2858
- "Establish and maintain an inventory of all accounts managed in the enterprise",
2859
- "The inventory must include both user and administrator accounts",
2860
- "At a minimum, should contain the person's name, username, start/stop dates, and department",
2823
+ "Establish and maintain",
2824
+ "Must include",
2861
2825
  "Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
2862
2826
  ],
2863
2827
  coreRequirements: [
2864
2828
  "Inventory of Accounts"
2865
2829
  ],
2866
2830
  subTaxonomicalElements: [
2867
- "Establish",
2868
- "Maintain",
2869
- "Validate that all active accounts are authorized",
2870
- "Recurring schedule",
2871
- "Must Include",
2872
- "At a minimum",
2873
- "Minimum Quarterly",
2874
- "More Frequently",
2875
2831
  "User Accounts",
2876
2832
  "Administrator Accounts",
2833
+ "Service Accounts",
2877
2834
  "Name",
2878
2835
  "Username",
2879
2836
  "Start Stop Dates",
2880
2837
  "Department"
2881
2838
  ],
2882
- implementationSuggestions: [
2883
- "Account and Access Control Management",
2884
- "Identity and Access Management Tool"
2839
+ implementationSuggestions: [ // Gray - Implementation suggestions
2885
2840
  ],
2886
2841
  relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"],
2887
2842
  systemPromptFull: {
@@ -2935,25 +2890,19 @@ export class SafeguardManager {
2935
2890
  title: "Use Unique Passwords",
2936
2891
  description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
2937
2892
  implementationGroup: "IG1",
2938
- assetType: ["users"],
2893
+ assetType: ["Users"],
2939
2894
  securityFunction: ["Protect"],
2940
2895
  governanceElements: [
2941
- "Use unique passwords for all enterprise assets",
2942
- "Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
2896
+ "Use",
2897
+ "At a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
2943
2898
  ],
2944
2899
  coreRequirements: [
2945
2900
  "Unique Passwords"
2946
2901
  ],
2947
2902
  subTaxonomicalElements: [
2948
- "Use",
2949
- "At a minimum",
2950
- "All Enterprise Assets",
2951
- "8-character password for accounts using MFA",
2952
- "14-character password for accounts not using MFA"
2903
+ "All Enterprise Assets"
2953
2904
  ],
2954
- implementationSuggestions: [
2955
- "Account and Access Control Management",
2956
- "Password Management Tool"
2905
+ implementationSuggestions: [ // Gray - Implementation suggestions
2957
2906
  ],
2958
2907
  relatedSafeguards: ["5.1"],
2959
2908
  systemPromptFull: {
@@ -3007,10 +2956,11 @@ export class SafeguardManager {
3007
2956
  title: "Disable Dormant Accounts",
3008
2957
  description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
3009
2958
  implementationGroup: "IG1",
3010
- assetType: ["users"],
2959
+ assetType: ["Users"],
3011
2960
  securityFunction: ["Protect"],
3012
2961
  governanceElements: [
3013
- "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
2962
+ "after a period of 45 days of inactivity",
2963
+ "where supported"
3014
2964
  ],
3015
2965
  coreRequirements: [
3016
2966
  "Dormant Accounts"
@@ -3021,9 +2971,7 @@ export class SafeguardManager {
3021
2971
  "Period of 45 days of inactivity",
3022
2972
  "Where Supported"
3023
2973
  ],
3024
- implementationSuggestions: [
3025
- "Account and Access Control Management",
3026
- "Identity and Access Management Tool"
2974
+ implementationSuggestions: [ // Gray - Implementation suggestions
3027
2975
  ],
3028
2976
  relatedSafeguards: ["5.1"],
3029
2977
  systemPromptFull: {
@@ -3077,25 +3025,21 @@ export class SafeguardManager {
3077
3025
  title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
3078
3026
  description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
3079
3027
  implementationGroup: "IG1",
3080
- assetType: ["users"],
3028
+ assetType: ["Users"],
3081
3029
  securityFunction: ["Protect"],
3082
3030
  governanceElements: [
3083
- "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
3084
- "Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account"
3031
+ "Restrict"
3085
3032
  ],
3086
3033
  coreRequirements: [
3087
3034
  "Administrator Privileges",
3088
3035
  "Dedicated Admin Accounts"
3089
3036
  ],
3090
3037
  subTaxonomicalElements: [
3091
