framework-mcp 2.5.6 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (54) hide show
  1. package/README.md +34 -9
  2. package/dist/core/safeguard-manager.js +4 -4
  3. package/dist/core/safeguard-manager.js.map +1 -1
  4. package/dist/index.d.ts +1 -0
  5. package/dist/index.d.ts.map +1 -1
  6. package/dist/index.js.map +1 -1
  7. package/dist/interfaces/http/http-server.js +3 -3
  8. package/dist/interfaces/mcp/mcp-server.js +3 -3
  9. package/dist/shared/types.d.ts +49 -25
  10. package/dist/shared/types.d.ts.map +1 -1
  11. package/dist/shared/types.js.map +1 -1
  12. package/package.json +8 -1
  13. package/swagger.json +9 -77
  14. package/.claude/agents/mcp-developer.md +0 -41
  15. package/.claude/agents/project-orchestrator.md +0 -43
  16. package/.claude/agents/version-consistency-reviewer.md +0 -50
  17. package/.claude/commands/speckit.analyze.md +0 -184
  18. package/.claude/commands/speckit.checklist.md +0 -294
  19. package/.claude/commands/speckit.clarify.md +0 -181
  20. package/.claude/commands/speckit.constitution.md +0 -82
  21. package/.claude/commands/speckit.implement.md +0 -135
  22. package/.claude/commands/speckit.plan.md +0 -89
  23. package/.claude/commands/speckit.specify.md +0 -258
  24. package/.claude/commands/speckit.tasks.md +0 -137
  25. package/.claude/commands/speckit.taskstoissues.md +0 -30
  26. package/.claude/config.json +0 -11
  27. package/.claude_config.json +0 -11
  28. package/.do/app.yaml +0 -78
  29. package/.github/dependabot.yml +0 -15
  30. package/.github/workflows/ci.yml +0 -90
  31. package/.github/workflows/release.yml +0 -30
  32. package/.mcp.json +0 -11
  33. package/.specify/memory/constitution.md +0 -50
  34. package/.specify/scripts/bash/check-prerequisites.sh +0 -166
  35. package/.specify/scripts/bash/common.sh +0 -156
  36. package/.specify/scripts/bash/create-new-feature.sh +0 -297
  37. package/.specify/scripts/bash/setup-plan.sh +0 -61
  38. package/.specify/scripts/bash/update-agent-context.sh +0 -799
  39. package/.specify/templates/agent-file-template.md +0 -28
  40. package/.specify/templates/checklist-template.md +0 -40
  41. package/.specify/templates/plan-template.md +0 -104
  42. package/.specify/templates/spec-template.md +0 -115
  43. package/.specify/templates/tasks-template.md +0 -251
  44. package/examples/example-usage.md +0 -293
  45. package/examples/llm-analysis-patterns.md +0 -553
  46. package/examples/vendors.csv +0 -9
  47. package/examples/vendors.json +0 -32
  48. package/scripts/validate-documentation.sh +0 -150
  49. package/src/core/safeguard-manager.ts +0 -4634
  50. package/src/index.ts +0 -17
  51. package/src/interfaces/http/http-server.ts +0 -262
  52. package/src/interfaces/mcp/mcp-server.ts +0 -165
  53. package/src/shared/types.ts +0 -300
  54. package/tsconfig.json +0 -23
@@ -1,4634 +0,0 @@
1
- import { SafeguardElement, CacheEntry } from '../shared/types.js';
2
-
3
- export class SafeguardManager {
4
- private cache: Map<string, CacheEntry<any>>;
5
- private safeguards: Record<string, SafeguardElement> = {};
6
- private static readonly MAX_CACHE_SIZE = 1000; // Prevent unlimited cache growth
7
- private static readonly CACHE_CLEANUP_INTERVAL = 30 * 60 * 1000; // 30 minutes
8
- private safeguardKeysCache: string[] | null = null; // Pre-computed sorted keys
9
- private lastCleanup: number = 0;
10
-
11
- constructor() {
12
- this.cache = new Map();
13
- this.initializeSafeguards();
14
- this.precomputeSafeguardKeys();
15
- }
16
-
17
- public getSafeguardDetails(safeguardId: string, includeExamples: boolean = false): SafeguardElement | null {
18
- // Check cache first
19
- const cacheKey = `${safeguardId}_${includeExamples}`;
20
- const cached = this.getCachedSafeguardDetails(cacheKey);
21
- if (cached) {
22
- return cached;
23
- }
24
-
25
- const safeguard = this.safeguards[safeguardId];
26
- if (!safeguard) {
27
- return null;
28
- }
29
-
30
- // Add examples if requested
31
- let result = { ...safeguard };
32
- if (includeExamples) {
33
- result = this.addImplementationExamples(result);
34
- }
35
-
36
- // Cache the result
37
- this.cache.set(cacheKey, {
38
- data: result,
39
- timestamp: Date.now()
40
- });
41
-
42
- return result;
43
- }
44
-
45
- public listAvailableSafeguards(): string[] {
46
- // Use pre-computed sorted keys for optimal performance
47
- if (this.safeguardKeysCache) {
48
- return [...this.safeguardKeysCache]; // Return copy to prevent external modification
49
- }
50
-
51
- // Fallback to original method if pre-computed cache not available
52
- const safeguardList = Object.keys(this.safeguards).sort((a, b) => {
53
- const [aMajor, aMinor] = a.split('.').map(Number);
54
- const [bMajor, bMinor] = b.split('.').map(Number);
55
- return aMajor - bMajor || aMinor - bMinor;
56
- });
57
-
58
- return safeguardList;
59
- }
60
-
61
- public getAllSafeguards(): Record<string, SafeguardElement> {
62
- return { ...this.safeguards };
63
- }
64
-
65
- public validateSafeguardId(safeguardId: string): void {
66
- if (!safeguardId || typeof safeguardId !== 'string') {
67
- throw new Error('Safeguard ID is required and must be a string');
68
- }
69
-
70
- if (!/^[0-9]+\.[0-9]+$/.test(safeguardId)) {
71
- throw new Error('Safeguard ID must be in format "X.Y" (e.g., "1.1", "5.1")');
72
- }
73
-
74
- if (!this.safeguards[safeguardId]) {
75
- const availableSafeguards = this.listAvailableSafeguards();
76
- throw new Error(`Safeguard ${safeguardId} not found. Available safeguards: ${availableSafeguards.join(', ')}`);
77
- }
78
- }
79
-
80
- private getCachedSafeguardDetails(cacheKey: string): SafeguardElement | null {
81
- // Clean up old cache entries periodically
82
- this.performCacheCleanupIfNeeded();
83
-
84
- const cached = this.cache.get(cacheKey);
85
-
86
- if (cached && (Date.now() - cached.timestamp < 5 * 60 * 1000)) { // 5 minute cache
87
- return cached.data;
88
- }
89
-
90
- return null;
91
- }
92
-
93
- private precomputeSafeguardKeys(): void {
94
- // Pre-compute and cache the sorted safeguard keys for optimal listAvailableSafeguards() performance
95
- this.safeguardKeysCache = Object.keys(this.safeguards).sort((a, b) => {
96
- const [aMajor, aMinor] = a.split('.').map(Number);
97
- const [bMajor, bMinor] = b.split('.').map(Number);
98
- return aMajor - bMajor || aMinor - bMinor;
99
- });
100
- }
101
-
102
- private performCacheCleanupIfNeeded(): void {
103
- const now = Date.now();
104
-
105
- // Check if cleanup is needed
106
- if (now - this.lastCleanup < SafeguardManager.CACHE_CLEANUP_INTERVAL &&
107
- this.cache.size < SafeguardManager.MAX_CACHE_SIZE) {
108
- return;
109
- }
110
-
111
- // Remove expired entries
112
- const expiredKeys: string[] = [];
113
- for (const [key, entry] of this.cache.entries()) {
114
- if (now - entry.timestamp > 5 * 60 * 1000) { // 5 minute expiry
115
- expiredKeys.push(key);
116
- }
117
- }
118
-
119
- for (const key of expiredKeys) {
120
- this.cache.delete(key);
121
- }
122
-
123
- // If still too many entries, remove oldest ones
124
- if (this.cache.size > SafeguardManager.MAX_CACHE_SIZE) {
125
- const sortedEntries = Array.from(this.cache.entries())
126
- .sort((a, b) => a[1].timestamp - b[1].timestamp);
127
-
128
- const entriesToRemove = sortedEntries.slice(0, this.cache.size - SafeguardManager.MAX_CACHE_SIZE);
129
- for (const [key] of entriesToRemove) {
130
- this.cache.delete(key);
131
- }
132
- }
133
-
134
- this.lastCleanup = now;
135
- }
136
-
137
- /**
138
- * Get cache statistics for monitoring and debugging
139
- */
140
- public getCacheStats(): { size: number; lastCleanup: number } {
141
- return {
142
- size: this.cache.size,
143
- lastCleanup: this.lastCleanup
144
- };
145
- }
146
-
147
- /**
148
- * Clear the cache manually if needed
149
- */
150
- public clearCache(): void {
151
- this.cache.clear();
152
- this.lastCleanup = Date.now();
153
- }
154
-
155
- private addImplementationExamples(safeguard: SafeguardElement): SafeguardElement {
156
- // Add implementation examples based on safeguard type
157
- const examples = this.getImplementationExamples(safeguard.id);
158
-
159
- return {
160
- ...safeguard,
161
- implementationSuggestions: [
162
- ...safeguard.implementationSuggestions,
163
- ...examples
164
- ]
165
- };
166
- }
167
-
168
- private getImplementationExamples(safeguardId: string): string[] {
169
- const exampleMap: Record<string, string[]> = {
170
- "1.1": [
171
- "Example: Use Lansweeper for automated asset discovery",
172
- "Example: Implement ServiceNow CMDB for centralized tracking",
173
- "Example: Deploy Microsoft SCCM for Windows asset management"
174
- ],
175
- "5.1": [
176
- "Example: Use Azure AD for centralized account management",
177
- "Example: Implement Okta for identity lifecycle management",
178
- "Example: Deploy JumpCloud for directory services"
179
- ],
180
- "6.3": [
181
- "Example: Enable Azure MFA for all external applications",
182
- "Example: Implement Duo Security for multi-factor authentication",
183
- "Example: Use Google Workspace SSO with MFA enforcement"
184
- ],
185
- "7.1": [
186
- "Example: Establish Nessus vulnerability scanning schedule",
187
- "Example: Implement Qualys VMDR for continuous monitoring",
188
- "Example: Use Rapid7 InsightVM for vulnerability management"
189
- ]
190
- };
191
-
192
- return exampleMap[safeguardId] || [];
193
- }
194
-
195
- private initializeSafeguards(): void {
196
- this.safeguards = {
197
- "1.1": {
198
- id: "1.1",
199
- title: "Establish and Maintain a Detailed Enterprise Asset Inventory",
200
- description: "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.",
201
- implementationGroup: "IG1",
202
- assetType: ["Devices"],
203
- securityFunction: ["Identify"],
204
- governanceElements: [ // Orange - MUST be met
205
- "Establish",
206
- "Maintain",
207
- "Review and update the inventory of all enterprise assets bi-annually, or more frequently"
208
- ],
209
- coreRequirements: [ // Green - The "what"
210
- "Asset inventory of all enterprise assets with the potential to store or process data"
211
- ],
212
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
213
- "Network Address (IF STATIC)",
214
- "Hardware Address",
215
- "Machine Name",
216
- "Enterprise asset owner",
217
- "Department for each asset",
218
- "Asset has been approved to connect to the network",
219
- "End-User Devices",
220
- "Mobile",
221
- "Portable",
222
- "Network Devices",
223
- "IOT Devices",
224
- "Servers",
225
- "Connected to Infrastructure",
226
- "Physically",
227
- "Virtually",
228
- "Remotely",
229
- "Those within cloud environments",
230
- "Regularly Connected Devices - NOT Under Control of Enterprise",
231
- "Detailed",
232
- "Accurate",
233
- "Up-to-date",
234
- "Potential to store or process data"
235
- ],
236
- implementationSuggestions: [ // Gray - Implementation suggestions
237
- "For mobile end-user devices, MDM type tools can support this process, where appropriate"
238
- ],
239
- relatedSafeguards: ["1.2", "1.3", "1.4", "1.5", "2.1", "3.2", "4.1", "5.1"] },
240
- "1.2": {
241
- id: "1.2",
242
- title: "Address Unauthorized Assets",
243
- description: "Ensure that a process exists to address unauthorized assets on a weekly basis",
244
- implementationGroup: "IG1",
245
- assetType: ["Devices"],
246
- securityFunction: ["Respond"],
247
- governanceElements: [ // Orange - MUST be met
