framework-mcp 2.4.3 → 2.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -2895,19 +2895,17 @@ export class SafeguardManager {
2895
2895
  title: "Establish and Maintain a Secure Configuration Process",
2896
2896
  description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
2897
2897
  implementationGroup: "IG1",
2898
- assetType: ["end-user devices", "network devices", "IoT devices", "servers", "Software"],
2898
+ assetType: ["Docuemntation"],
2899
2899
  securityFunction: ["Govern"],
2900
2900
  governanceElements: [ // Orange - MUST be met
2901
2901
  "Establish",
2902
2902
  "Maintain",
2903
- "Documented Secure Configuration Process",
2904
2903
  "Review and update documentation",
2905
2904
  "Annually",
2906
2905
  "When significant enterprise changes occur that could impact this Safeguard"
2907
2906
  ],
2908
2907
  coreRequirements: [ // Green - The "what"
2909
- "documented secure configuration process for enterprise assets",
2910
- "documented secure configuration process for software"
2908
+ "documented secure configuration process"
2911
2909
  ],
2912
2910
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2913
2911
  "Enterprise assets",
@@ -2917,12 +2915,9 @@ export class SafeguardManager {
2917
2915
  "Portable",
2918
2916
  "Non-computing/IoT devices",
2919
2917
  "Servers",
2920
- "OS",
2921
- "Software"
2918
+ "OS"
2922
2919
  ],
2923
2920
  implementationSuggestions: [ // Gray - Implementation suggestions
2924
- "Secure Configuration Policy / Process",
2925
- "Configuration Management Tool"
2926
2921
  ],
2927
2922
  relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
2928
2923
  systemPromptFull: {
@@ -3010,25 +3005,22 @@ export class SafeguardManager {
3010
3005
  title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
3011
3006
  description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
3012
3007
  implementationGroup: "IG1",
3013
- assetType: ["network devices"],
3008
+ assetType: ["Documentation"],
3014
3009
  securityFunction: ["Govern"],
3015
3010
  governanceElements: [ // Orange - MUST be met
3016
3011
  "Establish",
3017
3012
  "Maintain",
3018
- "Documented Secure Network Configuration Process",
3019
3013
  "Review and update documentation",
3020
3014
  "Annually",
3021
3015
  "When significant enterprise changes occur that could impact this Safeguard"
3022
3016
  ],
3023
3017
  coreRequirements: [ // Green - The "what"
3024
- "documented secure configuration process for network devices"
3018
+ "documented secure configuration process"
3025
3019
  ],
3026
3020
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3027
3021
  "Network devices"
3028
3022
  ],
3029
3023
  implementationSuggestions: [ // Gray - Implementation suggestions
3030
- "Secure Configuration Policy / Process",
3031
- "Configuration Management Tool"
3032
3024
  ],
3033
3025
  relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
3034
3026
  systemPromptFull: {
@@ -3116,7 +3108,7 @@ export class SafeguardManager {
3116
3108
  title: "Configure Automatic Session Locking on Enterprise Assets",
3117
3109
  description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
3118
3110
  implementationGroup: "IG1",
3119
- assetType: ["devices"],
3111
+ assetType: ["Devices"],
3120
3112
  securityFunction: ["Protect"],
3121
3113
  governanceElements: [ // Orange - MUST be met
3122
3114
  "Configure",
@@ -3124,18 +3116,14 @@ export class SafeguardManager {
3124
3116
  "Period must not exceed for 2 Minutes"
3125
3117
  ],
3126
3118
  coreRequirements: [ // Green - The "what"
3127
- "automatic session locking on enterprise assets after a defined period of inactivity",
3128
- "general purpose operating systems",
3129
- "mobile end-user devices"
3119
+ "automatic session locking on enterprise assets"
3130
3120
  ],
3131
3121
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3132
- "Automatic Session Locking",
3133
3122
  "Period of inactivity",
3134
3123
  "General Purpose OSs",
3135
3124
  "Mobile end-user devices"
3136
3125
  ],
3137
3126
  implementationSuggestions: [ // Gray - Implementation suggestions
3138
- "Configuration Management Tool"
3139
3127
  ],
3140
3128
  relatedSafeguards: ["4.1"],
3141
3129
  systemPromptFull: {
@@ -3223,7 +3211,7 @@ export class SafeguardManager {
3223
3211
  title: "Implement and Manage a Firewall on Servers",
3224
3212
  description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
3225
3213
  implementationGroup: "IG1",
3226
- assetType: ["devices"],
3214
+ assetType: ["Devices"],
3227
3215
  securityFunction: ["Protect"],
3228
3216
  governanceElements: [ // Orange - MUST be met
3229
3217
  "Implement",
@@ -3240,8 +3228,6 @@ export class SafeguardManager {
3240
3228
  "Virtual Firewall",
3241
3229
  "OS Firewall",
3242
3230
  "Third Party Firewall",
3243
- "Firewall",
3244
- "Configuration Management Tool"
3245
3231
  ],
3246
3232
  relatedSafeguards: ["4.1"],
3247
3233
  systemPromptFull: {
@@ -3329,21 +3315,18 @@ export class SafeguardManager {
3329
3315
  title: "Implement and Manage a Firewall on End-User Devices",
3330
3316
  description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
3331
3317
  implementationGroup: "IG1",
3332
- assetType: ["devices"],
3318
+ assetType: ["Devices"],
3333
3319
  securityFunction: ["Protect"],
3334
3320
  governanceElements: [ // Orange - MUST be met
3335
3321
  "Implement",
3336
- "Manage",
3337
- "Default deny rule that drops all traffic",
3338
- "Except Explicitly Allowed"
3322
+ "Manage"
3339
3323
  ],
3340
3324
  coreRequirements: [ // Green - The "what"
3341
3325
  "host-based firewall or port-filtering tool on end-user devices"
3342
3326
  ],
3343
3327
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3344
- "Host-based Firewall",
3345
- "Port Filtering Tool",
3346