- "Restrict",
3092
3038
  "Enterprise assets",
3093
3039
  "User's primary, non-privileged account",
3094
3040
  "General Computing Activities"
3095
3041
  ],
3096
3042
  implementationSuggestions: [
3097
- "Account and Access Control Management",
3098
- "Identity and Access Management Tool",
3099
3043
  "Such as",
3100
3044
  "Internet browsing",
3101
3045
  "Email",
@@ -3153,32 +3097,23 @@ export class SafeguardManager {
3153
3097
  title: "Establish and Maintain an Inventory of Service Accounts",
3154
3098
  description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
3155
3099
  implementationGroup: "IG2",
3156
- assetType: ["users"],
3100
+ assetType: ["Users"],
3157
3101
  securityFunction: ["Identify"],
3158
3102
  governanceElements: [
3159
- "Establish and maintain an inventory of service accounts",
3160
- "The inventory, at a minimum, must contain department owner, review date, and purpose",
3161
- "Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
3103
+ "Establish and maintain",
3104
+ "at a minimum, must contain",
3105
+ "Perform service account reviews to validate that all active accounts are authorized",
3106
+ "recurring schedule at a minimum quarterly, or more frequently"
3162
3107
  ],
3163
3108
  coreRequirements: [
3164
3109
  "Inventory of Service Accounts"
3165
3110
  ],
3166
3111
  subTaxonomicalElements: [
3167
- "Establish",
3168
- "Maintain",
3169
- "At a Minimum Must Contain",
3170
- "Perform service account reviews to validate that all active accounts are authorized",
3171
- "On a recurring schedule",
3172
3112
  "Department Owner",
3173
3113
  "Review date",
3174
- "Purpose",
3175
- "At a minimum quarterly",
3176
- "More frequently",
3177
- "Or"
3114
+ "Purpose"
3178
3115
  ],
3179
- implementationSuggestions: [
3180
- "Account and Access Control Management",
3181
- "Identity and Access Management Tool"
3116
+ implementationSuggestions: [ // Gray - Implementation suggestions
3182
3117
  ],
3183
3118
  relatedSafeguards: ["5.1"],
3184
3119
  systemPromptFull: {
@@ -3232,23 +3167,19 @@ export class SafeguardManager {
3232
3167
  title: "Centralize Account Management",
3233
3168
  description: "Centralize account management through a directory or identity service.",
3234
3169
  implementationGroup: "IG2",
3235
- assetType: ["users"],
3170
+ assetType: ["Users"],
3236
3171
  securityFunction: ["Govern"],
3237
3172
  governanceElements: [
3238
- "Centralize account management through a directory or identity service"
3173
+ "Centralize"
3239
3174
  ],
3240
3175
  coreRequirements: [
3241
3176
  "Account Management"
3242
3177
  ],
3243
3178
  subTaxonomicalElements: [
3244
- "Centralize",
3245
3179
  "Directory Service",
3246
- "Identity Service",
3247
- "Or"
3180
+ "Identity Service"
3248
3181
  ],
3249
- implementationSuggestions: [
3250
- "Account and Access Control Management",
3251
- "Identity and Access Management Tool"
3182
+ implementationSuggestions: [ // Gray - Implementation suggestions
3252
3183
  ],
3253
3184
  relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"],
3254
3185
  systemPromptFull: {
@@ -3302,7 +3233,7 @@ export class SafeguardManager {
3302
3233
  title: "Establish an Access Granting Process",
3303
3234
  description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
3304
3235
  implementationGroup: "IG1",
3305
- assetType: ["users"],
3236
+ assetType: ["Users"],
3306
3237
  securityFunction: ["Govern"],
3307
3238
  governanceElements: [
3308
3239
  "Establish",
@@ -3379,7 +3310,7 @@ export class SafeguardManager {
3379
3310
  title: "Establish an Access Revoking Process",
3380
3311
  description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
3381
3312
  implementationGroup: "IG1",
3382
- assetType: ["users"],
3313
+ assetType: ["Users"],
3383
3314
  securityFunction: ["Govern"],
3384
3315
  governanceElements: [
3385
3316
  "Establish",
@@ -3461,7 +3392,7 @@ export class SafeguardManager {
3461
3392
  title: "Require MFA for Externally-Exposed Applications",
3462
3393
  description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
3463
3394
  implementationGroup: "IG1",
3464
- assetType: ["users"],
3395
+ assetType: ["Users"],
3465
