framework-mcp 2.4.3 → 2.4.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -14
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +126 -195
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +5 -5
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/package.json +2 -2
- package/src/core/safeguard-manager.ts +118 -187
- package/src/interfaces/http/http-server.ts +5 -5
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +2 -2
- package/swagger.json +5 -5
|
@@ -2895,19 +2895,17 @@ export class SafeguardManager {
|
|
|
2895
2895
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
2896
2896
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2897
2897
|
implementationGroup: "IG1",
|
|
2898
|
-
assetType: ["
|
|
2898
|
+
assetType: ["Docuemntation"],
|
|
2899
2899
|
securityFunction: ["Govern"],
|
|
2900
2900
|
governanceElements: [ // Orange - MUST be met
|
|
2901
2901
|
"Establish",
|
|
2902
2902
|
"Maintain",
|
|
2903
|
-
"Documented Secure Configuration Process",
|
|
2904
2903
|
"Review and update documentation",
|
|
2905
2904
|
"Annually",
|
|
2906
2905
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
2907
2906
|
],
|
|
2908
2907
|
coreRequirements: [ // Green - The "what"
|
|
2909
|
-
"documented secure configuration process
|
|
2910
|
-
"documented secure configuration process for software"
|
|
2908
|
+
"documented secure configuration process"
|
|
2911
2909
|
],
|
|
2912
2910
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2913
2911
|
"Enterprise assets",
|
|
@@ -2917,12 +2915,9 @@ export class SafeguardManager {
|
|
|
2917
2915
|
"Portable",
|
|
2918
2916
|
"Non-computing/IoT devices",
|
|
2919
2917
|
"Servers",
|
|
2920
|
-
"OS"
|
|
2921
|
-
"Software"
|
|
2918
|
+
"OS"
|
|
2922
2919
|
],
|
|
2923
2920
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2924
|
-
"Secure Configuration Policy / Process",
|
|
2925
|
-
"Configuration Management Tool"
|
|
2926
2921
|
],
|
|
2927
2922
|
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
|
|
2928
2923
|
systemPromptFull: {
|
|
@@ -3010,25 +3005,22 @@ export class SafeguardManager {
|
|
|
3010
3005
|
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
3011
3006
|
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
3012
3007
|
implementationGroup: "IG1",
|
|
3013
|
-
assetType: ["
|
|
3008
|
+
assetType: ["Documentation"],
|
|
3014
3009
|
securityFunction: ["Govern"],
|
|
3015
3010
|
governanceElements: [ // Orange - MUST be met
|
|
3016
3011
|
"Establish",
|
|
3017
3012
|
"Maintain",
|
|
3018
|
-
"Documented Secure Network Configuration Process",
|
|
3019
3013
|
"Review and update documentation",
|
|
3020
3014
|
"Annually",
|
|
3021
3015
|
"When significant enterprise changes occur that could impact this Safeguard"
|
|
3022
3016
|
],
|
|
3023
3017
|
coreRequirements: [ // Green - The "what"
|
|
3024
|
-
"documented secure configuration process
|
|
3018
|
+
"documented secure configuration process"
|
|
3025
3019
|
],
|
|
3026
3020
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3027
3021
|
"Network devices"
|
|
3028
3022
|
],
|
|
3029
3023
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3030
|
-
"Secure Configuration Policy / Process",
|
|
3031
|
-
"Configuration Management Tool"
|
|
3032
3024
|
],
|
|
3033
3025
|
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
|
|
3034
3026
|
systemPromptFull: {
|
|
@@ -3116,7 +3108,7 @@ export class SafeguardManager {
|
|
|
3116
3108
|
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
3117
3109
|
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
3118
3110
|
implementationGroup: "IG1",
|
|
3119
|
-
assetType: ["
|
|
3111
|
+
assetType: ["Devices"],
|
|
3120
3112
|
securityFunction: ["Protect"],
|
|
3121
3113
|
governanceElements: [ // Orange - MUST be met
|
|
3122
3114
|
"Configure",
|
|
@@ -3124,18 +3116,14 @@ export class SafeguardManager {
|
|
|
3124
3116
|
"Period must not exceed for 2 Minutes"
|
|
3125
3117
|
],
|
|
3126
3118
|
coreRequirements: [ // Green - The "what"
|
|
3127
|
-
"automatic session locking on enterprise assets
|
|
3128
|
-
"general purpose operating systems",
|
|
3129
|
-
"mobile end-user devices"
|
|
3119
|
+
"automatic session locking on enterprise assets"
|
|
3130
3120
|
],
|
|
3131
3121
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3132
|
-
"Automatic Session Locking",
|
|
3133
3122
|
"Period of inactivity",
|
|
3134
3123
|
"General Purpose OSs",
|
|
3135
3124
|
"Mobile end-user devices"
|
|
3136
3125
|
],
|
|
3137
3126
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3138
|
-
"Configuration Management Tool"
|
|
3139
3127
|
],
|
|
3140
3128
|
relatedSafeguards: ["4.1"],
|
|
3141
3129
|
systemPromptFull: {
|
|
@@ -3223,7 +3211,7 @@ export class SafeguardManager {
|
|
|
3223
3211
|
title: "Implement and Manage a Firewall on Servers",
|
|
3224
3212
|
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
3225
3213
|
implementationGroup: "IG1",
|
|
3226
|
-
assetType: ["
|
|
3214
|
+
assetType: ["Devices"],
|
|
3227
3215
|
securityFunction: ["Protect"],
|
|
3228
3216
|
governanceElements: [ // Orange - MUST be met
|
|
3229
3217
|
"Implement",
|
|
@@ -3240,8 +3228,6 @@ export class SafeguardManager {
|
|
|
3240
3228
|
"Virtual Firewall",
|
|
3241
3229
|
"OS Firewall",
|
|
3242
3230
|
"Third Party Firewall",
|
|
3243
|
-
"Firewall",
|
|
3244
|
-
"Configuration Management Tool"
|
|
3245
3231
|
],
|
|
3246
3232
|
relatedSafeguards: ["4.1"],
|
|
3247
3233
|
systemPromptFull: {
|
|
@@ -3329,21 +3315,18 @@ export class SafeguardManager {
|
|
|
3329
3315
|
title: "Implement and Manage a Firewall on End-User Devices",
|
|
3330
3316
|
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
3331
3317
|
implementationGroup: "IG1",
|
|
3332
|
-
assetType: ["
|
|
3318
|
+
assetType: ["Devices"],
|
|
3333
3319
|
securityFunction: ["Protect"],
|
|
3334
3320
|
governanceElements: [ // Orange - MUST be met
|
|
3335
3321
|
"Implement",
|
|
3336
|
-
"Manage"
|
|
3337
|
-
"Default deny rule that drops all traffic",
|
|
3338
|
-
"Except Explicitly Allowed"
|
|
3322
|
+
"Manage"
|
|
3339
3323