- "End User Devices",
3328
+ "Default Deny Rule that drops all traffic",
3329
+ "Except Explicitly Allowed",
3347
3330
  "Services",
3348
3331
  "Ports"
3349
3332
  ],
@@ -3437,7 +3420,7 @@ export class SafeguardManager {
3437
3420
  title: "Securely Manage Enterprise Assets and Software",
3438
3421
  description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
3439
3422
  implementationGroup: "IG1",
3440
- assetType: ["devices", "Software"],
3423
+ assetType: ["Devices"],
3441
3424
  securityFunction: ["Protect"],
3442
3425
  governanceElements: [ // Orange - MUST be met
3443
3426
  "Do not use insecure management protocols",
@@ -3447,16 +3430,14 @@ export class SafeguardManager {
3447
3430
  "Securely manage enterprise assets and software"
3448
3431
  ],
3449
3432
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3450
- "Securely manage enterprise assets and software"
3433
+ "Securely manage enterprise assets and software",
3434
+ "Do not use insecure management protocols unless operationally essential"
3451
3435
  ],
3452
3436
  implementationSuggestions: [ // Gray - Implementation suggestions
3453
3437
  "Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
3454
3438
  "Accessing administrative interfaces over secure network protocols",
3455
- "SSH",
3456
- "HTTPS",
3457
- "Telnet (Teletype Network)",
3458
- "HTTP",
3459
- "Configuration Management Tool"
3439
+ "SSH instead of TELNET",
3440
+ "HTTPS instead of HTTP",
3460
3441
  ],
3461
3442
  relatedSafeguards: ["4.1", "12.3"],
3462
3443
  systemPromptFull: {
@@ -3544,26 +3525,22 @@ export class SafeguardManager {
3544
3525
  title: "Manage Default Accounts on Enterprise Assets and Software",
3545
3526
  description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
3546
3527
  implementationGroup: "IG1",
3547
- assetType: ["devices", "Software", "users"],
3528
+ assetType: ["Users"],
3548
3529
  securityFunction: ["Protect"],
3549
3530
  governanceElements: [ // Orange - MUST be met
3550
3531
  "Manage"
3551
3532
  ],
3552
3533
  coreRequirements: [ // Green - The "what"
3553
- "default accounts on enterprise assets and software"
3534
+ "default accounts"
3554
3535
  ],
3555
3536
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3556
- "Default accounts",
3557
3537
  "Enterprise assets",
3558
- "Software",
3559
- "Root",
3560
- "Administrator",
3561
- "Other pre-configured vendor accounts"
3538
+ "Software"
3562
3539
  ],
3563
3540
  implementationSuggestions: [ // Gray - Implementation suggestions
3564
- "Disabling",
3565
- "Unusable",
3566
- "Configuration Management Tool"
3541
+ "Disabling them",
3542
+ "making them Unusable",
3543
+ "Root, Administrator, or other pre-configured vendor accounts"
3567
3544
  ],
3568
3545
  relatedSafeguards: ["4.1"],
3569
3546
  systemPromptFull: {
@@ -3651,25 +3628,23 @@ export class SafeguardManager {
3651
3628
  title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
3652
3629
  description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
3653
3630
  implementationGroup: "IG2",
3654
- assetType: ["devices", "Software"],
3631
+ assetType: ["Devices", "Software"],
3655
3632
  securityFunction: ["Protect"],
3656
3633
  governanceElements: [ // Orange - MUST be met
3657
3634
  "Uninstall",
3658
3635
  "Disable"
3659
3636
  ],
3660
3637
  coreRequirements: [ // Green - The "what"
3661
- "unnecessary services on enterprise assets and software"
3638
+ "unnecessary services"
3662
3639
  ],
3663
3640
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3664
- "Unnecessary Services",
3665
3641
  "Enterprise assets",
3666
- "Software",
3667
- "Unused file sharing service",
3668
- "Web application module",
3669
- "Service function"
3642
+ "Software"
3670
3643
  ],
3671
3644
  implementationSuggestions: [ // Gray - Implementation suggestions
3672
- "Configuration Management Tool"
3645
+ "Unused File Sharing Services",
3646
+ "Web Application Module",
3647
+ "Service Function"
3673
3648
  ],
3674
3649
  relatedSafeguards: ["4.1"],
3675
3650
  systemPromptFull: {
@@ -3757,22 +3732,20 @@ export class SafeguardManager {
3757
3732
  title: "Configure Trusted DNS Servers on Enterprise Assets",
3758
3733
  description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
3759
3734
  implementationGroup: "IG2",
3760
- assetType: ["devices"],
3735
+ assetType: ["Devices"],
3761
3736
  securityFunction: ["Protect"],
3762
3737
  governanceElements: [ // Orange - MUST be met
3763
3738
  "Configure"
3764
3739
  ],
3765
3740
  coreRequirements: [ // Green - The "what"
3766
- "trusted DNS servers on enterprise assets"
3741
+ "trusted DNS servers"
3767
3742
  ],
3768
3743
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3769
- "Trusted DNS Servers",
3770
3744
  "Enterprise assets"
3771
3745
  ],
3772
3746
  implementationSuggestions: [ // Gray - Implementation suggestions
3773
3747
  "Configuring assets to use enterprise-controlled DNS servers",
3774
- "Reputable externally accessible DNS servers",
3775
- "Configuration Management Tool"
3748
+ "Reputable externally accessible DNS servers"
3776
3749
  ],
3777
3750
  relatedSafeguards: ["4.1", "8.6", "9.2"],
3778
3751
  systemPromptFull: {
@@ -3860,7 +3833,7 @@ export class SafeguardManager {
3860
3833
  title: "Enforce Automatic Device Lockout on Portable End-User Devices",
3861
3834
  description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
3862
3835
  implementationGroup: "IG2",
3863
- assetType: ["devices"],
3836
+ assetType: ["Devices"],
3864
3837
  securityFunction: ["Protect"],
3865
3838
  governanceElements: [ // Orange - MUST be met
3866
3839
  "Enforce",
@@ -3869,14 +3842,13 @@ export class SafeguardManager {
3869
3842
  "No more than 10 Failed Authentication Attempts"
3870
3843
  ],
3871
3844
  coreRequirements: [ // Green - The "what"