248
- "Ensure that a process exists to address unauthorized assets on a weekly basis"
249
- ],
250
- coreRequirements: [ // Green - The "what"
251
- "Address Unauthorized Assets"
252
- ],
253
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
254
- "Address Unauthorized Assets"
255
- ],
256
- implementationSuggestions: [ // Gray - Implementation suggestions
257
- "The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset"
258
- ],
259
- relatedSafeguards: ["1.1", "1.3"] },
260
- "1.3": {
261
- id: "1.3",
262
- title: "Utilize an Active Discovery Tool",
263
- description: "Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.",
264
- implementationGroup: "IG2",
265
- assetType: ["Devices"],
266
- securityFunction: ["Detect"],
267
- governanceElements: [ // Orange - MUST be met
268
- "Utilize an active discovery tool",
269
- "Configure the active discovery tool to execute daily, or more frequently"
270
- ],
271
- coreRequirements: [ // Green - The "what"
272
- "Active discovery tool"
273
- ],
274
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
275
- "Utilize",
276
- "Configure",
277
- "Execute daily, or more frequently"
278
- ],
279
- implementationSuggestions: [ // Gray - Implementation suggestions
280
- ],
281
- relatedSafeguards: ["1.1", "1.2", "1.4", "1.5"] },
282
- "1.4": {
283
- id: "1.4",
284
- title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory",
285
- description: "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.",
286
- implementationGroup: "IG2",
287
- assetType: ["Devices"],
288
- securityFunction: ["Identify"],
289
- governanceElements: [ // Orange - MUST be met
290
- "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory",
291
- "Review and use logs to update the enterprise's asset inventory weekly, or more frequently"
292
- ],
293
- coreRequirements: [ // Green - The "what"
294
- "DHCP Logging on all DHCP servers",
295
- "Or IPAM",
296
- "This is an OR of the two above, but can be in conjunction"
297
- ],
298
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
299
- "Review and Use Logs",
300
- "Update asset inventory"
301
- ],
302
- implementationSuggestions: [ // Gray - Implementation suggestions
303
- ],
304
- relatedSafeguards: ["1.1", "1.2", "1.3", "1.5"] },
305
- "1.5": {
306
- id: "1.5",
307
- title: "Use a Passive Asset Discovery Tool",
308
- description: "Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.",
309
- implementationGroup: "IG3",
310
- assetType: ["Devices"],
311
- securityFunction: ["Detect"],
312
- governanceElements: [ // Orange - MUST be met
313
- "Use a passive discovery tool to identify assets connected to the enterprise's network",
314
- "Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently"
315
- ],
316
- coreRequirements: [ // Green - The "what"
317
- "Passive Discovery Tool"
318
- ],
319
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
320
- "Review and Use scans",
321
- "Update asset inventory"
322
- ],
323
- implementationSuggestions: [ // Gray - Implementation suggestions
324
- ],
325
- relatedSafeguards: ["1.1", "1.2", "1.3", "1.4"] },
326
- "2.1": {
327
- id: "2.1",
328
- title: "Establish and Maintain a Software Inventory",
329
- description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.",
330
- implementationGroup: "IG1",
331
- assetType: ["Software"],
332
- securityFunction: ["Identify"],
333
- governanceElements: [ // Orange - MUST be met
334
- "Establish a Software Inventory",
335
- "The software inventory must document the sub-taxonomical elements, where appropriate",
336
- "Review and update the software inventory bi-annually, or more frequently - AKA Maintain"
337
- ],
338
- coreRequirements: [ // Green - The "what"
339
- "Detailed inventory of all licensed software"
340
- ],
341
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
342
- "Title",
343
- "Publisher",
344
- "Initial Install / Use Date",
345
- "Business Purpose",
346
- "URL",
347
- "App Store(s)",
348
- "App Version(s)",
349
- "Deployment mechanism",
350
- "Decomm. Date"
351
- ],
352
- implementationSuggestions: [ // Gray - Implementation suggestions
353
- ],
354
- relatedSafeguards: ["1.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7"] },
355
- "2.2": {
356
- id: "2.2",
357
- title: "Ensure That Only Currently Supported Software Is Designated as Authorized",
358
- description: "Ensure that only currently supported software is designated as authorized in the software inventory",
359
- implementationGroup: "IG1",
360
- assetType: ["Software"],
361
- securityFunction: ["Identify"],
362
- governanceElements: [ // Orange - MUST be met
363
- "Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
364
- ],
365
- coreRequirements: [ // Green - The "what"
366
- "Currently supported software",
367
- "Authorized in the software inventory"
368
- ],
369
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
370
- "Determine if Authorized Software Is Currently Supported",
371
- "Determine Necessity for Business",
372
- "Document Exception detailing mitigating controls IF Unsupported",
373
- "Document Residual risk acceptance IF Unsupported"
374
- ],
375
- implementationSuggestions: [ // Gray - Implementation suggestions
376
- ],
377
- relatedSafeguards: ["2.1", "2.3", "2.4", "2.5", "2.6", "2.7"] },
378
- "2.3": {
379
- id: "2.3",
380
- title: "Address Unauthorized Software",
381
- description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
382
- implementationGroup: "IG1",
383
- assetType: ["Software"],
384
- securityFunction: ["Respond"],
385
- governanceElements: [ // Orange - MUST be met
386
- "Ensure",
387
- "Review monthly, or more frequently"
388
- ],
389
- coreRequirements: [ // Green - The "what"
390
- "unauthorized software is either removed from use on enterprise assets or receives a documented exception"
391
- ],
392
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
393
- "Address Unauthorized Software",
394
- "Remove from use",
395
- "Document Exception"
396
- ],
397
- implementationSuggestions: [ // Gray - Implementation suggestions
398
- ],
399
- relatedSafeguards: ["2.1", "2.2", "2.4", "2.5", "2.6", "2.7"] },
400
- "2.4": {
401
- id: "2.4",
402
- title: "Utilize Automated Software Inventory Tools",
403
- description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
404
- implementationGroup: "IG2",
405
- assetType: ["Software"],
406
- securityFunction: ["Detect"],
407
- governanceElements: [ // Orange - MUST be met
408
- "Utilize",
409
- "when possible"
410
- ],
411
- coreRequirements: [ // Green - The "what"
412
- "software inventory tools"
413
- ],
414
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
415
- "Automate Discovery",
416
- "Automate Documentation",
417
- "Installed Software"
418
- ],
419
- implementationSuggestions: [ // Gray - Implementation suggestions
420
- ],
421
- relatedSafeguards: ["2.1", "2.2", "2.3", "2.5", "2.6", "2.7"] },
422
- "2.5": {
423
- id: "2.5",
424
- title: "Allowlist Authorized Software",
425
- description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
426
- implementationGroup: "IG2",
427
- assetType: ["Software"],
428
- securityFunction: ["Protect"],
429
- governanceElements: [ // Orange - MUST be met
430
- "Use",
431
- "Ensure",
432
- "Reassess bi-annually, or more frequently"
433
- ],
434
- coreRequirements: [ // Green - The "what"
435
- "technical controls",
436
- "only authorized software can execute or be accessed"
437
- ],
438
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
439
- "Technical Controls",
440
- "Allow software to Execute",
441
- "Allow software to be Accessed"
442
- ],
443
- implementationSuggestions: [ // Gray - Implementation suggestions
444
- "Application Allowlisting"
445
- ],
446
- relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.6", "2.7"] },
447
- "2.6": {
448
- id: "2.6",
449
- title: "Allowlist Authorized Libraries",
450
- description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
451
- implementationGroup: "IG2",
452
- assetType: ["Software"],
453
- securityFunction: ["Protect"],
454
- governanceElements: [ // Orange - MUST be met
455
- "Use",
456
- "Ensure",
457
- "Reassess bi-annually, or more frequently"
458
- ],
459
- coreRequirements: [ // Green - The "what"
460
- "only authorized software libraries",
461
- "are allowed to load into a system process"
462
- ],
463
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
464
- "Technical Controls",
465
- "Block unauthorized libraries from loading into a system process"
466
- ],
467
- implementationSuggestions: [ // Gray - Implementation suggestions
468
- "Specific .dll files",
469
- "Specific .ocx files",
470
- "Specific .so files"
471
- ],
472
- relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.7"] },
473
- "2.7": {
474
- id: "2.7",
475
- title: "Allowlist Authorized Scripts",
476
- description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
477
- implementationGroup: "IG3",
478
- assetType: ["Software"],
479
- securityFunction: ["Protect"],
480
- governanceElements: [ // Orange - MUST be met
481
- "Use",
482
- "Ensure",
483
- "Reassess bi-annually, or more frequently"
484
- ],
485
- coreRequirements: [ // Green - The "what"
486
- "only authorized files are allowed to execute"
487
- ],
488
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
489
- "Technical Controls",
490
- "Block unauthorized scripts from executing",
491
- ],
492
- implementationSuggestions: [ // Gray - Implementation suggestions
493
- "Digital signatures",
494
- "Version control",
495
- "Specific .ps1 files",
496
- "Specific .py files"
497
- ],
498
- relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6"] },
499
- "3.1": {
500
- id: "3.1",
501
- title: "Establish and Maintain a Data Management Process",
502
- description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
503
- implementationGroup: "IG1",
504
- assetType: ["Data"],
505
- securityFunction: ["Govern"],
506
- governanceElements: [ // Orange - MUST be met
507
- "Establish",
508
- "Maintain",
509
- "Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
510
- ],
511
- coreRequirements: [ // Green - The "what"
512
- "documented data management process"
513
- ],
514
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
515
- "Data Sensitivity",
516
- "Data Owner",
517
- "Data Handling",
518
- "Data Retention Limits",
519
- "Disposal Requirements",
520
- "Retention Standards"
521
- ],
522
- implementationSuggestions: [ // Gray - Implementation suggestions
523
- ],
524
- relatedSafeguards: ["3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] },
525
- "3.2": {
526
- id: "3.2",
527
- title: "Establish and Maintain a Data Inventory",
528
- description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
529
- implementationGroup: "IG1",
530
- assetType: ["Data"],
531
- securityFunction: ["Identify"],
532
- governanceElements: [ // Orange - MUST be met
533
- "Establish",
534
- "Maintain",
535
- "Review and update inventory annually, at a minimum, with a priority on sensitive data"
536
- ],
537
- coreRequirements: [ // Green - The "what"
538
- "data inventory"
539
- ],
540
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
541
- "Based on Data Management process",
542
- "Sensitive Data at a Minimum"
543
- ],
544
- implementationSuggestions: [ // Gray - Implementation suggestions
545
- ],
546
- relatedSafeguards: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] },