3396
  securityFunction: ["Protect"],
3466
3397
  governanceElements: [
3467
3398
  "Require",
@@ -3536,7 +3467,7 @@ export class SafeguardManager {
3536
3467
  title: "Require MFA for Remote Network Access",
3537
3468
  description: "Require MFA for remote network access.",
3538
3469
  implementationGroup: "IG1",
3539
- assetType: ["users"],
3470
+ assetType: ["Users"],
3540
3471
  securityFunction: ["Protect"],
3541
3472
  governanceElements: [
3542
3473
  "Require",
@@ -3606,7 +3537,7 @@ export class SafeguardManager {
3606
3537
  title: "Require MFA for Administrative Access",
3607
3538
  description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
3608
3539
  implementationGroup: "IG1",
3609
- assetType: ["users"],
3540
+ assetType: ["Users"],
3610
3541
  securityFunction: ["Protect"],
3611
3542
  governanceElements: [
3612
3543
  "Require",
@@ -3759,7 +3690,7 @@ export class SafeguardManager {
3759
3690
  title: "Centralize Access Control",
3760
3691
  description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
3761
3692
  implementationGroup: "IG2",
3762
- assetType: ["users"],
3693
+ assetType: ["Users"],
3763
3694
  securityFunction: ["Protect"],
3764
3695
  governanceElements: [
3765
3696
  "Centralize",
@@ -3837,7 +3768,7 @@ export class SafeguardManager {
3837
3768
  title: "Define and Maintain Role-Based Access Control",
3838
3769
  description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
3839
3770
  implementationGroup: "IG3",
3840
- assetType: ["users"],
3771
+ assetType: ["Users"],
3841
3772
  securityFunction: ["Govern"],
3842
3773
  governanceElements: [
3843
3774
  "Define",
@@ -4087,7 +4018,7 @@ export class SafeguardManager {
4087
4018
  title: "Perform Automated Operating System Patch Management",
4088
4019
  description: "Perform automated operating system patch management on enterprise assets",
4089
4020
  implementationGroup: "IG1",
4090
- assetType: ["devices"],
4021
+ assetType: ["Devices"],
4091
4022
  securityFunction: ["Protect"],
4092
4023
  governanceElements: [
4093
4024
  "perform automated OS patch management",
@@ -4251,7 +4182,7 @@ export class SafeguardManager {
4251
4182
  title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
4252
4183
  description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
4253
4184
  implementationGroup: "IG2",
4254
- assetType: ["devices", "Software"],
4185
+ assetType: ["Devices", "Software"],
4255
4186
  securityFunction: ["Detect"],
4256
4187
  governanceElements: [
4257
4188
  "perform automated vulnerability scans",
@@ -4333,7 +4264,7 @@ export class SafeguardManager {
4333
4264
  title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
4334
4265
  description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
4335
4266
  implementationGroup: "IG2",
4336
- assetType: ["devices", "Software"],
4267
+ assetType: ["Devices", "Software"],
4337
4268
  securityFunction: ["Detect"],
4338
4269
  governanceElements: [
4339
4270
  "perform automated vulnerability scans",
@@ -5429,7 +5360,7 @@ export class SafeguardManager {
5429
5360
  title: "Use DNS Filtering Services",
5430
5361
  description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
5431
5362
  implementationGroup: "IG1",
5432
- assetType: ["devices", "network"],
5363
+ assetType: ["Devices", "network"],
5433
5364
  securityFunction: ["Protect"],
5434
5365
  governanceElements: [
5435
5366
  "use DNS filtering services on all end-user devices",
@@ -5901,7 +5832,7 @@ export class SafeguardManager {
5901
5832
  title: "Deploy and Maintain Anti-Malware Software",
5902
5833
  description: "Deploy and maintain anti-malware software on all enterprise assets",
5903
5834
  implementationGroup: "IG1",
5904
- assetType: ["devices"],
5835
+ assetType: ["Devices"],
5905
5836
  securityFunction: ["Detect"],
5906
5837
  governanceElements: [
5907
5838
  "deploy anti-malware software",
@@ -5980,7 +5911,7 @@ export class SafeguardManager {
5980
5911
  title: "Configure Automatic Anti-Malware Signature Updates",
5981
5912
  description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
5982
5913
  implementationGroup: "IG1",
5983
- assetType: ["devices"],
5914