3872
- "automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices"
3845
+ "automatic device lockout"
3873
3846
  ],
3874
3847
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3875
- "Automatic Device Lockout",
3876
- "Predetermined threshold of local failed authentication attempts",
3877
- "Portable end-user devices",
3878
- "Laptops",
3879
- "Tablets and smartphones"
3848
+ "After a Predetermined threshold of local failed authentication attempts",
3849
+ "On Portable end-user devices",
3850
+ "Such as Laptops",
3851
+ "Such as Tablets and smartphones"
3880
3852
  ],
3881
3853
  implementationSuggestions: [ // Gray - Implementation suggestions
3882
3854
  "Microsoft® InTune Device Lock",
@@ -3969,24 +3941,22 @@ export class SafeguardManager {
3969
3941
  title: "Enforce Remote Wipe Capability on Portable End-User Devices",
3970
3942
  description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
3971
3943
  implementationGroup: "IG2",
3972
- assetType: ["devices"],
3944
+ assetType: ["Devices"],
3973
3945
  securityFunction: ["Protect"],
3974
3946
  governanceElements: [ // Orange - MUST be met
3975
3947
  "When deemed appropriate"
3976
3948
  ],
3977
3949
  coreRequirements: [ // Green - The "what"
3978
- "Remotely wipe enterprise data from enterprise-owned portable end-user devices"
3950
+ "Remotely wipe enterprise data"
3979
3951
  ],
3980
3952
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3981
- "Remotely Wipe enterprise data",
3982
- "Portable end-user devices",
3953
+ "Portable end-user devices"
3954
+ ],
3955
+ implementationSuggestions: [ // Gray - Implementation suggestions
3983
3956
  "Lost devices",
3984
3957
  "Stolen devices",
3985
3958
  "When an individual no longer supports the enterprise"
3986
3959
  ],
3987
- implementationSuggestions: [ // Gray - Implementation suggestions
3988
- "Configuration Management Tool"
3989
- ],
3990
3960
  relatedSafeguards: ["4.1"],
3991
3961
  systemPromptFull: {
3992
3962
 
@@ -4073,7 +4043,7 @@ export class SafeguardManager {
4073
4043
  title: "Separate Enterprise Workspaces on Mobile End-User Devices",
4074
4044
  description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
4075
4045
  implementationGroup: "IG3",
4076
- assetType: ["devices", "Data"],
4046
+ assetType: ["Data"],
4077
4047
  securityFunction: ["Protect"],
4078
4048
  governanceElements: [ // Orange - MUST be met
4079
4049
  "Ensure",
@@ -4083,17 +4053,12 @@ export class SafeguardManager {
4083
4053
  "separate enterprise workspaces are used on mobile end-user devices"
4084
4054
  ],
4085
4055
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4086
- "Separate enterprise workspaces",
4087
- "On Mobile Devices",
4088
- "Enterprise Applications",
4089
- "Enterprise Data",
4090
- "Personal Applications",
4091
- "Personal Data"
4056
+ "Enterprise Applications and Enterprise Data",
4057
+ "Seperate from Personal Applications and Personal Data"
4092
4058
  ],
4093
4059
  implementationSuggestions: [ // Gray - Implementation suggestions
4094
4060
  "Apple® Configuration Profile",
4095
- "AndroidTM Work Profile",
4096
- "Configuration Management Tool"
4061
+ "AndroidTM Work Profile"
4097
4062
  ],
4098
4063
  relatedSafeguards: ["4.1"],
4099
4064
  systemPromptFull: {
@@ -4181,36 +4146,26 @@ export class SafeguardManager {
4181
4146
  title: "Establish and Maintain an Inventory of Accounts",
4182
4147
  description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
4183
4148
  implementationGroup: "IG1",
4184
- assetType: ["users"],
4149
+ assetType: ["Users"],
4185
4150
  securityFunction: ["Identify"],
4186
4151
  governanceElements: [ // Orange - MUST be met
4187
- "Establish and maintain an inventory of all accounts managed in the enterprise",
4188
- "The inventory must include both user and administrator accounts",
4189
- "At a minimum, should contain the person's name, username, start/stop dates, and department",
4152
+ "Establish and maintain",
4153
+ "Must include",
4190
4154
  "Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
4191
4155
  ],
4192
4156
  coreRequirements: [ // Green - The "what"
4193
4157
  "Inventory of Accounts"
4194
4158
  ],
4195
4159
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4196
- "Establish",
4197
- "Maintain",
4198
- "Validate that all active accounts are authorized",
4199
- "Recurring schedule",
4200
- "Must Include",
4201
- "At a minimum",
4202
- "Minimum Quarterly",
4203
- "More Frequently",
4204
4160
  "User Accounts",
4205
4161
  "Administrator Accounts",
4162
+ "Service Accounts",
4206
4163
  "Name",
4207
4164
  "Username",
4208
4165
  "Start Stop Dates",
4209
4166
  "Department"
4210
4167
  ],
4211
4168
  implementationSuggestions: [ // Gray - Implementation suggestions
4212
- "Account and Access Control Management",
4213
- "Identity and Access Management Tool"
4214
4169
  ],
4215
4170
  relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"],
4216
4171
  systemPromptFull: {
@@ -4298,25 +4253,19 @@ export class SafeguardManager {
4298
4253
  title: "Use Unique Passwords",
4299
4254
  description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
4300
4255
  implementationGroup: "IG1",
4301
- assetType: ["users"],
4256
+ assetType: ["Users"],
4302
4257
  securityFunction: ["Protect"],
4303
4258
  governanceElements: [ // Orange - MUST be met
4304
- "Use unique passwords for all enterprise assets",
4305
- "Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
4259
+ "Use",
4260
+ "At a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
4306
4261
  ],
4307
4262
  coreRequirements: [ // Green - The "what"
4308
4263
  "Unique Passwords"
4309
4264
  ],
4310
4265
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4311
- "Use",
4312
- "At a minimum",
4313