|
],
|
|
3340
3324
|
coreRequirements: [ // Green - The "what"
|
|
3341
3325
|
"host-based firewall or port-filtering tool on end-user devices"
|
|
3342
3326
|
],
|
|
3343
3327
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3344
|
-
"
|
|
3345
|
-
"
|
|
3346
|
-
"End User Devices",
|
|
3328
|
+
"Default Deny Rule that drops all traffic",
|
|
3329
|
+
"Except Explicitly Allowed",
|
|
3347
3330
|
"Services",
|
|
3348
3331
|
"Ports"
|
|
3349
3332
|
],
|
|
@@ -3437,7 +3420,7 @@ export class SafeguardManager {
|
|
|
3437
3420
|
title: "Securely Manage Enterprise Assets and Software",
|
|
3438
3421
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
3439
3422
|
implementationGroup: "IG1",
|
|
3440
|
-
assetType: ["
|
|
3423
|
+
assetType: ["Devices"],
|
|
3441
3424
|
securityFunction: ["Protect"],
|
|
3442
3425
|
governanceElements: [ // Orange - MUST be met
|
|
3443
3426
|
"Do not use insecure management protocols",
|
|
@@ -3447,16 +3430,14 @@ export class SafeguardManager {
|
|
|
3447
3430
|
"Securely manage enterprise assets and software"
|
|
3448
3431
|
],
|
|
3449
3432
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3450
|
-
"Securely manage enterprise assets and software"
|
|
3433
|
+
"Securely manage enterprise assets and software",
|
|
3434
|
+
"Do not use insecure management protocols unless operationally essential"
|
|
3451
3435
|
],
|
|
3452
3436
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3453
3437
|
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
3454
3438
|
"Accessing administrative interfaces over secure network protocols",
|
|
3455
|
-
"SSH",
|
|
3456
|
-
"HTTPS",
|
|
3457
|
-
"Telnet (Teletype Network)",
|
|
3458
|
-
"HTTP",
|
|
3459
|
-
"Configuration Management Tool"
|
|
3439
|
+
"SSH instead of TELNET",
|
|
3440
|
+
"HTTPS instead of HTTP",
|
|
3460
3441
|
],
|
|
3461
3442
|
relatedSafeguards: ["4.1", "12.3"],
|
|
3462
3443
|
systemPromptFull: {
|
|
@@ -3544,26 +3525,22 @@ export class SafeguardManager {
|
|
|
3544
3525
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
3545
3526
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
3546
3527
|
implementationGroup: "IG1",
|
|
3547
|
-
assetType: ["
|
|
3528
|
+
assetType: ["Users"],
|
|
3548
3529
|
securityFunction: ["Protect"],
|
|
3549
3530
|
governanceElements: [ // Orange - MUST be met
|
|
3550
3531
|
"Manage"
|
|
3551
3532
|
],
|
|
3552
3533
|
coreRequirements: [ // Green - The "what"
|
|
3553
|
-
"default accounts
|
|
3534
|
+
"default accounts"
|
|
3554
3535
|
],
|
|
3555
3536
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3556
|
-
"Default accounts",
|
|
3557
3537
|
"Enterprise assets",
|
|
3558
|
-
"Software"
|
|
3559
|
-
"Root",
|
|
3560
|
-
"Administrator",
|
|
3561
|
-
"Other pre-configured vendor accounts"
|
|
3538
|
+
"Software"
|
|
3562
3539
|
],
|
|
3563
3540
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3564
|
-
"Disabling",
|
|
3565
|
-
"Unusable",
|
|
3566
|
-
"
|
|
3541
|
+
"Disabling them",
|
|
3542
|
+
"making them Unusable",
|
|
3543
|
+
"Root, Administrator, or other pre-configured vendor accounts"
|
|
3567
3544
|
],
|
|
3568
3545
|
relatedSafeguards: ["4.1"],
|
|
3569
3546
|
systemPromptFull: {
|
|
@@ -3651,25 +3628,23 @@ export class SafeguardManager {
|
|
|
3651
3628
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
3652
3629
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
3653
3630
|
implementationGroup: "IG2",
|
|
3654
|
-
assetType: ["
|
|
3631
|
+
assetType: ["Devices", "Software"],
|
|
3655
3632
|
securityFunction: ["Protect"],
|
|
3656
3633
|
governanceElements: [ // Orange - MUST be met
|
|
3657
3634
|
"Uninstall",
|
|
3658
3635
|
"Disable"
|
|
3659
3636
|
],
|
|
3660
3637
|
coreRequirements: [ // Green - The "what"
|
|
3661
|
-
"unnecessary services
|
|
3638
|
+
"unnecessary services"
|
|
3662
3639
|
],
|
|
3663
3640
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3664
|
-
"Unnecessary Services",
|
|
3665
3641
|
"Enterprise assets",
|
|
3666
|
-
"Software"
|
|
3667
|
-
"Unused file sharing service",
|
|
3668
|
-
"Web application module",
|
|
3669
|
-
"Service function"
|
|
3642
|
+
"Software"
|
|
3670
3643
|
],
|
|
3671
3644
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3672
|
-
"
|
|
3645
|
+
"Unused File Sharing Services",
|
|
3646
|
+
"Web Application Module",
|
|
3647
|
+
"Service Function"
|
|
3673
3648
|
],
|
|
3674
3649
|
relatedSafeguards: ["4.1"],
|
|
3675
3650
|
systemPromptFull: {
|
|
@@ -3757,22 +3732,20 @@ export class SafeguardManager {
|
|
|
3757
3732
|
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
3758
3733
|
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
3759
3734
|
implementationGroup: "IG2",
|
|
3760
|
-
assetType: ["
|
|
3735
|
+
assetType: ["Devices"],
|
|
3761
3736
|
securityFunction: ["Protect"],
|
|
3762
3737
|
governanceElements: [ // Orange - MUST be met
|
|
3763
3738
|
"Configure"
|
|
3764
3739
|
],
|
|
3765
3740
|
coreRequirements: [ // Green - The "what"
|
|
3766
|
-
"trusted DNS servers
|
|
3741
|
+
"trusted DNS servers"
|
|
3767
3742
|
],
|
|
3768
3743
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3769
|
-
"Trusted DNS Servers",
|
|
3770
3744
|
"Enterprise assets"
|
|
3771
3745
|
],
|
|
3772
3746
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3773
3747
|
"Configuring assets to use enterprise-controlled DNS servers",
|
|
3774
|
-
"Reputable externally accessible DNS servers"
|
|
3775
|
-
"Configuration Management Tool"
|
|
3748
|
+
"Reputable externally accessible DNS servers"
|
|
3776
3749
|
],
|
|
3777
3750
|
relatedSafeguards: ["4.1", "8.6", "9.2"],
|
|
3778
3751
|
systemPromptFull: {
|
|
@@ -3860,7 +3833,7 @@ export class SafeguardManager {
|
|
|
3860
3833
|
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
3861
3834
|
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
3862
3835
|
implementationGroup: "IG2",
|
|
3863
|
-
assetType: ["
|
|
3836
|
+
assetType: ["Devices"],
|
|
3864
3837
|
securityFunction: ["Protect"],
|
|
3865
3838
|
governanceElements: [ // Orange - MUST be met
|
|
3866
3839
|
"Enforce",
|