547
- "3.3": {
548
- id: "3.3",
549
- title: "Configure Data Access Control Lists",
550
- description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
551
- implementationGroup: "IG1",
552
- assetType: ["Data"],
553
- securityFunction: ["Protect"],
554
- governanceElements: [ // Orange - MUST be met
555
- "Configure"
556
- ],
557
- coreRequirements: [ // Green - The "what"
558
- "data access control lists"
559
- ],
560
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
561
- "Data Access control lists",
562
- "Based on \"Need to Know\"",
563
- "ACLS - \"aka\" Access Permissions",
564
- "Local",
565
- "Remote File Systems",
566
- "Software",
567
- "Databases"
568
- ],
569
- implementationSuggestions: [ // Gray - Implementation suggestions
570
- ],
571
- relatedSafeguards: ["3.1", "3.2", "3.4", "3.5", "3.6", "5.1", "6.1", "6.2"] },
572
- "3.4": {
573
- id: "3.4",
574
- title: "Enforce Data Retention",
575
- description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
576
- implementationGroup: "IG1",
577
- assetType: ["Data"],
578
- securityFunction: ["Protect"],
579
- governanceElements: [ // Orange - MUST be met
580
- "Retain",
581
- "Enforce",
582
- "must include both minimum and maximum timelines"
583
- ],
584
- coreRequirements: [ // Green - The "what"
585
- "data according to the enterprise's documented data management process",
586
- "Data retention"
587
- ],
588
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
589
- "Data Retention",
590
- "Minimum Timelines",
591
- "Maximum timelines"
592
- ],
593
- implementationSuggestions: [ // Gray - Implementation suggestions
594
- ],
595
- relatedSafeguards: ["3.1", "3.2", "3.5", "3.6", "3.10"] },
596
- "3.5": {
597
- id: "3.5",
598
- title: "Securely Dispose of Data",
599
- description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
600
- implementationGroup: "IG1",
601
- assetType: ["Data"],
602
- securityFunction: ["Protect"],
603
- governanceElements: [ // Orange - MUST be met
604
- "Disposal process and method are commensurate with the data sensitivity",
605
- "Ensure"
606
- ],
607
- coreRequirements: [ // Green - The "what"
608
- "Securely Dispose of Data"
609
- ],
610
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
611
- "Securely dispose of Data"
612
- ],
613
- implementationSuggestions: [ // Gray - Implementation suggestions
614
- ],
615
- relatedSafeguards: ["3.1", "3.2", "3.4", "3.6", "3.10"] },
616
- "3.6": {
617
- id: "3.6",
618
- title: "Encrypt Data on End-User Devices",
619
- description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
620
- implementationGroup: "IG1",
621
- assetType: ["Data"],
622
- securityFunction: ["Protect"],
623
- governanceElements: [ // Orange - MUST be met
624
- "Encrypt"
625
- ],
626
- coreRequirements: [ // Green - The "what"
627
- "data on end-user devices"
628
- ],
629
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
630
- "Data on end-user devices",
631
- "that contain Sensitive data"
632
- ],
633
- implementationSuggestions: [ // Gray - Implementation suggestions
634
- "Windows Bitlocker",
635
- "Apple FileVault",
636
- "Linux dm-crypt"
637
- ],
638
- relatedSafeguards: ["1.1", "3.1", "3.2", "3.7", "3.8", "3.9", "3.11"] },
639
- "3.7": {
640
- id: "3.7",
641
- title: "Establish and Maintain a Data Classification Scheme",
642
- description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
643
- implementationGroup: "IG2",
644
- assetType: ["Data"],
645
- securityFunction: ["Identify"],
646
- governanceElements: [ // Orange - MUST be met
647
- "Establish",
648
- "Maintain",
649
- "Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
650
- ],
651
- coreRequirements: [ // Green - The "what"
652
- "data classification scheme"
653
- ],
654
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
655
- "Classify their data according to labels"
656
- ],
657
- implementationSuggestions: [ // Gray - Implementation suggestions
658
- "Sensitive",
659
- "Confidential",
660
- "Public"
661
- ],
662
- relatedSafeguards: ["3.1", "3.2", "3.3", "3.8", "3.9", "3.10", "3.11", "3.12"] },
663
- "3.8": {
664
- id: "3.8",
665
- title: "Document Data Flows",
666
- description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
667
- implementationGroup: "IG2",
668
- assetType: ["Data"],
669
- securityFunction: ["Identify"],
670
- governanceElements: [ // Orange - MUST be met
671
- "Document data flows"
672
- ],
673
- coreRequirements: [ // Green - The "what"
674
- "Document Data Flows"
675
- ],
676
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
677
- "Enterprise Data Flows",
678
- "Service Provider Data Flows"
679
- ],
680
- implementationSuggestions: [ // Gray - Implementation suggestions
681
- ],
682
- relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"] },
683
- "3.9": {
684
- id: "3.9",
685
- title: "Encrypt Data on Removable Media",
686
- description: "Encrypt Data on Removable Media",
687
- implementationGroup: "IG2",
688
- assetType: ["Data"],
689
- securityFunction: ["Protect"],
690
- governanceElements: [ // Orange - MUST be met
691
- "Encrypt"
692
- ],
693
- coreRequirements: [ // Green - The "what"
694
- "Encrypt Data on Removable Media"
695
- ],
696
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
697
- "Data on Removable Media",
698
- ],
699
- implementationSuggestions: [ // Gray - Implementation suggestions
700
- ],
701
- relatedSafeguards: ["3.1", "3.6", "3.7", "3.10", "3.11"] },
702
- "3.10": {
703
- id: "3.10",
704
- title: "Encrypt Sensitive Data in Transit",
705
- description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
706
- implementationGroup: "IG2",
707
- assetType: ["Data"],
708
- securityFunction: ["Protect"],
709
- governanceElements: [ // Orange - MUST be met
710
- "Encrypt"
711
- ],
712
- coreRequirements: [ // Green - The "what"
713
- "Encrypt sensitive data in transit"
714
- ],
715
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
716
- "Sensitive data in transit"
717
- ],
718
- implementationSuggestions: [ // Gray - Implementation suggestions
719
- "TLS",
720
- "OpenSSH"
721
- ],
722
- relatedSafeguards: ["3.1", "3.7", "3.8", "3.11", "13.1", "13.2"] },
723
- "3.11": {
724
- id: "3.11",
725
- title: "Encrypt Sensitive Data at Rest",
726
- description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
727
- implementationGroup: "IG2",
728
- assetType: ["Data"],
729
- securityFunction: ["Protect"],
730
- governanceElements: [ // Orange - MUST be met
731
- "Encrypt",
732
- "Minimum Requirement"
733
- ],
734
- coreRequirements: [ // Green - The "what"
735
- "Encrypt sensitive data at rest"
736
- ],
737
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
738
- "Sensitive Data At Rest",
739
- "Servers",
740
- "Applications",
741
- "Databases",
742
- "Storage Layer (server side) encryption"
743
- ],
744
- implementationSuggestions: [ // Gray - Implementation suggestions
745
- "Application layer (client-side) encryption",
746
- "Where access to the data storage device(s) does not permit access to the plain-text data"
747
- ],
748
- relatedSafeguards: ["3.1", "3.6", "3.7", "3.9", "3.10", "11.1"] },
749
- "3.12": {
750
- id: "3.12",
751
- title: "Segment Data Processing and Storage Based on Sensitivity",
752
- description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
753
- implementationGroup: "IG2",
754
- assetType: ["Data"],
755
- securityFunction: ["Protect"],
756
- governanceElements: [ // Orange - MUST be met
757
- "Do not process sensitive data on enterprise assets intended for lower sensitivity data"
758
- ],
759
- coreRequirements: [ // Green - The "what"
760
- "Segment Data Processing",
761
- "Segment Data Storage",
762
- "Based on Sensitivity"
763
- ],
764
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
765
- ],
766
- implementationSuggestions: [ // Gray - Implementation suggestions
767
- ],
768
- relatedSafeguards: ["3.1", "3.7", "12.1", "12.2", "12.3"] },
769
- "3.13": {
770
- id: "3.13",
771
- title: "Deploy a Data Loss Prevention Solution",
772
- description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
773
- implementationGroup: "IG3",
774
- assetType: ["Data"],
775
- securityFunction: ["Protect"],
776
- governanceElements: [ // Orange - MUST be met
777
- "Implement"
778
- ],
779
- coreRequirements: [ // Green - The "what"
780
- "automated tool to identify all sensitive data"
781
- ],
782
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
783
- "Identify all sensitive Data",
784
- "Stored",
785
- "Processed",
786
- "Transmitted",
787
- "Onsite Data",
788
- "Remote Service Provider",
789
- "Update Data Inventory"
790
- ],
791
- implementationSuggestions: [ // Gray - Implementation suggestions
792
- "Host-based Data loss Prevention (DLP) tool"
793
- ],
794
- relatedSafeguards: ["3.1", "3.7", "3.8", "3.10", "3.11"] },
795
- "3.14": {
796
- id: "3.14",
797
- title: "Log Sensitive Data Access",
798
- description: "Log sensitive data access, including modification and disposal.",
799
- implementationGroup: "IG3",
800
- assetType: ["Data"],
801
- securityFunction: ["Detect"],
802
- governanceElements: [ // Orange - MUST be met
803
- "Log"
804
- ],
805
- coreRequirements: [ // Green - The "what"
806
- "Log sensitive data access, including modification and disposal"
807
- ],
808
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
809
- ],
810
- implementationSuggestions: [ // Gray - Implementation suggestions
811
- ],
812
- relatedSafeguards: ["3.1", "3.7", "3.8", "8.1", "8.2"] },
813
- "4.1": {
814
- id: "4.1",
815
- title: "Establish and Maintain a Secure Configuration Process",
816
- description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
817
- implementationGroup: "IG1",
818
- assetType: ["Docuemntation"],
819
- securityFunction: ["Govern"],
820
- governanceElements: [ // Orange - MUST be met
821
- "Establish",
822
- "Maintain",
823
- "Review and update documentation",
824
- "Annually",
825
- "When significant enterprise changes occur that could impact this Safeguard"
826
- ],
827
- coreRequirements: [ // Green - The "what"
828
- "documented secure configuration process"
829
- ],
830
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
831
- "Enterprise assets",
832
- "Software",
833
- "End-user devices",
834
- "Mobile",
835
- "Portable",
836
- "Non-computing/IoT devices",
837
- "Servers",
838
- "OS"
839
- ],
840
- implementationSuggestions: [ // Gray - Implementation suggestions
841
- ],
842
- relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"] },
843
- "4.2": {
844
- id: "4.2",
845
- title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
846
- description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
847
- implementationGroup: "IG1",
848
- assetType: ["Documentation"],
849
- securityFunction: ["Govern"],
850
- governanceElements: [ // Orange - MUST be met
851
- "Establish",
852
- "Maintain",
853
- "Review and update documentation",
854
- "Annually",
855
- "When significant enterprise changes occur that could impact this Safeguard"
856
- ],
857
- coreRequirements: [ // Green - The "what"
858
- "documented secure configuration process"
859
- ],
860
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
861
- "Network devices"
862
- ],
863
- implementationSuggestions: [ // Gray - Implementation suggestions
864
- ],
865
- relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"] },