- "All Enterprise Assets",
4314
- "8-character password for accounts using MFA",
4315
- "14-character password for accounts not using MFA"
4266
+ "All Enterprise Assets"
4316
4267
  ],
4317
4268
  implementationSuggestions: [ // Gray - Implementation suggestions
4318
- "Account and Access Control Management",
4319
- "Password Management Tool"
4320
4269
  ],
4321
4270
  relatedSafeguards: ["5.1"],
4322
4271
  systemPromptFull: {
@@ -4404,10 +4353,11 @@ export class SafeguardManager {
4404
4353
  title: "Disable Dormant Accounts",
4405
4354
  description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
4406
4355
  implementationGroup: "IG1",
4407
- assetType: ["users"],
4356
+ assetType: ["Users"],
4408
4357
  securityFunction: ["Protect"],
4409
4358
  governanceElements: [ // Orange - MUST be met
4410
- "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
4359
+ "after a period of 45 days of inactivity",
4360
+ "where supported"
4411
4361
  ],
4412
4362
  coreRequirements: [ // Green - The "what"
4413
4363
  "Dormant Accounts"
@@ -4419,8 +4369,6 @@ export class SafeguardManager {
4419
4369
  "Where Supported"
4420
4370
  ],
4421
4371
  implementationSuggestions: [ // Gray - Implementation suggestions
4422
- "Account and Access Control Management",
4423
- "Identity and Access Management Tool"
4424
4372
  ],
4425
4373
  relatedSafeguards: ["5.1"],
4426
4374
  systemPromptFull: {
@@ -4508,25 +4456,21 @@ export class SafeguardManager {
4508
4456
  title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
4509
4457
  description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
4510
4458
  implementationGroup: "IG1",
4511
- assetType: ["users"],
4459
+ assetType: ["Users"],
4512
4460
  securityFunction: ["Protect"],
4513
4461
  governanceElements: [ // Orange - MUST be met
4514
- "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
4515
- "Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account"
4462
+ "Restrict"
4516
4463
  ],
4517
4464
  coreRequirements: [ // Green - The "what"
4518
4465
  "Administrator Privileges",
4519
4466
  "Dedicated Admin Accounts"
4520
4467
  ],
4521
4468
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4522
- "Restrict",
4523
4469
  "Enterprise assets",
4524
4470
  "User's primary, non-privileged account",
4525
4471
  "General Computing Activities"
4526
4472
  ],
4527
4473
  implementationSuggestions: [ // Gray - Implementation suggestions
4528
- "Account and Access Control Management",
4529
- "Identity and Access Management Tool",
4530
4474
  "Such as",
4531
4475
  "Internet browsing",
4532
4476
  "Email",
@@ -4618,32 +4562,23 @@ export class SafeguardManager {
4618
4562
  title: "Establish and Maintain an Inventory of Service Accounts",
4619
4563
  description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
4620
4564
  implementationGroup: "IG2",
4621
- assetType: ["users"],
4565
+ assetType: ["Users"],
4622
4566
  securityFunction: ["Identify"],
4623
4567
  governanceElements: [ // Orange - MUST be met
4624
- "Establish and maintain an inventory of service accounts",
4625
- "The inventory, at a minimum, must contain department owner, review date, and purpose",
4626
- "Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
4568
+ "Establish and maintain",
4569
+ "at a minimum, must contain",
4570
+ "Perform service account reviews to validate that all active accounts are authorized",
4571
+ "recurring schedule at a minimum quarterly, or more frequently"
4627
4572
  ],
4628
4573
  coreRequirements: [ // Green - The "what"
4629
4574
  "Inventory of Service Accounts"
4630
4575
  ],
4631
4576
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4632
- "Establish",
4633
- "Maintain",
4634
- "At a Minimum Must Contain",
4635
- "Perform service account reviews to validate that all active accounts are authorized",
4636
- "On a recurring schedule",
4637
4577
  "Department Owner",
4638
4578
  "Review date",
4639
- "Purpose",
4640
- "At a minimum quarterly",
4641
- "More frequently",
4642
- "Or"
4579
+ "Purpose"
4643
4580
  ],
4644
4581
  implementationSuggestions: [ // Gray - Implementation suggestions
4645
- "Account and Access Control Management",
4646
- "Identity and Access Management Tool"
4647
4582
  ],
4648
4583
  relatedSafeguards: ["5.1"],
4649
4584
  systemPromptFull: {
@@ -4731,23 +4666,19 @@ export class SafeguardManager {
4731
4666
  title: "Centralize Account Management",
4732
4667
  description: "Centralize account management through a directory or identity service.",
4733
4668
  implementationGroup: "IG2",
4734
- assetType: ["users"],
4669
+ assetType: ["Users"],
4735
4670
  securityFunction: ["Govern"],
4736
4671
  governanceElements: [ // Orange - MUST be met
4737
- "Centralize account management through a directory or identity service"
4672
+ "Centralize"
4738
4673
  ],
4739
4674
  coreRequirements: [ // Green - The "what"
4740
4675
  "Account Management"
4741
4676
  ],
4742
4677
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4743
- "Centralize",
4744
4678
  "Directory Service",
4745
- "Identity Service",
4746
- "Or"
4679
+ "Identity Service"
4747
4680
  ],
4748
4681
  implementationSuggestions: [ // Gray - Implementation suggestions
4749
- "Account and Access Control Management",
4750
- "Identity and Access Management Tool"
4751
4682
  ],
4752
4683
  relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"],
4753
4684
  systemPromptFull: {
@@ -4835,7 +4766,7 @@ export class SafeguardManager {
4835
4766
  title: "Establish an Access Granting Process",
4836
4767
  description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
4837
4768
  implementationGroup: "IG1",
4838
- assetType: ["users"],
4769
+ assetType: ["Users"],
4839
4770
  securityFunction: ["Govern"],
4840
4771
  governanceElements: [ // Orange - MUST be met