|
@@ -3869,14 +3842,13 @@ export class SafeguardManager {
|
|
|
3869
3842
|
"No more than 10 Failed Authentication Attempts"
|
|
3870
3843
|
],
|
|
3871
3844
|
coreRequirements: [ // Green - The "what"
|
|
3872
|
-
"automatic device lockout
|
|
3845
|
+
"automatic device lockout"
|
|
3873
3846
|
],
|
|
3874
3847
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3875
|
-
"
|
|
3876
|
-
"
|
|
3877
|
-
"
|
|
3878
|
-
"
|
|
3879
|
-
"Tablets and smartphones"
|
|
3848
|
+
"After a Predetermined threshold of local failed authentication attempts",
|
|
3849
|
+
"On Portable end-user devices",
|
|
3850
|
+
"Such as Laptops",
|
|
3851
|
+
"Such as Tablets and smartphones"
|
|
3880
3852
|
],
|
|
3881
3853
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3882
3854
|
"Microsoft® InTune Device Lock",
|
|
@@ -3969,24 +3941,22 @@ export class SafeguardManager {
|
|
|
3969
3941
|
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
3970
3942
|
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
3971
3943
|
implementationGroup: "IG2",
|
|
3972
|
-
assetType: ["
|
|
3944
|
+
assetType: ["Devices"],
|
|
3973
3945
|
securityFunction: ["Protect"],
|
|
3974
3946
|
governanceElements: [ // Orange - MUST be met
|
|
3975
3947
|
"When deemed appropriate"
|
|
3976
3948
|
],
|
|
3977
3949
|
coreRequirements: [ // Green - The "what"
|
|
3978
|
-
"Remotely wipe enterprise data
|
|
3950
|
+
"Remotely wipe enterprise data"
|
|
3979
3951
|
],
|
|
3980
3952
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3981
|
-
"
|
|
3982
|
-
|
|
3953
|
+
"Portable end-user devices"
|
|
3954
|
+
],
|
|
3955
|
+
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3983
3956
|
"Lost devices",
|
|
3984
3957
|
"Stolen devices",
|
|
3985
3958
|
"When an individual no longer supports the enterprise"
|
|
3986
3959
|
],
|
|
3987
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3988
|
-
"Configuration Management Tool"
|
|
3989
|
-
],
|
|
3990
3960
|
relatedSafeguards: ["4.1"],
|
|
3991
3961
|
systemPromptFull: {
|
|
3992
3962
|
|
|
@@ -4073,7 +4043,7 @@ export class SafeguardManager {
|
|
|
4073
4043
|
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
4074
4044
|
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
4075
4045
|
implementationGroup: "IG3",
|
|
4076
|
-
assetType: ["
|
|
4046
|
+
assetType: ["Data"],
|
|
4077
4047
|
securityFunction: ["Protect"],
|
|
4078
4048
|
governanceElements: [ // Orange - MUST be met
|
|
4079
4049
|
"Ensure",
|
|
@@ -4083,17 +4053,12 @@ export class SafeguardManager {
|
|
|
4083
4053
|
"separate enterprise workspaces are used on mobile end-user devices"
|
|
4084
4054
|
],
|
|
4085
4055
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4086
|
-
"
|
|
4087
|
-
"
|
|
4088
|
-
"Enterprise Applications",
|
|
4089
|
-
"Enterprise Data",
|
|
4090
|
-
"Personal Applications",
|
|
4091
|
-
"Personal Data"
|
|
4056
|
+
"Enterprise Applications and Enterprise Data",
|
|
4057
|
+
"Seperate from Personal Applications and Personal Data"
|
|
4092
4058
|
],
|
|
4093
4059
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4094
4060
|
"Apple® Configuration Profile",
|
|
4095
|
-
"AndroidTM Work Profile"
|
|
4096
|
-
"Configuration Management Tool"
|
|
4061
|
+
"AndroidTM Work Profile"
|
|
4097
4062
|
],
|
|
4098
4063
|
relatedSafeguards: ["4.1"],
|
|
4099
4064
|
systemPromptFull: {
|
|
@@ -4181,36 +4146,26 @@ export class SafeguardManager {
|
|
|
4181
4146
|
title: "Establish and Maintain an Inventory of Accounts",
|
|
4182
4147
|
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
4183
4148
|
implementationGroup: "IG1",
|
|
4184
|
-
assetType: ["
|
|
4149
|
+
assetType: ["Users"],
|
|
4185
4150
|
securityFunction: ["Identify"],
|
|
4186
4151
|
governanceElements: [ // Orange - MUST be met
|
|
4187
|
-
"Establish and maintain
|
|
4188
|
-
"
|
|
4189
|
-
"At a minimum, should contain the person's name, username, start/stop dates, and department",
|
|
4152
|
+
"Establish and maintain",
|
|
4153
|
+
"Must include",
|
|
4190
4154
|
"Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
|
|
4191
4155
|
],
|
|
4192
4156
|
coreRequirements: [ // Green - The "what"
|
|
4193
4157
|
"Inventory of Accounts"
|
|
4194
4158
|
],
|
|
4195
4159
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4196
|
-
"Establish",
|
|
4197
|
-
"Maintain",
|
|
4198
|
-
"Validate that all active accounts are authorized",
|
|
4199
|
-
"Recurring schedule",
|
|
4200
|
-
"Must Include",
|
|
4201
|
-
"At a minimum",
|
|
4202
|
-
"Minimum Quarterly",
|
|
4203
|
-
"More Frequently",
|
|
4204
4160
|
"User Accounts",
|
|
4205
4161
|
"Administrator Accounts",
|
|
4162
|
+
"Service Accounts",
|
|
4206
4163
|
"Name",
|
|
4207
4164
|
"Username",
|
|
4208
4165
|
"Start Stop Dates",
|
|
4209
4166
|
"Department"
|
|
4210
4167
|
],
|
|
4211
4168
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4212
|
-
"Account and Access Control Management",
|
|
4213
|
-
"Identity and Access Management Tool"
|
|
4214
4169
|
],
|
|
4215
4170
|
relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"],
|
|
4216
4171
|
systemPromptFull: {
|
|
@@ -4298,25 +4253,19 @@ export class SafeguardManager {
|
|
|
4298
4253
|
title: "Use Unique Passwords",
|
|
4299
4254
|
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
4300
4255
|
implementationGroup: "IG1",
|
|
4301
|
-
assetType: ["
|
|
4256
|
+
assetType: ["Users"],
|
|
4302
4257
|
securityFunction: ["Protect"],
|
|
4303
4258
|
governanceElements: [ // Orange - MUST be met
|
|
4304
|
-
"Use
|
|
4305
|
-
"
|
|
4259
|
+
"Use",
|
|
4260
|
+
"At a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
|
|
4306
4261
|
],
|
|
4307
4262
|
coreRequirements: [ // Green - The "what"
|
|
4308
4263
|
"Unique Passwords"
|
|
4309
4264
|
],
|
|
4310
4265
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4311
|
-
"
|
|
4312
|
-
"At a minimum",
|
|
4313
|
-
"All Enterprise Assets",
|
|
4314
|
-
"8-character password for accounts using MFA",
|
|
4315
|
-
"14-character password for accounts not using MFA"
|
|
4266
|
+
"All Enterprise Assets"
|
|
4316
4267
|
],
|
|
4317
4268