866
- "4.3": {
867
- id: "4.3",
868
- title: "Configure Automatic Session Locking on Enterprise Assets",
869
- description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
870
- implementationGroup: "IG1",
871
- assetType: ["Devices"],
872
- securityFunction: ["Protect"],
873
- governanceElements: [ // Orange - MUST be met
874
- "Configure",
875
- "Period must not exceed for 15 Minutes",
876
- "Period must not exceed for 2 Minutes"
877
- ],
878
- coreRequirements: [ // Green - The "what"
879
- "automatic session locking on enterprise assets"
880
- ],
881
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
882
- "Period of inactivity",
883
- "General Purpose OSs",
884
- "Mobile end-user devices"
885
- ],
886
- implementationSuggestions: [ // Gray - Implementation suggestions
887
- ],
888
- relatedSafeguards: ["4.1"] },
889
- "4.4": {
890
- id: "4.4",
891
- title: "Implement and Manage a Firewall on Servers",
892
- description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
893
- implementationGroup: "IG1",
894
- assetType: ["Devices"],
895
- securityFunction: ["Protect"],
896
- governanceElements: [ // Orange - MUST be met
897
- "Implement",
898
- "Manage",
899
- "Where Supported"
900
- ],
901
- coreRequirements: [ // Green - The "what"
902
- "firewall on servers"
903
- ],
904
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
905
- "Server Firewall"
906
- ],
907
- implementationSuggestions: [ // Gray - Implementation suggestions
908
- "Virtual Firewall",
909
- "OS Firewall",
910
- "Third Party Firewall",
911
- ],
912
- relatedSafeguards: ["4.1"] },
913
- "4.5": {
914
- id: "4.5",
915
- title: "Implement and Manage a Firewall on End-User Devices",
916
- description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
917
- implementationGroup: "IG1",
918
- assetType: ["Devices"],
919
- securityFunction: ["Protect"],
920
- governanceElements: [ // Orange - MUST be met
921
- "Implement",
922
- "Manage"
923
- ],
924
- coreRequirements: [ // Green - The "what"
925
- "host-based firewall or port-filtering tool on end-user devices"
926
- ],
927
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
928
- "Default Deny Rule that drops all traffic",
929
- "Except Explicitly Allowed",
930
- "Services",
931
- "Ports"
932
- ],
933
- implementationSuggestions: [ // Gray - Implementation suggestions
934
- "Firewall",
935
- "Configuration Management Tool"
936
- ],
937
- relatedSafeguards: ["4.1"] },
938
- "4.6": {
939
- id: "4.6",
940
- title: "Securely Manage Enterprise Assets and Software",
941
- description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
942
- implementationGroup: "IG1",
943
- assetType: ["Devices"],
944
- securityFunction: ["Protect"],
945
- governanceElements: [ // Orange - MUST be met
946
- "Do not use insecure management protocols",
947
- "Unless operationally essential"
948
- ],
949
- coreRequirements: [ // Green - The "what"
950
- "Securely manage enterprise assets and software"
951
- ],
952
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
953
- "Securely manage enterprise assets and software",
954
- "Do not use insecure management protocols unless operationally essential"
955
- ],
956
- implementationSuggestions: [ // Gray - Implementation suggestions
957
- "Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
958
- "Accessing administrative interfaces over secure network protocols",
959
- "SSH instead of TELNET",
960
- "HTTPS instead of HTTP",
961
- ],
962
- relatedSafeguards: ["4.1", "12.3"] },
963
- "4.7": {
964
- id: "4.7",
965
- title: "Manage Default Accounts on Enterprise Assets and Software",
966
- description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
967
- implementationGroup: "IG1",
968
- assetType: ["Users"],
969
- securityFunction: ["Protect"],
970
- governanceElements: [ // Orange - MUST be met
971
- "Manage"
972
- ],
973
- coreRequirements: [ // Green - The "what"
974
- "default accounts"
975
- ],
976
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
977
- "Enterprise assets",
978
- "Software"
979
- ],
980
- implementationSuggestions: [ // Gray - Implementation suggestions
981
- "Disabling them",
982
- "making them Unusable",
983
- "Root, Administrator, or other pre-configured vendor accounts"
984
- ],
985
- relatedSafeguards: ["4.1"] },
986
- "4.8": {
987
- id: "4.8",
988
- title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
989
- description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
990
- implementationGroup: "IG2",
991
- assetType: ["Devices", "Software"],
992
- securityFunction: ["Protect"],
993
- governanceElements: [ // Orange - MUST be met
994
- "Uninstall",
995
- "Disable"
996
- ],
997
- coreRequirements: [ // Green - The "what"
998
- "unnecessary services"
999
- ],
1000
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1001
- "Enterprise assets",
1002
- "Software"
1003
- ],
1004
- implementationSuggestions: [ // Gray - Implementation suggestions
1005
- "Unused File Sharing Services",
1006
- "Web Application Module",
1007
- "Service Function"
1008
- ],
1009
- relatedSafeguards: ["4.1"] },
1010
- "4.9": {
1011
- id: "4.9",
1012
- title: "Configure Trusted DNS Servers on Enterprise Assets",
1013
- description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
1014
- implementationGroup: "IG2",
1015
- assetType: ["Devices"],
1016
- securityFunction: ["Protect"],
1017
- governanceElements: [ // Orange - MUST be met
1018
- "Configure"
1019
- ],
1020
- coreRequirements: [ // Green - The "what"
1021
- "trusted DNS servers"
1022
- ],
1023
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1024
- "Enterprise assets"
1025
- ],
1026
- implementationSuggestions: [ // Gray - Implementation suggestions
1027
- "Configuring assets to use enterprise-controlled DNS servers",
1028
- "Reputable externally accessible DNS servers"
1029
- ],
1030
- relatedSafeguards: ["4.1", "8.6", "9.2"] },
1031
- "4.10": {
1032
- id: "4.10",
1033
- title: "Enforce Automatic Device Lockout on Portable End-User Devices",
1034
- description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
1035
- implementationGroup: "IG2",
1036
- assetType: ["Devices"],
1037
- securityFunction: ["Protect"],
1038
- governanceElements: [ // Orange - MUST be met
1039
- "Enforce",
1040
- "Where supported",
1041
- "Do not allow more than 20 Failed Authentication Attempts",
1042
- "No more than 10 Failed Authentication Attempts"
1043
- ],
1044
- coreRequirements: [ // Green - The "what"
1045
- "automatic device lockout"
1046
- ],
1047
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1048
- "After a Predetermined threshold of local failed authentication attempts",
1049
- "On Portable end-user devices",
1050
- "Such as Laptops",
1051
- "Such as Tablets and smartphones"
1052
- ],
1053
- implementationSuggestions: [ // Gray - Implementation suggestions
1054
- "Microsoft® InTune Device Lock",
1055
- "Apple® Configuration Profile maxFailedAttempts",
1056
- "Configuration Management Tool"
1057
- ],
1058
- relatedSafeguards: ["4.1"] },
1059
- "4.11": {
1060
- id: "4.11",
1061
- title: "Enforce Remote Wipe Capability on Portable End-User Devices",
1062
- description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
1063
- implementationGroup: "IG2",
1064
- assetType: ["Devices"],
1065
- securityFunction: ["Protect"],
1066
- governanceElements: [ // Orange - MUST be met
1067
- "When deemed appropriate"
1068
- ],
1069
- coreRequirements: [ // Green - The "what"
1070
- "Remotely wipe enterprise data"
1071
- ],
1072
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1073
- "Portable end-user devices"
1074
- ],
1075
- implementationSuggestions: [ // Gray - Implementation suggestions
1076
- "Lost devices",
1077
- "Stolen devices",
1078
- "When an individual no longer supports the enterprise"
1079
- ],
1080
- relatedSafeguards: ["4.1"] },
1081
- "4.12": {
1082
- id: "4.12",
1083
- title: "Separate Enterprise Workspaces on Mobile End-User Devices",
1084
- description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
1085
- implementationGroup: "IG3",
1086
- assetType: ["Data"],
1087
- securityFunction: ["Protect"],
1088
- governanceElements: [ // Orange - MUST be met
1089
- "Ensure",
1090
- "Where Supported"
1091
- ],
1092
- coreRequirements: [ // Green - The "what"
1093
- "separate enterprise workspaces are used on mobile end-user devices"
1094
- ],
1095
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1096
- "Enterprise Applications and Enterprise Data",
1097
- "Seperate from Personal Applications and Personal Data"
1098
- ],
1099
- implementationSuggestions: [ // Gray - Implementation suggestions
1100
- "Apple® Configuration Profile",
1101
- "AndroidTM Work Profile"
1102
- ],
1103
- relatedSafeguards: ["4.1"] },
1104
- "5.1": {
1105
- id: "5.1",
1106
- title: "Establish and Maintain an Inventory of Accounts",
1107
- description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
1108
- implementationGroup: "IG1",
1109
- assetType: ["Users"],
1110
- securityFunction: ["Identify"],
1111
- governanceElements: [ // Orange - MUST be met
1112
- "Establish and maintain",
1113
- "Must include",
1114
- "Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
1115
- ],
1116
- coreRequirements: [ // Green - The "what"
1117
- "Inventory of Accounts"
1118
- ],
1119
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1120
- "User Accounts",
1121
- "Administrator Accounts",
1122
- "Service Accounts",
1123
- "Name",
1124
- "Username",
1125
- "Start Stop Dates",
1126
- "Department"
1127
- ],
1128
- implementationSuggestions: [ // Gray - Implementation suggestions
1129
- ],
1130
- relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"] },
1131
- "5.2": {
1132
- id: "5.2",
1133
- title: "Use Unique Passwords",
1134
- description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
1135
- implementationGroup: "IG1",
1136
- assetType: ["Users"],
1137
- securityFunction: ["Protect"],
1138
- governanceElements: [ // Orange - MUST be met
1139
- "Use",
1140
- "At a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
1141
- ],
1142
- coreRequirements: [ // Green - The "what"
1143
- "Unique Passwords"
1144
- ],
1145
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1146
- "All Enterprise Assets"
1147
- ],
1148
- implementationSuggestions: [ // Gray - Implementation suggestions
1149
- ],
1150
- relatedSafeguards: ["5.1"] },
1151
- "5.3": {
1152
- id: "5.3",
1153
- title: "Disable Dormant Accounts",
1154
- description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
1155
- implementationGroup: "IG1",
1156
- assetType: ["Users"],
1157
- securityFunction: ["Protect"],
1158
- governanceElements: [ // Orange - MUST be met
1159
- "after a period of 45 days of inactivity",
1160
- "where supported"
1161
- ],
1162
- coreRequirements: [ // Green - The "what"
1163
- "Dormant Accounts"
1164
- ],
1165
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1166
- "Dormant Accounts"
1167
- ],
1168
- implementationSuggestions: [ // Gray - Implementation suggestions
1169
- ],
1170
- relatedSafeguards: ["5.1"] },
1171
- "5.4": {
1172
- id: "5.4",
1173
- title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
1174
- description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
1175
- implementationGroup: "IG1",
1176
- assetType: ["Users"],
1177
- securityFunction: ["Protect"],
1178
- governanceElements: [ // Orange - MUST be met