4841
4772
  "Establish",
@@ -4946,7 +4877,7 @@ export class SafeguardManager {
4946
4877
  title: "Establish an Access Revoking Process",
4947
4878
  description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
4948
4879
  implementationGroup: "IG1",
4949
- assetType: ["users"],
4880
+ assetType: ["Users"],
4950
4881
  securityFunction: ["Govern"],
4951
4882
  governanceElements: [ // Orange - MUST be met
4952
4883
  "Establish",
@@ -5062,7 +4993,7 @@ export class SafeguardManager {
5062
4993
  title: "Require MFA for Externally-Exposed Applications",
5063
4994
  description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
5064
4995
  implementationGroup: "IG1",
5065
- assetType: ["users"],
4996
+ assetType: ["Users"],
5066
4997
  securityFunction: ["Protect"],
5067
4998
  governanceElements: [ // Orange - MUST be met
5068
4999
  "Require",
@@ -5171,7 +5102,7 @@ export class SafeguardManager {
5171
5102
  title: "Require MFA for Remote Network Access",
5172
5103
  description: "Require MFA for remote network access.",
5173
5104
  implementationGroup: "IG1",
5174
- assetType: ["users"],
5105
+ assetType: ["Users"],
5175
5106
  securityFunction: ["Protect"],
5176
5107
  governanceElements: [ // Orange - MUST be met
5177
5108
  "Require",
@@ -5275,7 +5206,7 @@ export class SafeguardManager {
5275
5206
  title: "Require MFA for Administrative Access",
5276
5207
  description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
5277
5208
  implementationGroup: "IG1",
5278
- assetType: ["users"],
5209
+ assetType: ["Users"],
5279
5210
  securityFunction: ["Protect"],
5280
5211
  governanceElements: [ // Orange - MUST be met
5281
5212
  "Require",
@@ -5496,7 +5427,7 @@ export class SafeguardManager {
5496
5427
  title: "Centralize Access Control",
5497
5428
  description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
5498
5429
  implementationGroup: "IG2",
5499
- assetType: ["users"],
5430
+ assetType: ["Users"],
5500
5431
  securityFunction: ["Protect"],
5501
5432
  governanceElements: [ // Orange - MUST be met
5502
5433
  "Centralize",
@@ -5608,7 +5539,7 @@ export class SafeguardManager {
5608
5539
  title: "Define and Maintain Role-Based Access Control",
5609
5540
  description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
5610
5541
  implementationGroup: "IG3",
5611
- assetType: ["users"],
5542
+ assetType: ["Users"],
5612
5543
  securityFunction: ["Govern"],
5613
5544
  governanceElements: [ // Orange - MUST be met
5614
5545
  "Define",
@@ -5960,7 +5891,7 @@ export class SafeguardManager {
5960
5891
  title: "Perform Automated Operating System Patch Management",
5961
5892
  description: "Perform automated operating system patch management on enterprise assets",
5962
5893
  implementationGroup: "IG1",
5963
- assetType: ["devices"],
5894
+ assetType: ["Devices"],
5964
5895
  securityFunction: ["Protect"],
5965
5896
  governanceElements: [ // Orange - MUST be met
5966
5897
  "perform automated OS patch management",
@@ -6192,7 +6123,7 @@ export class SafeguardManager {
6192
6123
  title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
6193
6124
  description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
6194
6125
  implementationGroup: "IG2",
6195
- assetType: ["devices", "Software"],
6126
+ assetType: ["Devices", "Software"],
6196
6127
  securityFunction: ["Detect"],
6197
6128
  governanceElements: [ // Orange - MUST be met
6198
6129
  "perform automated vulnerability scans",
@@ -6308,7 +6239,7 @@ export class SafeguardManager {
6308
6239
  title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
6309
6240
  description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
6310
6241
  implementationGroup: "IG2",
6311
- assetType: ["devices", "Software"],
6242
+ assetType: ["Devices", "Software"],
6312
6243
  securityFunction: ["Detect"],
6313
6244
  governanceElements: [ // Orange - MUST be met
6314
6245
  "perform automated vulnerability scans",
@@ -7914,7 +7845,7 @@ export class SafeguardManager {
7914
7845
  title: "Use DNS Filtering Services",
7915
7846
  description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
7916
7847
  implementationGroup: "IG1",
7917
- assetType: ["devices", "network"],
7848
+ assetType: ["Devices", "network"],
7918
7849
  securityFunction: ["Protect"],
7919
7850
  governanceElements: [ // Orange - MUST be met
7920
7851
  "use DNS filtering services on all end-user devices",
@@ -8590,7 +8521,7 @@ export class SafeguardManager {
8590
8521
  title: "Deploy and Maintain Anti-Malware Software",
8591
8522
  description: "Deploy and maintain anti-malware software on all enterprise assets",
8592
8523
  implementationGroup: "IG1",
8593
- assetType: ["devices"],
8524
+ assetType: ["Devices"],
8594
8525
  securityFunction: ["Detect"],
8595
8526
  governanceElements: [ // Orange - MUST be met
8596
8527
  "deploy anti-malware software",
@@ -8703,7 +8634,7 @@ export class SafeguardManager {
8703
8634
  title: "Configure Automatic Anti-Malware Signature Updates",
8704
8635
  description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
8705
8636
  implementationGroup: "IG1",
8706
- assetType: ["devices"],
8637
+ assetType: ["Devices"],
8707
8638
  securityFunction: ["Protect"],
8708
8639
  governanceElements: [ // Orange - MUST be met
8709
8640
  "configure automatic updates",
@@ -8811,7 +8742,7 @@ export class SafeguardManager {
8811
8742
  title: "Disable Autorun and Autoplay for Removable Media",
8812
8743
  description: "Disable autorun and autoplay auto-execute functionality for removable media",
8813
8744
  implementationGroup: "IG1",
8814
- assetType: ["devices"],
8745
+ assetType: ["Devices"],
8815
8746
  securityFunction: ["Protect"],
8816
8747
  governanceElements: [ // Orange - MUST be met
8817
8748