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4318
|
-
"Account and Access Control Management",
|
|
4319
|
-
"Password Management Tool"
|
|
4320
4269
|
],
|
|
4321
4270
|
relatedSafeguards: ["5.1"],
|
|
4322
4271
|
systemPromptFull: {
|
|
@@ -4404,10 +4353,11 @@ export class SafeguardManager {
|
|
|
4404
4353
|
title: "Disable Dormant Accounts",
|
|
4405
4354
|
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
4406
4355
|
implementationGroup: "IG1",
|
|
4407
|
-
assetType: ["
|
|
4356
|
+
assetType: ["Users"],
|
|
4408
4357
|
securityFunction: ["Protect"],
|
|
4409
4358
|
governanceElements: [ // Orange - MUST be met
|
|
4410
|
-
"
|
|
4359
|
+
"after a period of 45 days of inactivity",
|
|
4360
|
+
"where supported"
|
|
4411
4361
|
],
|
|
4412
4362
|
coreRequirements: [ // Green - The "what"
|
|
4413
4363
|
"Dormant Accounts"
|
|
@@ -4419,8 +4369,6 @@ export class SafeguardManager {
|
|
|
4419
4369
|
"Where Supported"
|
|
4420
4370
|
],
|
|
4421
4371
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4422
|
-
"Account and Access Control Management",
|
|
4423
|
-
"Identity and Access Management Tool"
|
|
4424
4372
|
],
|
|
4425
4373
|
relatedSafeguards: ["5.1"],
|
|
4426
4374
|
systemPromptFull: {
|
|
@@ -4508,25 +4456,21 @@ export class SafeguardManager {
|
|
|
4508
4456
|
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
4509
4457
|
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
4510
4458
|
implementationGroup: "IG1",
|
|
4511
|
-
assetType: ["
|
|
4459
|
+
assetType: ["Users"],
|
|
4512
4460
|
securityFunction: ["Protect"],
|
|
4513
4461
|
governanceElements: [ // Orange - MUST be met
|
|
4514
|
-
"Restrict
|
|
4515
|
-
"Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account"
|
|
4462
|
+
"Restrict"
|
|
4516
4463
|
],
|
|
4517
4464
|
coreRequirements: [ // Green - The "what"
|
|
4518
4465
|
"Administrator Privileges",
|
|
4519
4466
|
"Dedicated Admin Accounts"
|
|
4520
4467
|
],
|
|
4521
4468
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4522
|
-
"Restrict",
|
|
4523
4469
|
"Enterprise assets",
|
|
4524
4470
|
"User's primary, non-privileged account",
|
|
4525
4471
|
"General Computing Activities"
|
|
4526
4472
|
],
|
|
4527
4473
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4528
|
-
"Account and Access Control Management",
|
|
4529
|
-
"Identity and Access Management Tool",
|
|
4530
4474
|
"Such as",
|
|
4531
4475
|
"Internet browsing",
|
|
4532
4476
|
"Email",
|
|
@@ -4618,32 +4562,23 @@ export class SafeguardManager {
|
|
|
4618
4562
|
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
4619
4563
|
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
4620
4564
|
implementationGroup: "IG2",
|
|
4621
|
-
assetType: ["
|
|
4565
|
+
assetType: ["Users"],
|
|
4622
4566
|
securityFunction: ["Identify"],
|
|
4623
4567
|
governanceElements: [ // Orange - MUST be met
|
|
4624
|
-
"Establish and maintain
|
|
4625
|
-
"
|
|
4626
|
-
"Perform service account reviews to validate that all active accounts are authorized,
|
|
4568
|
+
"Establish and maintain",
|
|
4569
|
+
"at a minimum, must contain",
|
|
4570
|
+
"Perform service account reviews to validate that all active accounts are authorized",
|
|
4571
|
+
"recurring schedule at a minimum quarterly, or more frequently"
|
|
4627
4572
|
],
|
|
4628
4573
|
coreRequirements: [ // Green - The "what"
|
|
4629
4574
|
"Inventory of Service Accounts"
|
|
4630
4575
|
],
|
|
4631
4576
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4632
|
-
"Establish",
|
|
4633
|
-
"Maintain",
|
|
4634
|
-
"At a Minimum Must Contain",
|
|
4635
|
-
"Perform service account reviews to validate that all active accounts are authorized",
|
|
4636
|
-
"On a recurring schedule",
|
|
4637
4577
|
"Department Owner",
|
|
4638
4578
|
"Review date",
|
|
4639
|
-
"Purpose"
|
|
4640
|
-
"At a minimum quarterly",
|
|
4641
|
-
"More frequently",
|
|
4642
|
-
"Or"
|
|
4579
|
+
"Purpose"
|
|
4643
4580
|
],
|
|
4644
4581
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4645
|
-
"Account and Access Control Management",
|
|
4646
|
-
"Identity and Access Management Tool"
|
|
4647
4582
|
],
|
|
4648
4583
|
relatedSafeguards: ["5.1"],
|
|
4649
4584
|
systemPromptFull: {
|
|
@@ -4731,23 +4666,19 @@ export class SafeguardManager {
|
|
|
4731
4666
|
title: "Centralize Account Management",
|
|
4732
4667
|
description: "Centralize account management through a directory or identity service.",
|
|
4733
4668
|
implementationGroup: "IG2",
|
|
4734
|
-
assetType: ["
|
|
4669
|
+
assetType: ["Users"],
|
|
4735
4670
|
securityFunction: ["Govern"],
|
|
4736
4671
|
governanceElements: [ // Orange - MUST be met
|
|
4737
|
-
"Centralize
|
|
4672
|
+
"Centralize"
|
|
4738
4673
|
],
|
|
4739
4674
|
coreRequirements: [ // Green - The "what"
|
|
4740
4675
|
"Account Management"
|
|
4741
4676
|
],
|
|
4742
4677
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4743
|
-
"Centralize",
|
|
4744
4678
|
"Directory Service",
|
|
4745
|
-
"Identity Service"
|
|
4746
|
-
"Or"
|
|
4679
|
+
"Identity Service"
|
|
4747
4680
|
],
|
|
4748
4681
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4749
|
-
"Account and Access Control Management",
|
|
4750
|
-
"Identity and Access Management Tool"
|
|
4751
4682
|
],
|
|
4752
4683
|
relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"],
|
|
4753
4684
|
systemPromptFull: {
|
|
@@ -4835,7 +4766,7 @@ export class SafeguardManager {
|
|
|
4835
4766
|
title: "Establish an Access Granting Process",
|
|
4836
4767
|
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
4837
4768
|
implementationGroup: "IG1",
|
|
4838
|
-
assetType: ["
|
|
4769
|
+
assetType: ["Users"],
|
|
4839
4770
|
securityFunction: ["Govern"],
|
|
4840
4771
|
governanceElements: [ // Orange - MUST be met
|
|
4841
4772
|
"Establish",
|
|
@@ -4946,7 +4877,7 @@ export class SafeguardManager {
|
|
|
4946
4877
|
title: "Establish an Access Revoking Process",
|
|
4947
4878
|
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
4948
4879
|
implementationGroup: "IG1",
|
|
4949
|
-
assetType: ["
|
|
4880
|