1179
- "Restrict"
1180
- ],
1181
- coreRequirements: [ // Green - The "what"
1182
- "Administrator Privileges",
1183
- "Dedicated Admin Accounts"
1184
- ],
1185
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1186
- "Enterprise assets",
1187
- "User's primary, non-privileged account",
1188
- "General Computing Activities"
1189
- ],
1190
- implementationSuggestions: [ // Gray - Implementation suggestions
1191
- "Such as",
1192
- "Internet browsing",
1193
- "Email",
1194
- "Productivity suite use"
1195
- ],
1196
- relatedSafeguards: ["4.1", "5.1"] },
1197
- "5.5": {
1198
- id: "5.5",
1199
- title: "Establish and Maintain an Inventory of Service Accounts",
1200
- description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
1201
- implementationGroup: "IG2",
1202
- assetType: ["Users"],
1203
- securityFunction: ["Identify"],
1204
- governanceElements: [ // Orange - MUST be met
1205
- "Establish and maintain",
1206
- "at a minimum, must contain",
1207
- "Perform service account reviews to validate that all active accounts are authorized",
1208
- "recurring schedule at a minimum quarterly, or more frequently"
1209
- ],
1210
- coreRequirements: [ // Green - The "what"
1211
- "Inventory of Service Accounts"
1212
- ],
1213
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1214
- "Department Owner",
1215
- "Review date",
1216
- "Purpose"
1217
- ],
1218
- implementationSuggestions: [ // Gray - Implementation suggestions
1219
- ],
1220
- relatedSafeguards: ["5.1"] },
1221
- "5.6": {
1222
- id: "5.6",
1223
- title: "Centralize Account Management",
1224
- description: "Centralize account management through a directory or identity service.",
1225
- implementationGroup: "IG2",
1226
- assetType: ["Users"],
1227
- securityFunction: ["Govern"],
1228
- governanceElements: [ // Orange - MUST be met
1229
- "Centralize"
1230
- ],
1231
- coreRequirements: [ // Green - The "what"
1232
- "Account Management"
1233
- ],
1234
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1235
- "Directory Service",
1236
- "Identity Service"
1237
- ],
1238
- implementationSuggestions: [ // Gray - Implementation suggestions
1239
- ],
1240
- relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"] },
1241
- "6.1": {
1242
- id: "6.1",
1243
- title: "Establish an Access Granting Process",
1244
- description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
1245
- implementationGroup: "IG1",
1246
- assetType: ["Documentation"],
1247
- securityFunction: ["Govern"],
1248
- governanceElements: [ // Orange - MUST be met
1249
- "Establish",
1250
- "Follow"
1251
- ],
1252
- coreRequirements: [ // Green - The "what"
1253
- "documented process",
1254
- "granting access to enterprise assets"
1255
- ],
1256
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1257
- "upon new hire",
1258
- "role change of a user",
1259
- "Enterprise assets"
1260
- ],
1261
- implementationSuggestions: [ // Gray - Implementation suggestions
1262
- ],
1263
- relatedSafeguards: ["5.1", "6.7", "6.8"] },
1264
- "6.2": {
1265
- id: "6.2",
1266
- title: "Establish an Access Revoking Process",
1267
- description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
1268
- implementationGroup: "IG1",
1269
- assetType: ["Documentation"],
1270
- securityFunction: ["Govern"],
1271
- governanceElements: [ // Orange - MUST be met
1272
- "Establish",
1273
- "Follow",
1274
- "Disabling Accounts, instead of Deleting accounts, may be necessary to preserve audit trails"
1275
- ],
1276
- coreRequirements: [ // Green - The "what"
1277
- "Access Revoking Process"
1278
- ],
1279
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1280
- "Role Change",
1281
- "Termination",
1282
- "Rights revocation",
1283
- "Enterprise assets",
1284
- "Disabling accounts immediately"
1285
- ],
1286
- implementationSuggestions: [ // Gray - Implementation suggestions
1287
- "Preferably Automated"
1288
- ],
1289
- relatedSafeguards: ["5.1", "6.7"] },
1290
- "6.3": {
1291
- id: "6.3",
1292
- title: "Require MFA for Externally-Exposed Applications",
1293
- description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
1294
- implementationGroup: "IG1",
1295
- assetType: ["Users"],
1296
- securityFunction: ["Protect"],
1297
- governanceElements: [ // Orange - MUST be met
1298
- "Require",
1299
- "Enforce",
1300
- "Where Supported"
1301
- ],
1302
- coreRequirements: [ // Green - The "what"
1303
- "all externally-exposed enterprise or third-party applications to enforce MFA",
1304
- "MFA - Multi Factor Authentication"
1305
- ],
1306
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1307
- "MFA for all externally exposed enterprise or third-party applications"
1308
- ],
1309
- implementationSuggestions: [ // Gray - Implementation suggestions
1310
- "Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard"
1311
- ],
1312
- relatedSafeguards: ["2.1", "4.1"] },
1313
- "6.4": {
1314
- id: "6.4",
1315
- title: "Require MFA for Remote Network Access",
1316
- description: "Require MFA for remote network access.",
1317
- implementationGroup: "IG1",
1318
- assetType: ["Users"],
1319
- securityFunction: ["Protect"],
1320
- governanceElements: [ // Orange - MUST be met
1321
- "Require"
1322
- ],
1323
- coreRequirements: [ // Green - The "what"
1324
- "MFA for remote network access"
1325
- ],
1326
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1327
- "MFA for Remote Network Access"
1328
- ],
1329
- implementationSuggestions: [ // Gray - Implementation suggestions
1330
- ],
1331
- relatedSafeguards: ["4.2", "12.7"] },
1332
- "6.5": {
1333
- id: "6.5",
1334
- title: "Require MFA for Administrative Access",
1335
- description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
1336
- implementationGroup: "IG1",
1337
- assetType: ["Users"],
1338
- securityFunction: ["Protect"],
1339
- governanceElements: [ // Orange - MUST be met
1340
- "Require",
1341
- "Where Supported"
1342
- ],
1343
- coreRequirements: [ // Green - The "what"
1344
- "MFA on all administrative access accounts"
1345
- ],
1346
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1347
- "All Admin Access Accounts",
1348
- "All enterprise assets",
1349
- "Onsite Management accounts or Service Provider Admin Accounts"
1350
- ],
1351
- implementationSuggestions: [ // Gray - Implementation suggestions
1352
- ],
1353
- relatedSafeguards: ["4.1"] },
1354
- "6.6": {
1355
- id: "6.6",
1356
- title: "Establish and Maintain an Inventory of Authentication and Authorization Systems",
1357
- description: "Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.",
1358
- implementationGroup: "IG2",
1359
- assetType: ["Software"],
1360
- securityFunction: ["Identify"],
1361
- governanceElements: [ // Orange - MUST be met
1362
- "Establish",
1363
- "maintain",
1364
- "Review and update inventory",
1365
- "At a minimum, monthly or more frequenlty"
1366
- ],
1367
- coreRequirements: [ // Green - The "what"
1368
- "inventory of the enterprise's authentication and authorization systems"
1369
- ],
1370
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1371
- "hosted on-site",
1372
- "hosted at a remote service provider"
1373
- ],
1374
- implementationSuggestions: [ // Gray - Implementation suggestions
1375
- ],
1376
- relatedSafeguards: ["1.1", "2.1", "3.3", "5.6", "6.7"] },
1377
- "6.7": {
1378
- id: "6.7",
1379
- title: "Centralize Access Control",
1380
- description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
1381
- implementationGroup: "IG2",
1382
- assetType: ["Users"],
1383
- securityFunction: ["Protect"],
1384
- governanceElements: [ // Orange - MUST be met
1385
- "Centralize",
1386
- "Where Supported"
1387
- ],
1388
- coreRequirements: [ // Green - The "what"
1389
- "access control"
1390
- ],
1391
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1392
- "through a directory service or SSO provider",
1393
- "Directory Service or SSO Provider",
1394
- "All enterprise assets"
1395
- ],
1396
- implementationSuggestions: [ // Gray - Implementation suggestions
1397
- ],
1398
- relatedSafeguards: ["4.1", "5.1", "5.6", "6.1", "6.2", "6.6", "12.5", "12.7"] },
1399
- "6.8": {
1400
- id: "6.8",
1401
- title: "Define and Maintain Role-Based Access Control",
1402
- description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
1403
- implementationGroup: "IG3",
1404
- assetType: ["Users"],
1405
- securityFunction: ["Govern"],
1406
- governanceElements: [ // Orange - MUST be met
1407
- "Define",
1408
- "maintain",
1409
- "Necessary",
1410
- "Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule",
1411
- "At a mimimum Annually, or more Frequently"
1412
- ],
1413
- coreRequirements: [ // Green - The "what"
1414
- "role-based access control"
1415
- ],
1416
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1417
- "Access rights",
1418
- "Each Role",
1419
- "Neccesary to Successfully carry out its assigned duties",
1420
- "Determining",
1421
- "Documenting"
1422
- ],
1423
- implementationSuggestions: [ // Gray - Implementation suggestions
1424
- ],
1425
- relatedSafeguards: ["3.3", "4.1", "6.1"] },
1426
- "7.1": {
1427
- id: "7.1",
1428
- title: "Establish and Maintain a Vulnerability Management Process",
1429
- description: "Establish and maintain a documented vulnerability management process for enterprise assets",
1430
- implementationGroup: "IG1",
1431
- assetType: ["documentation"],
1432
- securityFunction: ["Govern"],
1433
- governanceElements: [ // Orange - MUST be met
1434
- "Establish",
1435
- "Maintain",
1436
- "review and update documentation annually",
1437
- "update when significant enterprise changes occur"
1438
- ],
1439
- coreRequirements: [ // Green - The "what"
1440
- "vulnerability management process",
1441
- "documented",
1442
- ],
1443
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1444
- "Enterprise Assets"
1445
- ],
1446
- implementationSuggestions: [ // Gray - Implementation suggestions
1447
- ],
1448
- relatedSafeguards: ["1.1", "2.1", "7.2", "7.3", "7.4", "7.5", "7.6", "7.7"] },
1449
- "7.2": {
1450
- id: "7.2",
1451
- title: "Establish and Maintain a Remediation Process",
1452
- description: "Establish and maintain a remediation process and SLA for security vulnerabilities",
1453
- implementationGroup: "IG1",
1454
- assetType: ["Software"],
1455
- securityFunction: ["Respond"],
1456
- governanceElements: [ // Orange - MUST be met
1457
- "establish remediation process",
1458
- "maintain remediation process",
1459
- "SLA for security vulnerabilities",
1460
- "vulnerability remediation governance"
1461
- ],
1462
- coreRequirements: [ // Green - The "what"
1463
- "remediation process",
1464
- "service level agreement",
1465
- "security vulnerability handling",
1466
- "remediation timeline management"
1467
- ],
1468
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1469
- "vulnerability prioritization",
1470
- "remediation timelines",
1471
- "escalation procedures",
1472
- "patch management integration",
1473
- "risk-based remediation",
1474
- "remediation tracking",
1475
- "verification procedures"
1476
- ],
1477
- implementationSuggestions: [ // Gray - Implementation suggestions
1478
- "vulnerability management platforms",
1479
- "patch management systems",
1480
- "remediation workflow tools",
1481
- "SLA tracking systems",
1482
- "risk scoring frameworks"
1483
- ],
1484
- relatedSafeguards: ["7.1", "7.3", "7.4", "7.5", "7.6", "7.7"] },