  "disable autorun functionality",
@@ -8924,7 +8855,7 @@ export class SafeguardManager {
8924
8855
  title: "Configure Automatic Anti-Malware Scanning of Removable Media",
8925
8856
  description: "Configure anti-malware software to automatically scan removable media",
8926
8857
  implementationGroup: "IG2",
8927
- assetType: ["devices"],
8858
+ assetType: ["Devices"],
8928
8859
  securityFunction: ["Detect"],
8929
8860
  governanceElements: [ // Orange - MUST be met
8930
8861
  "configure anti-malware software",
@@ -9036,7 +8967,7 @@ export class SafeguardManager {
9036
8967
  title: "Enable Anti-Exploitation Features",
9037
8968
  description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
9038
8969
  implementationGroup: "IG2",
9039
- assetType: ["devices"],
8970
+ assetType: ["Devices"],
9040
8971
  securityFunction: ["Protect"],
9041
8972
  governanceElements: [ // Orange - MUST be met
9042
8973
  "enable anti-exploitation features",
@@ -9150,7 +9081,7 @@ export class SafeguardManager {
9150
9081
  title: "Centrally Manage Anti-Malware Software",
9151
9082
  description: "Centrally manage anti-malware software",
9152
9083
  implementationGroup: "IG2",
9153
- assetType: ["devices"],
9084
+ assetType: ["Devices"],
9154
9085
  securityFunction: ["Protect"],
9155
9086
  governanceElements: [ // Orange - MUST be met
9156
9087
  "centrally manage anti-malware",
@@ -9260,7 +9191,7 @@ export class SafeguardManager {
9260
9191
  title: "Use Behavior-Based Anti-Malware Software",
9261
9192
  description: "Use behavior-based anti-malware software",
9262
9193
  implementationGroup: "IG2",
9263
- assetType: ["devices"],
9194
+ assetType: ["Devices"],
9264
9195
  securityFunction: ["Detect"],
9265
9196
  governanceElements: [ // Orange - MUST be met
9266
9197
  "use behavior-based anti-malware",
@@ -10636,7 +10567,7 @@ export class SafeguardManager {
10636
10567
  title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
10637
10568
  description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
10638
10569
  implementationGroup: "IG2",
10639
- assetType: ["devices"],
10570
+ assetType: ["Devices"],
10640
10571
  securityFunction: ["Protect"],
10641
10572
  governanceElements: [ // Orange - MUST be met
10642
10573
  "require users to authenticate to enterprise-managed VPN",
@@ -10750,7 +10681,7 @@ export class SafeguardManager {
10750
10681
  title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
10751
10682
  description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
10752
10683
  implementationGroup: "IG3",
10753
- assetType: ["devices"],
10684
+ assetType: ["Devices"],
10754
10685
  securityFunction: ["Protect"],
10755
10686
  governanceElements: [ // Orange - MUST be met
10756
10687
  "establish dedicated computing resources for administrative work",
@@ -10866,7 +10797,7 @@ export class SafeguardManager {
10866
10797
  title: "Centralize Security Event Alerting",
10867
10798
  description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
10868
10799
  implementationGroup: "IG2",
10869
- assetType: ["network", "devices"],
10800
+ assetType: ["network", "Devices"],
10870
10801
  securityFunction: ["Detect"],
10871
10802
  governanceElements: [ // Orange - MUST be met
10872
10803
  "centralize security event alerting across enterprise assets",
@@ -10979,7 +10910,7 @@ export class SafeguardManager {
10979
10910
  title: "Deploy a Host-Based Intrusion Detection Solution",
10980
10911
  description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
10981
10912
  implementationGroup: "IG2",
10982
- assetType: ["devices"],
10913
+ assetType: ["Devices"],
10983
10914
  securityFunction: ["Detect"],
10984
10915
  governanceElements: [ // Orange - MUST be met
10985
10916
  "deploy host-based intrusion detection solution",
@@ -11307,7 +11238,7 @@ export class SafeguardManager {
11307
11238
  title: "Manage Access Control for Remote Assets",
11308
11239
  description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
11309
11240
  implementationGroup: "IG2",
11310
- assetType: ["devices", "network"],
11241
+ assetType: ["Devices", "network"],
11311
11242
  securityFunction: ["Protect"],
11312
11243
  governanceElements: [ // Orange - MUST be met
11313
11244
  "manage access control for assets remotely connecting to enterprise networks",
@@ -11529,7 +11460,7 @@ export class SafeguardManager {
11529
11460
  title: "Deploy a Host-Based Intrusion Prevention Solution",
11530
11461
  description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
11531
11462
  implementationGroup: "IG3",
11532
- assetType: ["devices"],
11463
+ assetType: ["Devices"],
11533
11464
  securityFunction: ["Respond"],
11534
11465
  governanceElements: [ // Orange - MUST be met
11535
11466
  "deploy host-based intrusion prevention solution",
@@ -11966,7 +11897,7 @@ export class SafeguardManager {
11966
11897
  title: "Tune Security Event Alerting Thresholds",
11967
11898
  description: "Tune security event alerting thresholds monthly, or more frequently",
11968
11899
  implementationGroup: "IG3",
11969
- assetType: ["network", "devices"],
11900
+ assetType: ["network", "Devices"],
11970
11901
  securityFunction: ["Detect"],
11971
11902
  governanceElements: [ // Orange - MUST be met
11972
11903
  "tune security event alerting thresholds",
@@ -12074,7 +12005,7 @@ export class SafeguardManager {
12074
12005
  title: "Establish and Maintain a Security Awareness Program",
12075
12006
  description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
12076
12007
  implementationGroup: "IG1",
12077
- assetType: ["users"],
12008
+ assetType: ["Users"],
12078
12009
  securityFunction: ["Govern"],
12079
12010
  governanceElements: [ // Orange - MUST be met
12080
12011
  "establish and maintain a security awareness program",