+
assetType: ["Users"],
|
|
4950
4881
|
securityFunction: ["Govern"],
|
|
4951
4882
|
governanceElements: [ // Orange - MUST be met
|
|
4952
4883
|
"Establish",
|
|
@@ -5062,7 +4993,7 @@ export class SafeguardManager {
|
|
|
5062
4993
|
title: "Require MFA for Externally-Exposed Applications",
|
|
5063
4994
|
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
5064
4995
|
implementationGroup: "IG1",
|
|
5065
|
-
assetType: ["
|
|
4996
|
+
assetType: ["Users"],
|
|
5066
4997
|
securityFunction: ["Protect"],
|
|
5067
4998
|
governanceElements: [ // Orange - MUST be met
|
|
5068
4999
|
"Require",
|
|
@@ -5171,7 +5102,7 @@ export class SafeguardManager {
|
|
|
5171
5102
|
title: "Require MFA for Remote Network Access",
|
|
5172
5103
|
description: "Require MFA for remote network access.",
|
|
5173
5104
|
implementationGroup: "IG1",
|
|
5174
|
-
assetType: ["
|
|
5105
|
+
assetType: ["Users"],
|
|
5175
5106
|
securityFunction: ["Protect"],
|
|
5176
5107
|
governanceElements: [ // Orange - MUST be met
|
|
5177
5108
|
"Require",
|
|
@@ -5275,7 +5206,7 @@ export class SafeguardManager {
|
|
|
5275
5206
|
title: "Require MFA for Administrative Access",
|
|
5276
5207
|
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
5277
5208
|
implementationGroup: "IG1",
|
|
5278
|
-
assetType: ["
|
|
5209
|
+
assetType: ["Users"],
|
|
5279
5210
|
securityFunction: ["Protect"],
|
|
5280
5211
|
governanceElements: [ // Orange - MUST be met
|
|
5281
5212
|
"Require",
|
|
@@ -5496,7 +5427,7 @@ export class SafeguardManager {
|
|
|
5496
5427
|
title: "Centralize Access Control",
|
|
5497
5428
|
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
5498
5429
|
implementationGroup: "IG2",
|
|
5499
|
-
assetType: ["
|
|
5430
|
+
assetType: ["Users"],
|
|
5500
5431
|
securityFunction: ["Protect"],
|
|
5501
5432
|
governanceElements: [ // Orange - MUST be met
|
|
5502
5433
|
"Centralize",
|
|
@@ -5608,7 +5539,7 @@ export class SafeguardManager {
|
|
|
5608
5539
|
title: "Define and Maintain Role-Based Access Control",
|
|
5609
5540
|
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
5610
5541
|
implementationGroup: "IG3",
|
|
5611
|
-
assetType: ["
|
|
5542
|
+
assetType: ["Users"],
|
|
5612
5543
|
securityFunction: ["Govern"],
|
|
5613
5544
|
governanceElements: [ // Orange - MUST be met
|
|
5614
5545
|
"Define",
|
|
@@ -5960,7 +5891,7 @@ export class SafeguardManager {
|
|
|
5960
5891
|
title: "Perform Automated Operating System Patch Management",
|
|
5961
5892
|
description: "Perform automated operating system patch management on enterprise assets",
|
|
5962
5893
|
implementationGroup: "IG1",
|
|
5963
|
-
assetType: ["
|
|
5894
|
+
assetType: ["Devices"],
|
|
5964
5895
|
securityFunction: ["Protect"],
|
|
5965
5896
|
governanceElements: [ // Orange - MUST be met
|
|
5966
5897
|
"perform automated OS patch management",
|
|
@@ -6192,7 +6123,7 @@ export class SafeguardManager {
|
|
|
6192
6123
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
6193
6124
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
6194
6125
|
implementationGroup: "IG2",
|
|
6195
|
-
assetType: ["
|
|
6126
|
+
assetType: ["Devices", "Software"],
|
|
6196
6127
|
securityFunction: ["Detect"],
|
|
6197
6128
|
governanceElements: [ // Orange - MUST be met
|
|
6198
6129
|
"perform automated vulnerability scans",
|
|
@@ -6308,7 +6239,7 @@ export class SafeguardManager {
|
|
|
6308
6239
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
6309
6240
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
6310
6241
|
implementationGroup: "IG2",
|
|
6311
|
-
assetType: ["
|
|
6242
|
+
assetType: ["Devices", "Software"],
|
|
6312
6243
|
securityFunction: ["Detect"],
|
|
6313
6244
|
governanceElements: [ // Orange - MUST be met
|
|
6314
6245
|
"perform automated vulnerability scans",
|
|
@@ -7914,7 +7845,7 @@ export class SafeguardManager {
|
|
|
7914
7845
|
title: "Use DNS Filtering Services",
|
|
7915
7846
|
description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
|
|
7916
7847
|
implementationGroup: "IG1",
|
|
7917
|
-
assetType: ["
|
|
7848
|
+
assetType: ["Devices", "network"],
|
|
7918
7849
|
securityFunction: ["Protect"],
|
|
7919
7850
|
governanceElements: [ // Orange - MUST be met
|
|
7920
7851
|
"use DNS filtering services on all end-user devices",
|
|
@@ -8590,7 +8521,7 @@ export class SafeguardManager {
|
|
|
8590
8521
|
title: "Deploy and Maintain Anti-Malware Software",
|
|
8591
8522
|
description: "Deploy and maintain anti-malware software on all enterprise assets",
|
|
8592
8523
|
implementationGroup: "IG1",
|
|
8593
|
-
assetType: ["
|
|
8524
|
+
assetType: ["Devices"],
|
|
8594
8525
|
securityFunction: ["Detect"],
|
|
8595
8526
|
governanceElements: [ // Orange - MUST be met
|
|
8596
8527
|
"deploy anti-malware software",
|
|
@@ -8703,7 +8634,7 @@ export class SafeguardManager {
|
|
|
8703
8634
|
title: "Configure Automatic Anti-Malware Signature Updates",
|
|
8704
8635
|
description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
|
|
8705
8636
|
implementationGroup: "IG1",
|
|
8706
|
-
assetType: ["
|
|
8637
|
+
assetType: ["Devices"],
|
|
8707
8638
|
securityFunction: ["Protect"],
|
|
8708
8639
|
governanceElements: [ // Orange - MUST be met
|
|
8709
8640
|
"configure automatic updates",
|
|
@@ -8811,7 +8742,7 @@ export class SafeguardManager {
|
|
|
8811
8742
|
title: "Disable Autorun and Autoplay for Removable Media",
|
|
8812
8743
|
description: "Disable autorun and autoplay auto-execute functionality for removable media",
|
|
8813
8744
|
implementationGroup: "IG1",
|
|
8814
|
-
assetType: ["
|
|
8745
|
+
assetType: ["Devices"],
|
|
8815
8746
|
securityFunction: ["Protect"],
|
|
8816
8747
|
governanceElements: [ // Orange - MUST be met
|
|
8817
8748
|
"disable autorun functionality",
|
|
@@ -8924,7 +8855,7 @@ export class SafeguardManager {
|
|
|
8924
8855
|
title: "Configure Automatic Anti-Malware Scanning of Removable Media",
|
|
8925
8856
|
description: "Configure anti-malware software to automatically scan removable media",
|
|
8926
8857
|
implementationGroup: "IG2",