+ assetType: ["Devices"],
5984
5915
  securityFunction: ["Protect"],
5985
5916
  governanceElements: [
5986
5917
  "configure automatic updates",
@@ -6054,7 +5985,7 @@ export class SafeguardManager {
6054
5985
  title: "Disable Autorun and Autoplay for Removable Media",
6055
5986
  description: "Disable autorun and autoplay auto-execute functionality for removable media",
6056
5987
  implementationGroup: "IG1",
6057
- assetType: ["devices"],
5988
+ assetType: ["Devices"],
6058
5989
  securityFunction: ["Protect"],
6059
5990
  governanceElements: [
6060
5991
  "disable autorun functionality",
@@ -6133,7 +6064,7 @@ export class SafeguardManager {
6133
6064
  title: "Configure Automatic Anti-Malware Scanning of Removable Media",
6134
6065
  description: "Configure anti-malware software to automatically scan removable media",
6135
6066
  implementationGroup: "IG2",
6136
- assetType: ["devices"],
6067
+ assetType: ["Devices"],
6137
6068
  securityFunction: ["Detect"],
6138
6069
  governanceElements: [
6139
6070
  "configure anti-malware software",
@@ -6211,7 +6142,7 @@ export class SafeguardManager {
6211
6142
  title: "Enable Anti-Exploitation Features",
6212
6143
  description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
6213
6144
  implementationGroup: "IG2",
6214
- assetType: ["devices"],
6145
+ assetType: ["Devices"],
6215
6146
  securityFunction: ["Protect"],
6216
6147
  governanceElements: [
6217
6148
  "enable anti-exploitation features",
@@ -6291,7 +6222,7 @@ export class SafeguardManager {
6291
6222
  title: "Centrally Manage Anti-Malware Software",
6292
6223
  description: "Centrally manage anti-malware software",
6293
6224
  implementationGroup: "IG2",
6294
- assetType: ["devices"],
6225
+ assetType: ["Devices"],
6295
6226
  securityFunction: ["Protect"],
6296
6227
  governanceElements: [
6297
6228
  "centrally manage anti-malware",
@@ -6367,7 +6298,7 @@ export class SafeguardManager {
6367
6298
  title: "Use Behavior-Based Anti-Malware Software",
6368
6299
  description: "Use behavior-based anti-malware software",
6369
6300
  implementationGroup: "IG2",
6370
- assetType: ["devices"],
6301
+ assetType: ["Devices"],
6371
6302
  securityFunction: ["Detect"],
6372
6303
  governanceElements: [
6373
6304
  "use behavior-based anti-malware",
@@ -7335,7 +7266,7 @@ export class SafeguardManager {
7335
7266
  title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
7336
7267
  description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
7337
7268
  implementationGroup: "IG2",
7338
- assetType: ["devices"],
7269
+ assetType: ["Devices"],
7339
7270
  securityFunction: ["Protect"],
7340
7271
  governanceElements: [
7341
7272
  "require users to authenticate to enterprise-managed VPN",
@@ -7415,7 +7346,7 @@ export class SafeguardManager {
7415
7346
  title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
7416
7347
  description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
7417
7348
  implementationGroup: "IG3",
7418
- assetType: ["devices"],
7349
+ assetType: ["Devices"],
7419
7350
  securityFunction: ["Protect"],
7420
7351
  governanceElements: [
7421
7352
  "establish dedicated computing resources for administrative work",
@@ -7497,7 +7428,7 @@ export class SafeguardManager {
7497
7428
  title: "Centralize Security Event Alerting",
7498
7429
  description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
7499
7430
  implementationGroup: "IG2",
7500
- assetType: ["network", "devices"],
7431
+ assetType: ["network", "Devices"],
7501
7432
  securityFunction: ["Detect"],
7502
7433
  governanceElements: [
7503
7434
  "centralize security event alerting across enterprise assets",
@@ -7576,7 +7507,7 @@ export class SafeguardManager {
7576
7507
  title: "Deploy a Host-Based Intrusion Detection Solution",
7577
7508
  description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
7578
7509
  implementationGroup: "IG2",
7579
- assetType: ["devices"],
7510
+ assetType: ["Devices"],
7580
7511
  securityFunction: ["Detect"],
7581
7512
  governanceElements: [
7582
7513
  "deploy host-based intrusion detection solution",
@@ -7802,7 +7733,7 @@ export class SafeguardManager {
7802
7733