1485
- "7.3": {
1486
- id: "7.3",
1487
- title: "Perform Automated Operating System Patch Management",
1488
- description: "Perform automated operating system patch management on enterprise assets",
1489
- implementationGroup: "IG1",
1490
- assetType: ["Devices"],
1491
- securityFunction: ["Protect"],
1492
- governanceElements: [ // Orange - MUST be met
1493
- "perform automated OS patch management",
1494
- "enterprise assets coverage",
1495
- "automated patching requirement",
1496
- "patch management governance"
1497
- ],
1498
- coreRequirements: [ // Green - The "what"
1499
- "automated operating system patching",
1500
- "enterprise asset coverage",
1501
- "patch deployment automation",
1502
- "OS security updates"
1503
- ],
1504
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1505
- "patch deployment scheduling",
1506
- "patch testing procedures",
1507
- "rollback capabilities",
1508
- "patch compliance monitoring",
1509
- "emergency patching procedures",
1510
- "patch approval workflows",
1511
- "system restart management"
1512
- ],
1513
- implementationSuggestions: [ // Gray - Implementation suggestions
1514
- "Windows Update Services",
1515
- "patch management platforms",
1516
- "configuration management tools",
1517
- "automated patching solutions",
1518
- "system center tools"
1519
- ],
1520
- relatedSafeguards: ["1.1", "4.1", "7.1", "7.2", "7.4", "7.5"] },
1521
- "7.4": {
1522
- id: "7.4",
1523
- title: "Perform Automated Application Patch Management",
1524
- description: "Perform automated application patch management on enterprise assets",
1525
- implementationGroup: "IG1",
1526
- assetType: ["Software"],
1527
- securityFunction: ["Protect"],
1528
- governanceElements: [ // Orange - MUST be met
1529
- "perform automated application patching",
1530
- "enterprise assets coverage",
1531
- "automated application updates",
1532
- "application patch governance"
1533
- ],
1534
- coreRequirements: [ // Green - The "what"
1535
- "automated application patching",
1536
- "enterprise asset coverage",
1537
- "application security updates",
1538
- "patch deployment automation"
1539
- ],
1540
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1541
- "application update management",
1542
- "third-party software updates",
1543
- "browser plugin updates",
1544
- "security patch prioritization",
1545
- "application compatibility testing",
1546
- "update rollback procedures",
1547
- "vendor patch notifications"
1548
- ],
1549
- implementationSuggestions: [ // Gray - Implementation suggestions
1550
- "application update managers",
1551
- "third-party patch solutions",
1552
- "automated deployment tools",
1553
- "software inventory integration",
1554
- "patch compliance scanners"
1555
- ],
1556
- relatedSafeguards: ["2.1", "2.2", "7.1", "7.2", "7.3", "7.5"] },
1557
- "7.5": {
1558
- id: "7.5",
1559
- title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
1560
- description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
1561
- implementationGroup: "IG2",
1562
- assetType: ["Devices", "Software"],
1563
- securityFunction: ["Detect"],
1564
- governanceElements: [ // Orange - MUST be met
1565
- "perform automated vulnerability scans",
1566
- "internal enterprise assets",
1567
- "quarterly or more frequent basis",
1568
- "vulnerability scanning governance"
1569
- ],
1570
- coreRequirements: [ // Green - The "what"
1571
- "automated vulnerability scanning",
1572
- "internal asset coverage",
1573
- "quarterly scan frequency",
1574
- "vulnerability detection"
1575
- ],
1576
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1577
- "network vulnerability scanning",
1578
- "host-based vulnerability scanning",
1579
- "application vulnerability scanning",
1580
- "database vulnerability scanning",
1581
- "scan scheduling",
1582
- "scan result analysis",
1583
- "false positive management"
1584
- ],
1585
- implementationSuggestions: [ // Gray - Implementation suggestions
1586
- "vulnerability scanners",
1587
- "network security scanners",
1588
- "application security scanners",
1589
- "automated scanning platforms",
1590
- "vulnerability management systems"
1591
- ],
1592
- relatedSafeguards: ["1.1", "2.1", "7.1", "7.2", "7.3", "7.4", "7.6", "7.7"] },
1593
- "7.6": {
1594
- id: "7.6",
1595
- title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
1596
- description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
1597
- implementationGroup: "IG2",
1598
- assetType: ["Devices", "Software"],
1599
- securityFunction: ["Detect"],
1600
- governanceElements: [ // Orange - MUST be met
1601
- "perform automated vulnerability scans",
1602
- "externally-exposed enterprise assets",
1603
- "internal or external scanning service",
1604
- "external asset scanning governance"
1605
- ],
1606
- coreRequirements: [ // Green - The "what"
1607
- "automated vulnerability scanning",
1608
- "externally-exposed assets",
1609
- "external vulnerability detection",
1610
- "internet-facing asset scanning"
1611
- ],
1612
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1613
- "external network scanning",
1614
- "web application scanning",
1615
- "exposed service scanning",
1616
- "cloud asset scanning",
1617
- "external IP monitoring",
1618
- "internet exposure assessment",
1619
- "attack surface analysis"
1620
- ],
1621
- implementationSuggestions: [ // Gray - Implementation suggestions
1622
- "external vulnerability scanners",
1623
- "cloud security scanning",
1624
- "web application scanners",
1625
- "internet asset discovery",
1626
- "third-party scanning services"
1627
- ],
1628
- relatedSafeguards: ["1.1", "2.1", "7.1", "7.2", "7.5", "7.7"] },
1629
- "7.7": {
1630
- id: "7.7",
1631
- title: "Remediate Detected Vulnerabilities",
1632
- description: "Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis",
1633
- implementationGroup: "IG2",
1634
- assetType: ["Software"],
1635
- securityFunction: ["Respond"],
1636
- governanceElements: [ // Orange - MUST be met
1637
- "remediate detected vulnerabilities",
1638
- "software vulnerability remediation",
1639
- "monthly or more frequent basis",
1640
- "vulnerability remediation governance"
1641
- ],
1642
- coreRequirements: [ // Green - The "what"
1643
- "vulnerability remediation",
1644
- "detected vulnerability handling",
1645
- "monthly remediation cycles",
1646
- "software security updates"
1647
- ],
1648
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1649
- "vulnerability assessment",
1650
- "risk-based prioritization",
1651
- "patch deployment",
1652
- "compensating controls",
1653
- "remediation verification",
1654
- "remediation tracking",
1655
- "exception management"
1656
- ],
1657
- implementationSuggestions: [ // Gray - Implementation suggestions
1658
- "vulnerability management platforms",
1659
- "automated remediation tools",
1660
- "patch management integration",
1661
- "remediation workflow systems",
1662
- "risk assessment tools"
1663
- ],
1664
- relatedSafeguards: ["7.1", "7.2", "7.3", "7.4", "7.5", "7.6"] },
1665
- "8.1": {
1666
- id: "8.1",
1667
- title: "Establish and Maintain an Audit Log Management Process",
1668
- description: "Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1669
- implementationGroup: "IG1",
1670
- assetType: ["enterprise assets", "Data"],
1671
- securityFunction: ["Govern"],
1672
- governanceElements: [
1673
- "establish and maintain",
1674
- "documented audit log management process",
1675
- "review and update documentation annually",
1676
- "when significant enterprise changes occur that could impact this Safeguard"
1677
- ],
1678
- coreRequirements: [
1679
- "enterprise's logging requirements",
1680
- "collection, review, and retention of audit logs",
1681
- "enterprise assets"
1682
- ],
1683
- subTaxonomicalElements: [
1684
- "collection",
1685
- "review",
1686
- "retention",
1687
- "annually",
1688
- "minimum"
1689
- ],
1690
- implementationSuggestions: [
1691
- "log management policy/process",
1692
- "documentation"
1693
- ],
1694
- relatedSafeguards: ["8.2", "8.3", "8.5", "8.6", "8.7", "8.8", "8.9", "8.10", "8.11", "8.12"] },
1695
- "8.2": {
1696
- id: "8.2",
1697
- title: "Collect Audit Logs",
1698
- description: "Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.",
1699
- implementationGroup: "IG1",
1700
- assetType: ["enterprise assets", "Data"],
1701
- securityFunction: ["Detect"],
1702
- governanceElements: [
1703
- "per the enterprise's audit log management process"
1704
- ],
1705
- coreRequirements: [
1706
- "collect audit logs",
1707
- "logging enabled",
1708
- "enterprise assets"
1709
- ],
1710
- subTaxonomicalElements: [
1711
- "enabled"
1712
- ],
1713
- implementationSuggestions: [
1714
- "log management tool",
1715
- "OS dependent"
1716
- ],
1717
- relatedSafeguards: ["8.1"] },
1718
- "8.3": {
1719
- id: "8.3",
1720
- title: "Ensure Adequate Audit Log Storage",
1721
- description: "Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.",
1722
- implementationGroup: "IG1",
1723
- assetType: ["Data"],
1724
- securityFunction: ["Protect"],
1725
- governanceElements: [
1726
- "comply with the enterprise's audit log management process"
1727
- ],
1728
- coreRequirements: [
1729
- "logging destinations maintain adequate storage"
1730
- ],
1731
- subTaxonomicalElements: [
1732
- "adequate storage",
1733
- "maintain",
1734
- "comply",
1735
- "logging destinations"
1736
- ],
1737
- implementationSuggestions: [
1738
- "log management tool",
1739
- "potentially OS dependent"
1740
- ],
1741
- relatedSafeguards: ["8.1", "8.9", "8.10"] },
1742
- "8.4": {
1743
- id: "8.4",
1744
- title: "Standardize Time Synchronization",
1745
- description: "Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.",
1746
- implementationGroup: "IG2",
1747
- assetType: ["enterprise assets", "Data"],
1748
- securityFunction: ["Protect"],
1749
- governanceElements: [
1750
- "standardize time synchronization"
1751
- ],
1752
- coreRequirements: [
1753
- "configure at least two synchronized time sources",
1754
- "enterprise assets",
1755
- "where supported"
1756
- ],
1757
- subTaxonomicalElements: [
1758
- "at least two",
1759
- "synchronized",
1760
- "time sources",
1761
- "where supported"
1762
- ],
1763
- implementationSuggestions: [
1764
- "secure configuration policy/process",
1765
- "potentially OS dependent"
1766
- ],
1767
- relatedSafeguards: ["4.1"] },
1768
- "8.5": {
1769
- id: "8.5",
1770
- title: "Collect Detailed Audit Logs",
1771
- description: "Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.",
1772
- implementationGroup: "IG2",
1773
- assetType: ["enterprise assets", "Data"],
1774
- securityFunction: ["Detect"],
1775
- governanceElements: [
1776
- "configure detailed audit logging"
1777
- ],
1778
- coreRequirements: [
1779
- "enterprise assets containing sensitive data",
1780
- "forensic investigation"
1781
- ],
1782
- subTaxonomicalElements: [
1783
- "event source",
1784
- "date",
1785
- "username",
1786
- "timestamp",
1787
- "source addresses",
1788
- "destination addresses",
1789
- "other useful elements"
1790
- ],
1791
- implementationSuggestions: [
1792
- "log management tool",
1793
- "log management policy/process",
1794
- "potentially OS dependent"
1795
- ],
1796
- relatedSafeguards: ["8.1", "1.1", "3.2"] },
1797
- "8.6": {
1798
- id: "8.6",
1799
- title: "Collect DNS Query Audit Logs",
1800