|
|
8927
|
-
assetType: ["
|
|
8858
|
+
assetType: ["Devices"],
|
|
8928
8859
|
securityFunction: ["Detect"],
|
|
8929
8860
|
governanceElements: [ // Orange - MUST be met
|
|
8930
8861
|
"configure anti-malware software",
|
|
@@ -9036,7 +8967,7 @@ export class SafeguardManager {
|
|
|
9036
8967
|
title: "Enable Anti-Exploitation Features",
|
|
9037
8968
|
description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
|
|
9038
8969
|
implementationGroup: "IG2",
|
|
9039
|
-
assetType: ["
|
|
8970
|
+
assetType: ["Devices"],
|
|
9040
8971
|
securityFunction: ["Protect"],
|
|
9041
8972
|
governanceElements: [ // Orange - MUST be met
|
|
9042
8973
|
"enable anti-exploitation features",
|
|
@@ -9150,7 +9081,7 @@ export class SafeguardManager {
|
|
|
9150
9081
|
title: "Centrally Manage Anti-Malware Software",
|
|
9151
9082
|
description: "Centrally manage anti-malware software",
|
|
9152
9083
|
implementationGroup: "IG2",
|
|
9153
|
-
assetType: ["
|
|
9084
|
+
assetType: ["Devices"],
|
|
9154
9085
|
securityFunction: ["Protect"],
|
|
9155
9086
|
governanceElements: [ // Orange - MUST be met
|
|
9156
9087
|
"centrally manage anti-malware",
|
|
@@ -9260,7 +9191,7 @@ export class SafeguardManager {
|
|
|
9260
9191
|
title: "Use Behavior-Based Anti-Malware Software",
|
|
9261
9192
|
description: "Use behavior-based anti-malware software",
|
|
9262
9193
|
implementationGroup: "IG2",
|
|
9263
|
-
assetType: ["
|
|
9194
|
+
assetType: ["Devices"],
|
|
9264
9195
|
securityFunction: ["Detect"],
|
|
9265
9196
|
governanceElements: [ // Orange - MUST be met
|
|
9266
9197
|
"use behavior-based anti-malware",
|
|
@@ -10636,7 +10567,7 @@ export class SafeguardManager {
|
|
|
10636
10567
|
title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
|
|
10637
10568
|
description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
|
|
10638
10569
|
implementationGroup: "IG2",
|
|
10639
|
-
assetType: ["
|
|
10570
|
+
assetType: ["Devices"],
|
|
10640
10571
|
securityFunction: ["Protect"],
|
|
10641
10572
|
governanceElements: [ // Orange - MUST be met
|
|
10642
10573
|
"require users to authenticate to enterprise-managed VPN",
|
|
@@ -10750,7 +10681,7 @@ export class SafeguardManager {
|
|
|
10750
10681
|
title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
|
|
10751
10682
|
description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
|
|
10752
10683
|
implementationGroup: "IG3",
|
|
10753
|
-
assetType: ["
|
|
10684
|
+
assetType: ["Devices"],
|
|
10754
10685
|
securityFunction: ["Protect"],
|
|
10755
10686
|
governanceElements: [ // Orange - MUST be met
|
|
10756
10687
|
"establish dedicated computing resources for administrative work",
|
|
@@ -10866,7 +10797,7 @@ export class SafeguardManager {
|
|
|
10866
10797
|
title: "Centralize Security Event Alerting",
|
|
10867
10798
|
description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
|
|
10868
10799
|
implementationGroup: "IG2",
|
|
10869
|
-
assetType: ["network", "
|
|
10800
|
+
assetType: ["network", "Devices"],
|
|
10870
10801
|
securityFunction: ["Detect"],
|
|
10871
10802
|
governanceElements: [ // Orange - MUST be met
|
|
10872
10803
|
"centralize security event alerting across enterprise assets",
|
|
@@ -10979,7 +10910,7 @@ export class SafeguardManager {
|
|
|
10979
10910
|
title: "Deploy a Host-Based Intrusion Detection Solution",
|
|
10980
10911
|
description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
|
|
10981
10912
|
implementationGroup: "IG2",
|
|
10982
|
-
assetType: ["
|
|
10913
|
+
assetType: ["Devices"],
|
|
10983
10914
|
securityFunction: ["Detect"],
|
|
10984
10915
|
governanceElements: [ // Orange - MUST be met
|
|
10985
10916
|
"deploy host-based intrusion detection solution",
|
|
@@ -11307,7 +11238,7 @@ export class SafeguardManager {
|
|
|
11307
11238
|
title: "Manage Access Control for Remote Assets",
|
|
11308
11239
|
description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
|
|
11309
11240
|
implementationGroup: "IG2",
|
|
11310
|
-
assetType: ["
|
|
11241
|
+
assetType: ["Devices", "network"],
|
|
11311
11242
|
securityFunction: ["Protect"],
|
|
11312
11243
|
governanceElements: [ // Orange - MUST be met
|
|
11313
11244
|
"manage access control for assets remotely connecting to enterprise networks",
|
|
@@ -11529,7 +11460,7 @@ export class SafeguardManager {
|
|
|
11529
11460
|
title: "Deploy a Host-Based Intrusion Prevention Solution",
|
|
11530
11461
|
description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
|
|
11531
11462
|
implementationGroup: "IG3",
|
|
11532
|
-
assetType: ["
|
|
11463
|
+
assetType: ["Devices"],
|
|
11533
11464
|
securityFunction: ["Respond"],
|
|
11534
11465
|
governanceElements: [ // Orange - MUST be met
|
|
11535
11466
|
"deploy host-based intrusion prevention solution",
|
|
@@ -11966,7 +11897,7 @@ export class SafeguardManager {
|
|
|
11966
11897
|
title: "Tune Security Event Alerting Thresholds",
|
|
11967
11898
|
description: "Tune security event alerting thresholds monthly, or more frequently",
|
|
11968
11899
|
implementationGroup: "IG3",
|
|
11969
|
-
assetType: ["network", "
|
|
11900
|
+
assetType: ["network", "Devices"],
|
|
11970
11901
|
securityFunction: ["Detect"],
|
|
11971
11902
|
governanceElements: [ // Orange - MUST be met
|
|
11972
11903
|
"tune security event alerting thresholds",
|
|
@@ -12074,7 +12005,7 @@ export class SafeguardManager {
|
|
|
12074
12005
|
title: "Establish and Maintain a Security Awareness Program",
|
|
12075
12006
|
description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
12076
12007
|
implementationGroup: "IG1",
|
|
12077
|
-
assetType: ["
|
|
12008
|
+
assetType: ["Users"],
|
|
12078
12009
|
securityFunction: ["Govern"],
|
|
12079
12010
|
governanceElements: [ // Orange - MUST be met
|
|
12080
12011
|
"establish and maintain a security awareness program",
|
|
@@ -12190,7 +12121,7 @@ export class SafeguardManager {
|
|
|
12190
12121
|
title: "Train Workforce Members to Recognize Social Engineering Attacks",
|
|
12191
12122
|