  title: "Manage Access Control for Remote Assets",
7803
7734
  description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
7804
7735
  implementationGroup: "IG2",
7805
- assetType: ["devices", "network"],
7736
+ assetType: ["Devices", "network"],
7806
7737
  securityFunction: ["Protect"],
7807
7738
  governanceElements: [
7808
7739
  "manage access control for assets remotely connecting to enterprise networks",
@@ -7956,7 +7887,7 @@ export class SafeguardManager {
7956
7887
  title: "Deploy a Host-Based Intrusion Prevention Solution",
7957
7888
  description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
7958
7889
  implementationGroup: "IG3",
7959
- assetType: ["devices"],
7890
+ assetType: ["Devices"],
7960
7891
  securityFunction: ["Respond"],
7961
7892
  governanceElements: [
7962
7893
  "deploy host-based intrusion prevention solution",
@@ -8257,7 +8188,7 @@ export class SafeguardManager {
8257
8188
  title: "Tune Security Event Alerting Thresholds",
8258
8189
  description: "Tune security event alerting thresholds monthly, or more frequently",
8259
8190
  implementationGroup: "IG3",
8260
- assetType: ["network", "devices"],
8191
+ assetType: ["network", "Devices"],
8261
8192
  securityFunction: ["Detect"],
8262
8193
  governanceElements: [
8263
8194
  "tune security event alerting thresholds",
@@ -8331,7 +8262,7 @@ export class SafeguardManager {
8331
8262
  title: "Establish and Maintain a Security Awareness Program",
8332
8263
  description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
8333
8264
  implementationGroup: "IG1",
8334
- assetType: ["users"],
8265
+ assetType: ["Users"],
8335
8266
  securityFunction: ["Govern"],
8336
8267
  governanceElements: [
8337
8268
  "establish and maintain a security awareness program",
@@ -8413,7 +8344,7 @@ export class SafeguardManager {
8413
8344
  title: "Train Workforce Members to Recognize Social Engineering Attacks",
8414
8345
  description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
8415
8346
  implementationGroup: "IG1",
8416
- assetType: ["users"],
8347
+ assetType: ["Users"],
8417
8348
  securityFunction: ["Protect"],
8418
8349
  governanceElements: [
8419
8350
  "train workforce members to recognize social engineering attacks",
@@ -8492,7 +8423,7 @@ export class SafeguardManager {
8492
8423
  title: "Train Workforce Members on Authentication Best Practices",
8493
8424
  description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
8494
8425
  implementationGroup: "IG1",
8495
- assetType: ["users"],
8426
+ assetType: ["Users"],
8496
8427
  securityFunction: ["Protect"],
8497
8428
  governanceElements: [
8498
8429
  "train workforce members on authentication best practices",
@@ -8569,7 +8500,7 @@ export class SafeguardManager {
8569
8500
  title: "Train Workforce on Data Handling Best Practices",
8570
8501
  description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
8571
8502
  implementationGroup: "IG1",
8572
- assetType: ["users"],
8503
+ assetType: ["Users"],
8573
8504
  securityFunction: ["Protect"],
8574
8505
  governanceElements: [
8575
8506
  "train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
@@ -8654,7 +8585,7 @@ export class SafeguardManager {
8654
8585
  title: "Train Workforce Members on Causes of Unintentional Data Exposure",
8655
8586
  description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
8656
8587
  implementationGroup: "IG1",
8657
- assetType: ["users"],
8588
+ assetType: ["Users"],
8658
8589
  securityFunction: ["Protect"],
8659
8590
  governanceElements: [
8660
8591
  "train workforce members to be aware of causes for unintentional data exposure",
@@ -8731,7 +8662,7 @@ export class SafeguardManager {
8731
8662
  title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
8732
8663
  description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
8733
8664
  implementationGroup: "IG1",
8734
- assetType: ["users"],
8665
+ assetType: ["Users"],
8735
8666
  securityFunction: ["Protect"],
8736
8667
  governanceElements: [
8737
8668
  "train workforce members to be able to recognize a potential incident",
@@ -8806,7 +8737,7 @@ export class SafeguardManager {
8806
8737
  title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