- description: "Collect DNS query audit logs on enterprise assets, where appropriate and supported.",
1801
- implementationGroup: "IG2",
1802
- assetType: ["enterprise assets", "Data"],
1803
- securityFunction: ["Detect"],
1804
- governanceElements: [
1805
- "where appropriate and supported"
1806
- ],
1807
- coreRequirements: [
1808
- "collect DNS query audit logs",
1809
- "enterprise assets"
1810
- ],
1811
- subTaxonomicalElements: [
1812
- "DNS query logs",
1813
- "where appropriate",
1814
- "where supported"
1815
- ],
1816
- implementationSuggestions: [
1817
- "log management tool",
1818
- "secure configuration policy/process",
1819
- "potentially OS dependent"
1820
- ],
1821
- relatedSafeguards: ["8.1", "4.9"] },
1822
- "8.7": {
1823
- id: "8.7",
1824
- title: "Collect URL Request Audit Logs",
1825
- description: "Collect URL request audit logs on enterprise assets, where appropriate and supported.",
1826
- implementationGroup: "IG2",
1827
- assetType: ["enterprise assets", "Data"],
1828
- securityFunction: ["Detect"],
1829
- governanceElements: [
1830
- "where appropriate and supported"
1831
- ],
1832
- coreRequirements: [
1833
- "collect URL request audit logs",
1834
- "enterprise assets"
1835
- ],
1836
- subTaxonomicalElements: [
1837
- "URL request audit logs",
1838
- "where appropriate",
1839
- "where supported"
1840
- ],
1841
- implementationSuggestions: [
1842
- "log management tool",
1843
- "secure configuration policy/process",
1844
- "potentially OS dependent"
1845
- ],
1846
- relatedSafeguards: ["8.1"] },
1847
- "8.8": {
1848
- id: "8.8",
1849
- title: "Collect Command-Line Audit Logs",
1850
- description: "Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.",
1851
- implementationGroup: "IG2",
1852
- assetType: ["Data"],
1853
- securityFunction: ["Detect"],
1854
- governanceElements: [
1855
- "collect command-line audit logs"
1856
- ],
1857
- coreRequirements: [
1858
- "command-line audit logs"
1859
- ],
1860
- subTaxonomicalElements: [
1861
- "PowerShell",
1862
- "BASH",
1863
- "remote administrative terminals"
1864
- ],
1865
- implementationSuggestions: [
1866
- "log management tool",
1867
- "secure configuration policy/process",
1868
- "OS dependent"
1869
- ],
1870
- relatedSafeguards: ["8.1"] },
1871
- "8.9": {
1872
- id: "8.9",
1873
- title: "Centralize Audit Logs",
1874
- description: "Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources.",
1875
- implementationGroup: "IG2",
1876
- assetType: ["enterprise assets", "Data"],
1877
- securityFunction: ["Detect"],
1878
- governanceElements: [
1879
- "in accordance with documented audit log management process",
1880
- "to the extent possible"
1881
- ],
1882
- coreRequirements: [
1883
- "centralize audit log collection and retention",
1884
- "enterprise assets"
1885
- ],
1886
- subTaxonomicalElements: [
1887
- "audit log collection",
1888
- "audit log retention",
1889
- "to the extent possible"
1890
- ],
1891
- implementationSuggestions: [
1892
- "SIEM tool",
1893
- "log analytics and centralization tool",
1894
- "OS dependent"
1895
- ],
1896
- relatedSafeguards: ["8.1", "8.3", "12.5", "13.1"] },
1897
- "8.10": {
1898
- id: "8.10",
1899
- title: "Retain Audit Logs",
1900
- description: "Retain audit logs across enterprise assets for a minimum of 90 days.",
1901
- implementationGroup: "IG2",
1902
- assetType: ["enterprise assets", "Data"],
1903
- securityFunction: ["Protect"],
1904
- governanceElements: [
1905
- "minimum of 90 days"
1906
- ],
1907
- coreRequirements: [
1908
- "retain audit logs",
1909
- "enterprise assets"
1910
- ],
1911
- subTaxonomicalElements: [
1912
- "minimum of 90 days"
1913
- ],
1914
- implementationSuggestions: [
1915
- "log analytics and centralization tool"
1916
- ],
1917
- relatedSafeguards: ["8.1", "8.3"] },
1918
- "8.11": {
1919
- id: "8.11",
1920
- title: "Conduct Audit Log Reviews",
1921
- description: "Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.",
1922
- implementationGroup: "IG2",
1923
- assetType: ["Data"],
1924
- securityFunction: ["Detect"],
1925
- governanceElements: [
1926
- "conduct reviews on a weekly, or more frequent, basis"
1927
- ],
1928
- coreRequirements: [
1929
- "detect anomalies or abnormal events",
1930
- "potential threat"
1931
- ],
1932
- subTaxonomicalElements: [
1933
- "weekly",
1934
- "more frequent",
1935
- "anomalies",
1936
- "abnormal events"
1937
- ],
1938
- implementationSuggestions: [
1939
- "log analytics and centralization tool"
1940
- ],
1941
- relatedSafeguards: ["8.1", "8.12"] },
1942
- "8.12": {
1943
- id: "8.12",
1944
- title: "Collect Service Provider Logs",
1945
- description: "Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.",
1946
- implementationGroup: "IG3",
1947
- assetType: ["Data"],
1948
- securityFunction: ["Detect"],
1949
- governanceElements: [
1950
- "where supported"
1951
- ],
1952
- coreRequirements: [
1953
- "collect service provider logs"
1954
- ],
1955
- subTaxonomicalElements: [
1956
- "authentication events",
1957
- "authorization events",
1958
- "data creation events",
1959
- "disposal events",
1960
- "user management events"
1961
- ],
1962
- implementationSuggestions: [
1963
- "log analytics and centralization tool",
1964
- "secure configuration policy/process"
1965
- ],
1966
- relatedSafeguards: ["8.1", "8.11", "15.1"] },
1967
- "9.1": {
1968
- id: "9.1",
1969
- title: "Ensure Use of Only Fully Supported Browsers and Email Clients",
1970
- description: "Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor",
1971
- implementationGroup: "IG1",
1972
- assetType: ["Software"],
1973
- securityFunction: ["Protect"],
1974
- governanceElements: [ // Orange - MUST be met
1975
- "ensure only fully supported browsers and email clients are allowed to execute",
1976
- "only using the latest version provided through the vendor"
1977
- ],
1978
- coreRequirements: [ // Green - The "what"
1979
- "fully supported browsers only",
1980
- "fully supported email clients only",
1981
- "latest vendor versions only",
1982
- "execution restriction enforcement"
1983
- ],
1984
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1985
- "ensure only fully supported",
1986
- "browsers and email clients",
1987
- "are allowed to execute",
1988
- "in the enterprise",
1989
- "only using the latest version",
1990
- "provided through the vendor"
1991
- ],
1992
- implementationSuggestions: [ // Gray - Implementation suggestions
1993
- "enterprise and software asset management tools",
1994
- "application allowlisting",
1995
- "software inventory systems",
1996
- "automated patch management"
1997
- ],
1998
- relatedSafeguards: ["2.1", "4.1", "7.4"] },
1999
- "9.2": {
2000
- id: "9.2",
2001
- title: "Use DNS Filtering Services",
2002
- description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
2003
- implementationGroup: "IG1",
2004
- assetType: ["Devices", "network"],
2005
- securityFunction: ["Protect"],
2006
- governanceElements: [ // Orange - MUST be met
2007
- "use DNS filtering services on all end-user devices",
2008
- "including remote and on-premise assets",
2009
- "to block access to known malicious domains"
2010
- ],
2011
- coreRequirements: [ // Green - The "what"
2012
- "DNS filtering services deployment",
2013
- "all end-user device coverage",
2014
- "malicious domain blocking",
2015
- "remote and on-premise asset inclusion"
2016
- ],
2017
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2018
- "use DNS filtering services",
2019
- "on all end-user devices",
2020
- "including remote assets",
2021
- "including on-premise assets",
2022
- "to block access",
2023
- "to known malicious domains"
2024
- ],
2025
- implementationSuggestions: [ // Gray - Implementation suggestions
2026
- "DNS filtering services",
2027
- "secure DNS servers",
2028
- "DNS security platforms",
2029
- "cloud-based DNS filtering"
2030
- ],
2031
- relatedSafeguards: ["4.1", "4.9"] },
2032
- "9.3": {
2033
- id: "9.3",
2034
- title: "Maintain and Enforce Network-Based URL Filters",
2035
- description: "Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets",
2036
- implementationGroup: "IG2",
2037
- assetType: ["network"],
2038
- securityFunction: ["Protect"],
2039
- governanceElements: [ // Orange - MUST be met
2040
- "enforce and update network-based URL filters",
2041
- "to limit enterprise asset from connecting to potentially malicious or unapproved websites",
2042
- "enforce filters for all enterprise assets"
2043
- ],
2044
- coreRequirements: [ // Green - The "what"
2045
- "network-based URL filters",
2046
- "enterprise asset connection limiting",
2047
- "malicious website blocking",
2048
- "unapproved website blocking"
2049
- ],
2050
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2051
- "enforce network-based URL filters",
2052
- "update network-based URL filters",
2053
- "limit enterprise asset from connecting",
2054
- "to potentially malicious websites",
2055
- "to unapproved websites",
2056
- "enforce filters for all enterprise assets"
2057
- ],
2058
- implementationSuggestions: [ // Gray - Implementation suggestions
2059
- "URL filtering tools",
2060
- "category-based filtering",
2061
- "reputation-based filtering",
2062
- "block lists",
2063
- "web content filtering"
2064
- ],
2065
- relatedSafeguards: ["4.1"] },
2066
- "9.4": {
2067
- id: "9.4",
2068
- title: "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions",
2069
- description: "Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
2070
- implementationGroup: "IG2",
2071
- assetType: ["Software"],
2072
- securityFunction: ["Protect"],
2073
- governanceElements: [ // Orange - MUST be met
2074
- "restrict unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
2075
- "either through uninstalling or disabling"
2076
- ],
2077
- coreRequirements: [ // Green - The "what"
2078
- "browser plugin restrictions",
2079
- "email client plugin restrictions",
2080
- "browser extension restrictions",
2081
- "add-on application restrictions"
2082
- ],
2083
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2084
- "restrict through uninstalling or disabling",
2085
- "unauthorized browser plugins",
2086
- "unnecessary browser plugins",
2087
- "unauthorized email client plugins",
2088
- "unnecessary email client plugins",
2089
- "unauthorized browser extensions",
2090
- "unnecessary browser extensions",
2091
- "unauthorized add-on applications",
2092
- "unnecessary add-on applications"
2093
- ],
2094
- implementationSuggestions: [ // Gray - Implementation suggestions
2095
- "configuration management tools",
2096
- "browser management systems",
2097
- "application control policies",
2098
- "extension management platforms"
2099
- ],
2100
- relatedSafeguards: ["4.1"] },
2101
- "9.5": {
2102
- id: "9.5",
2103
- title: "Implement DMARC",
2104
- description: "To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards",
2105
- implementationGroup: "IG2",
2106
- assetType: ["network"],
2107
- securityFunction: ["Protect"],
2108
- governanceElements: [ // Orange - MUST be met
2109
- "implement DMARC policy and verification",
2110
- "to lower the chance of spoofed or modified emails from valid domains",
2111
- "starting with implementing SPF and DKIM standards"
2112
- ],
2113
- coreRequirements: [ // Green - The "what"
2114
- "DMARC policy implementation",
2115
- "DMARC verification implementation",
2116
- "SPF standard implementation",
2117
- "DKIM standard implementation"
2118
- ],
2119