description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
|
|
12192
12123
|
implementationGroup: "IG1",
|
|
12193
|
-
assetType: ["
|
|
12124
|
+
assetType: ["Users"],
|
|
12194
12125
|
securityFunction: ["Protect"],
|
|
12195
12126
|
governanceElements: [ // Orange - MUST be met
|
|
12196
12127
|
"train workforce members to recognize social engineering attacks",
|
|
@@ -12303,7 +12234,7 @@ export class SafeguardManager {
|
|
|
12303
12234
|
title: "Train Workforce Members on Authentication Best Practices",
|
|
12304
12235
|
description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
|
|
12305
12236
|
implementationGroup: "IG1",
|
|
12306
|
-
assetType: ["
|
|
12237
|
+
assetType: ["Users"],
|
|
12307
12238
|
securityFunction: ["Protect"],
|
|
12308
12239
|
governanceElements: [ // Orange - MUST be met
|
|
12309
12240
|
"train workforce members on authentication best practices",
|
|
@@ -12414,7 +12345,7 @@ export class SafeguardManager {
|
|
|
12414
12345
|
title: "Train Workforce on Data Handling Best Practices",
|
|
12415
12346
|
description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
|
|
12416
12347
|
implementationGroup: "IG1",
|
|
12417
|
-
assetType: ["
|
|
12348
|
+
assetType: ["Users"],
|
|
12418
12349
|
securityFunction: ["Protect"],
|
|
12419
12350
|
governanceElements: [ // Orange - MUST be met
|
|
12420
12351
|
"train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
|
|
@@ -12533,7 +12464,7 @@ export class SafeguardManager {
|
|
|
12533
12464
|
title: "Train Workforce Members on Causes of Unintentional Data Exposure",
|
|
12534
12465
|
description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
|
|
12535
12466
|
implementationGroup: "IG1",
|
|
12536
|
-
assetType: ["
|
|
12467
|
+
assetType: ["Users"],
|
|
12537
12468
|
securityFunction: ["Protect"],
|
|
12538
12469
|
governanceElements: [ // Orange - MUST be met
|
|
12539
12470
|
"train workforce members to be aware of causes for unintentional data exposure",
|
|
@@ -12644,7 +12575,7 @@ export class SafeguardManager {
|
|
|
12644
12575
|
title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
|
|
12645
12576
|
description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
|
|
12646
12577
|
implementationGroup: "IG1",
|
|
12647
|
-
assetType: ["
|
|
12578
|
+
assetType: ["Users"],
|
|
12648
12579
|
securityFunction: ["Protect"],
|
|
12649
12580
|
governanceElements: [ // Orange - MUST be met
|
|
12650
12581
|
"train workforce members to be able to recognize a potential incident",
|
|
@@ -12753,7 +12684,7 @@ export class SafeguardManager {
|
|
|
12753
12684
|
title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
|
|
12754
12685
|
description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
|
|
12755
12686
|
implementationGroup: "IG1",
|
|
12756
|
-
assetType: ["
|
|
12687
|
+
assetType: ["Users"],
|
|
12757
12688
|
securityFunction: ["Protect"],
|
|
12758
12689
|
governanceElements: [ // Orange - MUST be met
|
|
12759
12690
|
"train workforce to understand how to verify and report out-of-date software patches",
|
|
@@ -12868,7 +12799,7 @@ export class SafeguardManager {
|
|
|
12868
12799
|
title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
|
|
12869
12800
|
description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
|
|
12870
12801
|
implementationGroup: "IG1",
|
|
12871
|
-
assetType: ["
|
|
12802
|
+
assetType: ["Users"],
|
|
12872
12803
|
securityFunction: ["Protect"],
|
|
12873
12804
|
governanceElements: [ // Orange - MUST be met
|
|
12874
12805
|
"train workforce members on dangers of connecting to and transmitting data over insecure networks",
|
|
@@ -12982,7 +12913,7 @@ export class SafeguardManager {
|
|
|
12982
12913
|
title: "Conduct Role-Specific Security Awareness and Skills Training",
|
|
12983
12914
|
description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
|
|
12984
12915
|
implementationGroup: "IG2",
|
|
12985
|
-
assetType: ["
|
|
12916
|
+
assetType: ["Users"],
|
|
12986
12917
|
securityFunction: ["Protect"],
|
|
12987
12918
|
governanceElements: [ // Orange - MUST be met
|
|
12988
12919
|
"conduct role-specific security awareness and skills training",
|
|
@@ -13094,7 +13025,7 @@ export class SafeguardManager {
|
|
|
13094
13025
|
title: "Establish and Maintain an Inventory of Service Providers",
|
|
13095
13026
|
description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13096
13027
|
implementationGroup: "IG1",
|
|
13097
|
-
assetType: ["
|
|
13028
|
+
assetType: ["Users"],
|
|
13098
13029
|
securityFunction: ["Identify"],
|
|
13099
13030
|
governanceElements: [ // Orange - MUST be met
|
|
13100
13031
|
"establish and maintain an inventory of service providers",
|
|
@@ -13208,7 +13139,7 @@ export class SafeguardManager {
|
|
|
13208
13139
|
title: "Establish and Maintain a Service Provider Management Policy",
|
|
13209
13140
|
description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13210
13141
|
implementationGroup: "IG2",
|
|
13211
|
-
assetType: ["
|
|
13142
|
+
assetType: ["Users"],
|
|
13212
13143
|
securityFunction: ["Govern"],
|
|
13213
13144
|
governanceElements: [ // Orange - MUST be met
|
|
13214
13145
|
"establish and maintain a service provider management policy",
|
|
@@ -13327,7 +13258,7 @@ export class SafeguardManager {
|
|
|
13327
13258
|
title: "Classify Service Providers",
|
|
13328
13259
|
description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13329
13260
|
implementationGroup: "IG2",
|
|
13330
|
-
assetType: ["
|
|
13261
|
+
assetType: ["Users"],
|
|
13331
13262
|
securityFunction: ["Govern"],
|
|
13332
13263
|
governanceElements: [ // Orange - MUST be met
|
|
13333
13264
|
"classify service providers",
|
|
@@ -13444,7 +13375,7 @@ export class SafeguardManager {
|
|
|
13444
13375
|
title: "Ensure Service Provider Contracts Include Security Requirements",
|
|
13445
13376
|
description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
|
|
13446
13377
|
implementationGroup: "IG2",
|
|
13447
|
-
assetType: ["
|
|
13378
|
+
assetType: ["Users"],
|
|
13448
13379
|