@@ -12190,7 +12121,7 @@ export class SafeguardManager {
12190
12121
  title: "Train Workforce Members to Recognize Social Engineering Attacks",
12191
12122
  description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
12192
12123
  implementationGroup: "IG1",
12193
- assetType: ["users"],
12124
+ assetType: ["Users"],
12194
12125
  securityFunction: ["Protect"],
12195
12126
  governanceElements: [ // Orange - MUST be met
12196
12127
  "train workforce members to recognize social engineering attacks",
@@ -12303,7 +12234,7 @@ export class SafeguardManager {
12303
12234
  title: "Train Workforce Members on Authentication Best Practices",
12304
12235
  description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
12305
12236
  implementationGroup: "IG1",
12306
- assetType: ["users"],
12237
+ assetType: ["Users"],
12307
12238
  securityFunction: ["Protect"],
12308
12239
  governanceElements: [ // Orange - MUST be met
12309
12240
  "train workforce members on authentication best practices",
@@ -12414,7 +12345,7 @@ export class SafeguardManager {
12414
12345
  title: "Train Workforce on Data Handling Best Practices",
12415
12346
  description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
12416
12347
  implementationGroup: "IG1",
12417
- assetType: ["users"],
12348
+ assetType: ["Users"],
12418
12349
  securityFunction: ["Protect"],
12419
12350
  governanceElements: [ // Orange - MUST be met
12420
12351
  "train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
@@ -12533,7 +12464,7 @@ export class SafeguardManager {
12533
12464
  title: "Train Workforce Members on Causes of Unintentional Data Exposure",
12534
12465
  description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
12535
12466
  implementationGroup: "IG1",
12536
- assetType: ["users"],
12467
+ assetType: ["Users"],
12537
12468
  securityFunction: ["Protect"],
12538
12469
  governanceElements: [ // Orange - MUST be met
12539
12470
  "train workforce members to be aware of causes for unintentional data exposure",
@@ -12644,7 +12575,7 @@ export class SafeguardManager {
12644
12575
  title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
12645
12576
  description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
12646
12577
  implementationGroup: "IG1",
12647
- assetType: ["users"],
12578
+ assetType: ["Users"],
12648
12579
  securityFunction: ["Protect"],
12649
12580
  governanceElements: [ // Orange - MUST be met
12650
12581
  "train workforce members to be able to recognize a potential incident",
@@ -12753,7 +12684,7 @@ export class SafeguardManager {
12753
12684
  title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
12754
12685
  description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
12755
12686
  implementationGroup: "IG1",
12756
- assetType: ["users"],
12687
+ assetType: ["Users"],
12757
12688
  securityFunction: ["Protect"],
12758
12689
  governanceElements: [ // Orange - MUST be met
12759
12690
  "train workforce to understand how to verify and report out-of-date software patches",
@@ -12868,7 +12799,7 @@ export class SafeguardManager {
12868
12799
  title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
12869
12800
  description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
12870
12801
  implementationGroup: "IG1",
12871
- assetType: ["users"],
12802
+ assetType: ["Users"],
12872
12803
  securityFunction: ["Protect"],
12873
12804
  governanceElements: [ // Orange - MUST be met
12874
12805
  "train workforce members on dangers of connecting to and transmitting data over insecure networks",
@@ -12982,7 +12913,7 @@ export class SafeguardManager {
12982
12913
  title: "Conduct Role-Specific Security Awareness and Skills Training",
12983
12914
  description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
12984
12915
  implementationGroup: "IG2",
12985
- assetType: ["users"],
12916
+ assetType: ["Users"],
12986
12917
  securityFunction: ["Protect"],
12987
12918
  governanceElements: [ // Orange - MUST be met
12988
12919
  "conduct role-specific security awareness and skills training",
@@ -13094,7 +13025,7 @@ export class SafeguardManager {
13094
13025
  title: "Establish and Maintain an Inventory of Service Providers",
13095
13026
  description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
13096
13027
  implementationGroup: "IG1",
13097
- assetType: ["users"],
13028
+ assetType: ["Users"],
13098
13029
  securityFunction: ["Identify"],
13099
13030
  governanceElements: [ // Orange - MUST be met
13100
13031
  "establish and maintain an inventory of service providers",
@@ -13208,7 +13139,7 @@ export class SafeguardManager {
13208
13139
  title: "Establish and Maintain a Service Provider Management Policy",
13209
13140
  description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
13210
13141
  implementationGroup: "IG2",
13211
- assetType: ["users"],
13142
+ assetType: ["Users"],
13212
13143
  securityFunction: ["Govern"],
13213
13144
  governanceElements: [ // Orange - MUST be met
13214
13145
  "establish and maintain a service provider management policy",
@@ -13327,7 +13258,7 @@ export class SafeguardManager {
13327
13258
  title: "Classify Service Providers",
13328
13259
  description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
13329
13260
  implementationGroup: "IG2",
13330
- assetType: ["users"],
13261
+ assetType: ["Users"],
13331
13262
  securityFunction: ["Govern"],
13332
13263
  governanceElements: [ // Orange - MUST be met
13333
13264
  "classify service providers",
@@ -13444,7 +13375,7 @@ export class SafeguardManager {
13444
13375
  title: "Ensure Service Provider Contracts Include Security Requirements",
13445
13376
  description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
13446
13377
  implementationGroup: "IG2",