8807
8738
  description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
8808
8739
  implementationGroup: "IG1",
8809
- assetType: ["users"],
8740
+ assetType: ["Users"],
8810
8741
  securityFunction: ["Protect"],
8811
8742
  governanceElements: [
8812
8743
  "train workforce to understand how to verify and report out-of-date software patches",
@@ -8887,7 +8818,7 @@ export class SafeguardManager {
8887
8818
  title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
8888
8819
  description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
8889
8820
  implementationGroup: "IG1",
8890
- assetType: ["users"],
8821
+ assetType: ["Users"],
8891
8822
  securityFunction: ["Protect"],
8892
8823
  governanceElements: [
8893
8824
  "train workforce members on dangers of connecting to and transmitting data over insecure networks",
@@ -8967,7 +8898,7 @@ export class SafeguardManager {
8967
8898
  title: "Conduct Role-Specific Security Awareness and Skills Training",
8968
8899
  description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
8969
8900
  implementationGroup: "IG2",
8970
- assetType: ["users"],
8901
+ assetType: ["Users"],
8971
8902
  securityFunction: ["Protect"],
8972
8903
  governanceElements: [
8973
8904
  "conduct role-specific security awareness and skills training",
@@ -9045,7 +8976,7 @@ export class SafeguardManager {
9045
8976
  title: "Establish and Maintain an Inventory of Service Providers",
9046
8977
  description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
9047
8978
  implementationGroup: "IG1",
9048
- assetType: ["users"],
8979
+ assetType: ["Users"],
9049
8980
  securityFunction: ["Identify"],
9050
8981
  governanceElements: [
9051
8982
  "establish and maintain an inventory of service providers",
@@ -9125,7 +9056,7 @@ export class SafeguardManager {
9125
9056
  title: "Establish and Maintain a Service Provider Management Policy",
9126
9057
  description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
9127
9058
  implementationGroup: "IG2",
9128
- assetType: ["users"],
9059
+ assetType: ["Users"],
9129
9060
  securityFunction: ["Govern"],
9130
9061
  governanceElements: [
9131
9062
  "establish and maintain a service provider management policy",
@@ -9210,7 +9141,7 @@ export class SafeguardManager {
9210
9141
  title: "Classify Service Providers",
9211
9142
  description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
9212
9143
  implementationGroup: "IG2",
9213
- assetType: ["users"],
9144
+ assetType: ["Users"],
9214
9145
  securityFunction: ["Govern"],
9215
9146
  governanceElements: [
9216
9147
  "classify service providers",
@@ -9293,7 +9224,7 @@ export class SafeguardManager {
9293
9224
  title: "Ensure Service Provider Contracts Include Security Requirements",
9294
9225
  description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
9295
9226
  implementationGroup: "IG2",
9296
- assetType: ["users"],
9227
+ assetType: ["Users"],
9297
9228
  securityFunction: ["Govern"],
9298
9229
  governanceElements: [
9299
9230
  "ensure service provider contracts include security requirements",
@@ -9375,7 +9306,7 @@ export class SafeguardManager {
9375
9306
  title: "Assess Service Providers",
9376
9307
  description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
9377
9308
  implementationGroup: "IG3",
9378
- assetType: ["users"],
9309
+ assetType: ["Users"],
9379
9310
  securityFunction: ["Govern"],
9380
9311
  governanceElements: [
9381
9312
  "assess service providers consistent with enterprise's service provider management policy",
@@ -10240,7 +10171,7 @@ export class SafeguardManager {
10240
10171
  title: "Train Developers in Application Security Concepts and Secure Coding",
10241
10172
  description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
10242
10173
  implementationGroup: "IG2",
10243
- assetType: ["users"],
10174
+ assetType: ["Users"],
10244
10175
  securityFunction: ["Protect"],
10245
10176
  governanceElements: [
10246
10177
  "ensure that all software development personnel receive training in writing secure code",
@@ -10716,7 +10647,7 @@ export class SafeguardManager {
10716
10647