securityFunction: ["Govern"],
|
|
13449
13380
|
governanceElements: [ // Orange - MUST be met
|
|
13450
13381
|
"ensure service provider contracts include security requirements",
|
|
@@ -13560,7 +13491,7 @@ export class SafeguardManager {
|
|
|
13560
13491
|
title: "Assess Service Providers",
|
|
13561
13492
|
description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
|
|
13562
13493
|
implementationGroup: "IG3",
|
|
13563
|
-
assetType: ["
|
|
13494
|
+
assetType: ["Users"],
|
|
13564
13495
|
securityFunction: ["Govern"],
|
|
13565
13496
|
governanceElements: [ // Orange - MUST be met
|
|
13566
13497
|
"assess service providers consistent with enterprise's service provider management policy",
|
|
@@ -14799,7 +14730,7 @@ export class SafeguardManager {
|
|
|
14799
14730
|
title: "Train Developers in Application Security Concepts and Secure Coding",
|
|
14800
14731
|
description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
|
|
14801
14732
|
implementationGroup: "IG2",
|
|
14802
|
-
assetType: ["
|
|
14733
|
+
assetType: ["Users"],
|
|
14803
14734
|
securityFunction: ["Protect"],
|
|
14804
14735
|
governanceElements: [ // Orange - MUST be met
|
|
14805
14736
|
"ensure that all software development personnel receive training in writing secure code",
|
|
@@ -15479,7 +15410,7 @@ export class SafeguardManager {
|
|
|
15479
15410
|
title: "Designate Personnel to Manage Incident Handling",
|
|
15480
15411
|
description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15481
15412
|
implementationGroup: "IG1",
|
|
15482
|
-
assetType: ["
|
|
15413
|
+
assetType: ["Users"],
|
|
15483
15414
|
securityFunction: ["Respond"],
|
|
15484
15415
|
governanceElements: [ // Orange - MUST be met
|
|
15485
15416
|
"designate one key person and at least one backup who will manage the enterprise's incident handling process",
|
|
@@ -15591,7 +15522,7 @@ export class SafeguardManager {
|
|
|
15591
15522
|
title: "Establish and Maintain Contact Information for Reporting Security Incidents",
|
|
15592
15523
|
description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
|
|
15593
15524
|
implementationGroup: "IG1",
|
|
15594
|
-
assetType: ["
|
|
15525
|
+
assetType: ["Users"],
|
|
15595
15526
|
securityFunction: ["Respond"],
|
|
15596
15527
|
governanceElements: [ // Orange - MUST be met
|
|
15597
15528
|
"establish and maintain contact information for reporting security incidents",
|
|
@@ -15701,7 +15632,7 @@ export class SafeguardManager {
|
|
|
15701
15632
|
title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
|
|
15702
15633
|
description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15703
15634
|
implementationGroup: "IG1",
|
|
15704
|
-
assetType: ["
|
|
15635
|
+
assetType: ["Users"],
|
|
15705
15636
|
securityFunction: ["Govern"],
|
|
15706
15637
|
governanceElements: [ // Orange - MUST be met
|
|
15707
15638
|
"establish and maintain a documented enterprise process for the workforce to report security incidents",
|
|
@@ -15813,7 +15744,7 @@ export class SafeguardManager {
|
|
|
15813
15744
|
title: "Establish and Maintain an Incident Response Process",
|
|
15814
15745
|
description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15815
15746
|
implementationGroup: "IG2",
|
|
15816
|
-
assetType: ["
|
|
15747
|
+
assetType: ["Users"],
|
|
15817
15748
|
securityFunction: ["Govern"],
|
|
15818
15749
|
governanceElements: [ // Orange - MUST be met
|
|
15819
15750
|
"establish and maintain a documented incident response process",
|
|
@@ -15922,7 +15853,7 @@ export class SafeguardManager {
|
|
|
15922
15853
|
title: "Assign Key Roles and Responsibilities",
|
|
15923
15854
|
description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
15924
15855
|
implementationGroup: "IG2",
|
|
15925
|
-
assetType: ["
|
|
15856
|
+
assetType: ["Users"],
|
|
15926
15857
|
securityFunction: ["Respond"],
|
|
15927
15858
|
governanceElements: [ // Orange - MUST be met
|
|
15928
15859
|
"assign key roles and responsibilities for incident response",
|
|
@@ -16034,7 +15965,7 @@ export class SafeguardManager {
|
|
|
16034
15965
|
title: "Define Mechanisms for Communicating During Incident Response",
|
|
16035
15966
|
description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
16036
15967
|
implementationGroup: "IG2",
|
|
16037
|
-
assetType: ["
|
|
15968
|
+
assetType: ["Users"],
|
|
16038
15969
|
securityFunction: ["Respond"],
|
|
16039
15970
|
governanceElements: [ // Orange - MUST be met
|
|
16040
15971
|
"determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
|
|
@@ -16145,7 +16076,7 @@ export class SafeguardManager {
|
|
|
16145
16076
|
title: "Conduct Routine Incident Response Exercises",
|
|
16146
16077
|
description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
|
|
16147
16078
|
implementationGroup: "IG2",
|
|
16148
|
-
assetType: ["
|
|
16079
|
+
assetType: ["Users"],
|
|
16149
16080
|
securityFunction: ["Recover"],
|
|
16150
16081
|
governanceElements: [ // Orange - MUST be met
|
|
16151
16082
|
"plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
|
|
@@ -16256,7 +16187,7 @@ export class SafeguardManager {
|
|
|
16256
16187
|
title: "Conduct Post-Incident Reviews",
|
|
16257
16188
|
description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
|
|
16258
16189
|
implementationGroup: "IG2",
|
|
16259
|
-
assetType: ["
|
|
16190
|
+
assetType: ["Users"],
|
|
16260
16191
|
securityFunction: ["Recover"],
|
|
16261
16192
|
governanceElements: [ // Orange - MUST be met
|
|
16262
16193
|
"conduct post-incident reviews"
|
|
@@ -16363,7 +16294,7 @@ export class SafeguardManager {
|
|
|
16363
16294
|
title: "Establish and Maintain Security Incident Thresholds",
|
|
16364
16295
|
description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
16365
16296
|
implementationGroup: "IG3",
|
|
16366
|
-
assetType: ["
|
|
16297
|
+
assetType: ["Users"],
|
|
16367
16298
|
securityFunction: ["Recover"],
|
|
16368
16299
|
governanceElements: [ // Orange - MUST be met
|
|
16369
16300
|
"establish and maintain security incident thresholds",
|