13447
- assetType: ["users"],
13378
+ assetType: ["Users"],
13448
13379
  securityFunction: ["Govern"],
13449
13380
  governanceElements: [ // Orange - MUST be met
13450
13381
  "ensure service provider contracts include security requirements",
@@ -13560,7 +13491,7 @@ export class SafeguardManager {
13560
13491
  title: "Assess Service Providers",
13561
13492
  description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
13562
13493
  implementationGroup: "IG3",
13563
- assetType: ["users"],
13494
+ assetType: ["Users"],
13564
13495
  securityFunction: ["Govern"],
13565
13496
  governanceElements: [ // Orange - MUST be met
13566
13497
  "assess service providers consistent with enterprise's service provider management policy",
@@ -14799,7 +14730,7 @@ export class SafeguardManager {
14799
14730
  title: "Train Developers in Application Security Concepts and Secure Coding",
14800
14731
  description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
14801
14732
  implementationGroup: "IG2",
14802
- assetType: ["users"],
14733
+ assetType: ["Users"],
14803
14734
  securityFunction: ["Protect"],
14804
14735
  governanceElements: [ // Orange - MUST be met
14805
14736
  "ensure that all software development personnel receive training in writing secure code",
@@ -15479,7 +15410,7 @@ export class SafeguardManager {
15479
15410
  title: "Designate Personnel to Manage Incident Handling",
15480
15411
  description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15481
15412
  implementationGroup: "IG1",
15482
- assetType: ["users"],
15413
+ assetType: ["Users"],
15483
15414
  securityFunction: ["Respond"],
15484
15415
  governanceElements: [ // Orange - MUST be met
15485
15416
  "designate one key person and at least one backup who will manage the enterprise's incident handling process",
@@ -15591,7 +15522,7 @@ export class SafeguardManager {
15591
15522
  title: "Establish and Maintain Contact Information for Reporting Security Incidents",
15592
15523
  description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
15593
15524
  implementationGroup: "IG1",
15594
- assetType: ["users"],
15525
+ assetType: ["Users"],
15595
15526
  securityFunction: ["Respond"],
15596
15527
  governanceElements: [ // Orange - MUST be met
15597
15528
  "establish and maintain contact information for reporting security incidents",
@@ -15701,7 +15632,7 @@ export class SafeguardManager {
15701
15632
  title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
15702
15633
  description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15703
15634
  implementationGroup: "IG1",
15704
- assetType: ["users"],
15635
+ assetType: ["Users"],
15705
15636
  securityFunction: ["Govern"],
15706
15637
  governanceElements: [ // Orange - MUST be met
15707
15638
  "establish and maintain a documented enterprise process for the workforce to report security incidents",
@@ -15813,7 +15744,7 @@ export class SafeguardManager {
15813
15744
  title: "Establish and Maintain an Incident Response Process",
15814
15745
  description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15815
15746
  implementationGroup: "IG2",
15816
- assetType: ["users"],
15747
+ assetType: ["Users"],
15817
15748
  securityFunction: ["Govern"],
15818
15749
  governanceElements: [ // Orange - MUST be met
15819
15750
  "establish and maintain a documented incident response process",
@@ -15922,7 +15853,7 @@ export class SafeguardManager {
15922
15853
  title: "Assign Key Roles and Responsibilities",
15923
15854
  description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
15924
15855
  implementationGroup: "IG2",
15925
- assetType: ["users"],
15856
+ assetType: ["Users"],
15926
15857
  securityFunction: ["Respond"],
15927
15858
  governanceElements: [ // Orange - MUST be met
15928
15859
  "assign key roles and responsibilities for incident response",
@@ -16034,7 +15965,7 @@ export class SafeguardManager {
16034
15965
  title: "Define Mechanisms for Communicating During Incident Response",
16035
15966
  description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
16036
15967
  implementationGroup: "IG2",
16037
- assetType: ["users"],
15968
+ assetType: ["Users"],
16038
15969
  securityFunction: ["Respond"],
16039
15970
  governanceElements: [ // Orange - MUST be met
16040
15971
  "determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
@@ -16145,7 +16076,7 @@ export class SafeguardManager {
16145
16076
  title: "Conduct Routine Incident Response Exercises",
16146
16077
  description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
16147
16078
  implementationGroup: "IG2",
16148
- assetType: ["users"],
16079
+ assetType: ["Users"],
16149
16080
  securityFunction: ["Recover"],
16150
16081
  governanceElements: [ // Orange - MUST be met
16151
16082
  "plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
@@ -16256,7 +16187,7 @@ export class SafeguardManager {
16256
16187
  title: "Conduct Post-Incident Reviews",
16257
16188
  description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
16258
16189
  implementationGroup: "IG2",
16259
- assetType: ["users"],
16190
+ assetType: ["Users"],
16260
16191
  securityFunction: ["Recover"],
16261
16192
  governanceElements: [ // Orange - MUST be met
16262
16193
  "conduct post-incident reviews"
@@ -16363,7 +16294,7 @@ export class SafeguardManager {
16363
16294
  title: "Establish and Maintain Security Incident Thresholds",
16364
16295
  description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
16365
16296
  implementationGroup: "IG3",
16366
- assetType: ["users"],
16297
+ assetType: ["Users"],
16367
16298
  securityFunction: ["Recover"],
16368
16299
  governanceElements: [ // Orange - MUST be met
16369
16300
  "establish and maintain security incident thresholds",