  title: "Designate Personnel to Manage Incident Handling",
10717
10648
  description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
10718
10649
  implementationGroup: "IG1",
10719
- assetType: ["users"],
10650
+ assetType: ["Users"],
10720
10651
  securityFunction: ["Respond"],
10721
10652
  governanceElements: [
10722
10653
  "designate one key person and at least one backup who will manage the enterprise's incident handling process",
@@ -10794,7 +10725,7 @@ export class SafeguardManager {
10794
10725
  title: "Establish and Maintain Contact Information for Reporting Security Incidents",
10795
10726
  description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
10796
10727
  implementationGroup: "IG1",
10797
- assetType: ["users"],
10728
+ assetType: ["Users"],
10798
10729
  securityFunction: ["Respond"],
10799
10730
  governanceElements: [
10800
10731
  "establish and maintain contact information for reporting security incidents",
@@ -10870,7 +10801,7 @@ export class SafeguardManager {
10870
10801
  title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
10871
10802
  description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
10872
10803
  implementationGroup: "IG1",
10873
- assetType: ["users"],
10804
+ assetType: ["Users"],
10874
10805
  securityFunction: ["Govern"],
10875
10806
  governanceElements: [
10876
10807
  "establish and maintain a documented enterprise process for the workforce to report security incidents",
@@ -10948,7 +10879,7 @@ export class SafeguardManager {
10948
10879
  title: "Establish and Maintain an Incident Response Process",
10949
10880
  description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
10950
10881
  implementationGroup: "IG2",
10951
- assetType: ["users"],
10882
+ assetType: ["Users"],
10952
10883
  securityFunction: ["Govern"],
10953
10884
  governanceElements: [
10954
10885
  "establish and maintain a documented incident response process",
@@ -11023,7 +10954,7 @@ export class SafeguardManager {
11023
10954
  title: "Assign Key Roles and Responsibilities",
11024
10955
  description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
11025
10956
  implementationGroup: "IG2",
11026
- assetType: ["users"],
10957
+ assetType: ["Users"],
11027
10958
  securityFunction: ["Respond"],
11028
10959
  governanceElements: [
11029
10960
  "assign key roles and responsibilities for incident response",
@@ -11101,7 +11032,7 @@ export class SafeguardManager {
11101
11032
  title: "Define Mechanisms for Communicating During Incident Response",
11102
11033
  description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
11103
11034
  implementationGroup: "IG2",
11104
- assetType: ["users"],
11035
+ assetType: ["Users"],
11105
11036
  securityFunction: ["Respond"],
11106
11037
  governanceElements: [
11107
11038
  "determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
@@ -11178,7 +11109,7 @@ export class SafeguardManager {
11178
11109
  title: "Conduct Routine Incident Response Exercises",
11179
11110
  description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
11180
11111
  implementationGroup: "IG2",
11181
- assetType: ["users"],
11112
+ assetType: ["Users"],
11182
11113
  securityFunction: ["Recover"],
11183
11114
  governanceElements: [
11184
11115
  "plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
@@ -11255,7 +11186,7 @@ export class SafeguardManager {
11255
11186
  title: "Conduct Post-Incident Reviews",
11256
11187
  description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
11257
11188
  implementationGroup: "IG2",
11258
- assetType: ["users"],
11189
+ assetType: ["Users"],
11259
11190
  securityFunction: ["Recover"],
11260
11191
  governanceElements: [
11261
11192
  "conduct post-incident reviews"
@@ -11328,7 +11259,7 @@ export class SafeguardManager {
11328
11259
  title: "Establish and Maintain Security Incident Thresholds",
11329
11260
  description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
11330
11261
  implementationGroup: "IG3",
11331
- assetType: ["users"],
11262
+ assetType: ["Users"],
11332
11263
  securityFunction: ["Recover"],
11333
11264
  governanceElements: [
11334
11265
  "establish and maintain security incident thresholds",