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2120
- "implement DMARC policy",
2121
- "implement DMARC verification",
2122
- "to lower the chance of spoofed emails",
2123
- "to lower the chance of modified emails",
2124
- "from valid domains",
2125
- "starting with implementing SPF",
2126
- "starting with implementing DKIM",
2127
- "Sender Policy Framework standards",
2128
- "DomainKeys Identified Mail standards"
2129
- ],
2130
- implementationSuggestions: [ // Gray - Implementation suggestions
2131
- "DMARC management tools",
2132
- "email authentication services",
2133
- "SPF record management",
2134
- "DKIM signature management"
2135
- ],
2136
- relatedSafeguards: ["4.1"] },
2137
- "9.6": {
2138
- id: "9.6",
2139
- title: "Block Unnecessary File Types",
2140
- description: "Block unnecessary file types attempting to enter the enterprise's email gateway",
2141
- implementationGroup: "IG2",
2142
- assetType: ["network"],
2143
- securityFunction: ["Protect"],
2144
- governanceElements: [ // Orange - MUST be met
2145
- "block unnecessary file types attempting to enter the enterprise's email gateway"
2146
- ],
2147
- coreRequirements: [ // Green - The "what"
2148
- "unnecessary file type blocking",
2149
- "email gateway protection",
2150
- "file type filtering"
2151
- ],
2152
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2153
- "block unnecessary file types",
2154
- "attempting to enter",
2155
- "the enterprise's email gateway"
2156
- ],
2157
- implementationSuggestions: [ // Gray - Implementation suggestions
2158
- "email security tools",
2159
- "email gateway filtering",
2160
- "file type blocking systems",
2161
- "email content filtering"
2162
- ],
2163
- relatedSafeguards: ["4.1"] },
2164
- "9.7": {
2165
- id: "9.7",
2166
- title: "Deploy and Maintain Email Server Anti-Malware Protections",
2167
- description: "Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing",
2168
- implementationGroup: "IG1",
2169
- assetType: ["network"],
2170
- securityFunction: ["Protect"],
2171
- governanceElements: [ // Orange - MUST be met
2172
- "deploy and maintain email server anti-malware protections",
2173
- "such as attachment scanning and/or sandboxing"
2174
- ],
2175
- coreRequirements: [ // Green - The "what"
2176
- "email server anti-malware protections",
2177
- "attachment scanning capabilities",
2178
- "sandboxing capabilities",
2179
- "deployment and maintenance"
2180
- ],
2181
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2182
- "deploy email server anti-malware protections",
2183
- "maintain email server anti-malware protections",
2184
- "such as attachment scanning",
2185
- "such as sandboxing",
2186
- "attachment scanning and/or sandboxing"
2187
- ],
2188
- implementationSuggestions: [ // Gray - Implementation suggestions
2189
- "email security tools",
2190
- "anti-malware platforms",
2191
- "attachment scanning systems",
2192
- "email sandboxing solutions"
2193
- ],
2194
- relatedSafeguards: ["4.1", "10.1"] },
2195
- "10.1": {
2196
- id: "10.1",
2197
- title: "Deploy and Maintain Anti-Malware Software",
2198
- description: "Deploy and maintain anti-malware software on all enterprise assets",
2199
- implementationGroup: "IG1",
2200
- assetType: ["Devices"],
2201
- securityFunction: ["Detect"],
2202
- governanceElements: [ // Orange - MUST be met
2203
- "deploy anti-malware software",
2204
- "maintain anti-malware software",
2205
- "all enterprise assets coverage",
2206
- "anti-malware software management"
2207
- ],
2208
- coreRequirements: [ // Green - The "what"
2209
- "anti-malware software deployment",
2210
- "anti-malware software maintenance",
2211
- "enterprise assets protection",
2212
- "malware detection capabilities"
2213
- ],
2214
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2215
- "deploy",
2216
- "maintain",
2217
- "anti-malware software",
2218
- "all enterprise assets"
2219
- ],
2220
- implementationSuggestions: [ // Gray - Implementation suggestions
2221
- "endpoint protection platforms",
2222
- "anti-virus solutions",
2223
- "endpoint detection and response",
2224
- "malware protection tools",
2225
- "security software management"
2226
- ],
2227
- relatedSafeguards: ["4.1", "10.2", "10.4", "10.6", "10.7", "13.5"] },
2228
- "10.2": {
2229
- id: "10.2",
2230
- title: "Configure Automatic Anti-Malware Signature Updates",
2231
- description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
2232
- implementationGroup: "IG1",
2233
- assetType: ["Devices"],
2234
- securityFunction: ["Protect"],
2235
- governanceElements: [ // Orange - MUST be met
2236
- "configure automatic updates",
2237
- "anti-malware signature files",
2238
- "all enterprise assets coverage",
2239
- "signature update management"
2240
- ],
2241
- coreRequirements: [ // Green - The "what"
2242
- "automatic updates configuration",
2243
- "anti-malware signature files",
2244
- "enterprise assets coverage"
2245
- ],
2246
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2247
- "configure",
2248
- "automatic updates",
2249
- "anti-malware signature files",
2250
- "all enterprise assets"
2251
- ],
2252
- implementationSuggestions: [ // Gray - Implementation suggestions
2253
- "anti-malware software can auto update potentially"
2254
- ],
2255
- relatedSafeguards: ["10.1"] },
2256
- "10.3": {
2257
- id: "10.3",
2258
- title: "Disable Autorun and Autoplay for Removable Media",
2259
- description: "Disable autorun and autoplay auto-execute functionality for removable media",
2260
- implementationGroup: "IG1",
2261
- assetType: ["Devices"],
2262
- securityFunction: ["Protect"],
2263
- governanceElements: [ // Orange - MUST be met
2264
- "disable autorun functionality",
2265
- "disable autoplay functionality",
2266
- "auto-execute prevention",
2267
- "removable media security"
2268
- ],
2269
- coreRequirements: [ // Green - The "what"
2270
- "autorun disabling",
2271
- "autoplay disabling",
2272
- "auto-execute prevention",
2273
- "removable media protection"
2274
- ],
2275
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2276
- "disable",
2277
- "autorun",
2278
- "autoplay",
2279
- "auto-execute functionality",
2280
- "removable media"
2281
- ],
2282
- implementationSuggestions: [ // Gray - Implementation suggestions
2283
- "group policy settings",
2284
- "registry modifications",
2285
- "configuration management tools",
2286
- "secure configuration policy/process"
2287
- ],
2288
- relatedSafeguards: ["4.1"] },
2289
- "10.4": {
2290
- id: "10.4",
2291
- title: "Configure Automatic Anti-Malware Scanning of Removable Media",
2292
- description: "Configure anti-malware software to automatically scan removable media",
2293
- implementationGroup: "IG2",
2294
- assetType: ["Devices"],
2295
- securityFunction: ["Detect"],
2296
- governanceElements: [ // Orange - MUST be met
2297
- "configure anti-malware software",
2298
- "automatic scanning configuration",
2299
- "removable media scanning",
2300
- "scanning policy management"
2301
- ],
2302
- coreRequirements: [ // Green - The "what"
2303
- "anti-malware software configuration",
2304
- "automatic scanning",
2305
- "removable media protection",
2306
- "malware detection on media"
2307
- ],
2308
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2309
- "configure",
2310
- "anti-malware software",
2311
- "automatically scan",
2312
- "removable media"
2313
- ],
2314
- implementationSuggestions: [ // Gray - Implementation suggestions
2315
- "anti-malware software configuration policy/process",
2316
- "endpoint scanning policies",
2317
- "media scanning tools",
2318
- "automated threat detection"
2319
- ],
2320
- relatedSafeguards: ["10.1"] },
2321
- "10.5": {
2322
- id: "10.5",
2323
- title: "Enable Anti-Exploitation Features",
2324
- description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
2325
- implementationGroup: "IG2",
2326
- assetType: ["Devices"],
2327
- securityFunction: ["Protect"],
2328
- governanceElements: [ // Orange - MUST be met
2329
- "enable anti-exploitation features",
2330
- "enterprise assets coverage",
2331
- "software protection",
2332
- "where possible implementation"
2333
- ],
2334
- coreRequirements: [ // Green - The "what"
2335
- "anti-exploitation features",
2336
- "enterprise assets protection",
2337
- "software security",
2338
- "exploit prevention"
2339
- ],
2340
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2341
- "enable",
2342
- "anti-exploitation features",
2343
- "enterprise assets",
2344
- "software",
2345
- "where possible"
2346
- ],
2347
- implementationSuggestions: [ // Gray - Implementation suggestions
2348
- "Microsoft® Data Execution Prevention (DEP)",
2349
- "Windows® Defender Exploit Guard (WDEG)",
2350
- "Apple® System Integrity Protection (SIP)",
2351
- "Gatekeeper™",
2352
- "configuration management tool"
2353
- ],
2354
- relatedSafeguards: ["4.1"] },
2355
- "10.6": {
2356
- id: "10.6",
2357
- title: "Centrally Manage Anti-Malware Software",
2358
- description: "Centrally manage anti-malware software",
2359
- implementationGroup: "IG2",
2360
- assetType: ["Devices"],
2361
- securityFunction: ["Protect"],
2362
- governanceElements: [ // Orange - MUST be met
2363
- "centrally manage anti-malware",
2364
- "centralized management process",
2365
- "anti-malware software governance",
2366
- "management infrastructure"
2367
- ],
2368
- coreRequirements: [ // Green - The "what"
2369
- "centralized management",
2370
- "anti-malware software",
2371
- "management capabilities",
2372
- "centralized control"
2373
- ],
2374
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2375
- "centrally manage",
2376
- "anti-malware software"
2377
- ],
2378
- implementationSuggestions: [ // Gray - Implementation suggestions
2379
- "anti-malware software configuration policy/process",
2380
- "centralized management platforms",
2381
- "security management consoles",
2382
- "enterprise security tools"
2383
- ],
2384
- relatedSafeguards: ["10.1"] },
2385
- "10.7": {
2386
- id: "10.7",
2387
- title: "Use Behavior-Based Anti-Malware Software",
2388
- description: "Use behavior-based anti-malware software",
2389
- implementationGroup: "IG2",
2390
- assetType: ["Devices"],
2391
- securityFunction: ["Detect"],
2392
- governanceElements: [ // Orange - MUST be met
2393
- "use behavior-based anti-malware",
2394
- "behavioral analysis implementation",
2395
- "advanced threat detection",
2396
- "behavior-based protection"
2397
- ],
2398
- coreRequirements: [ // Green - The "what"
2399
- "behavior-based anti-malware software",
2400
- "behavioral analysis",
2401
- "advanced malware detection",
2402
- "dynamic threat identification"
2403
- ],
2404
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2405
- "use",
2406
- "behavior-based",
2407
- "anti-malware software"
2408
- ],
2409
- implementationSuggestions: [ // Gray - Implementation suggestions
2410
- "anti-malware software configuration policy/process",
2411
- "behavioral analysis tools",
2412
- "advanced endpoint detection",
2413
- "machine learning security"
2414
- ],
2415
- relatedSafeguards: ["10.1"] },
2416
- "11.1": {
2417
- id: "11.1",
2418
- title: "Establish and Maintain a Data Recovery Process",
2419
- description: "Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
2420
- implementationGroup: "IG1",
2421
- assetType: ["Data"],
2422
- securityFunction: ["Govern"],
2423
- governanceElements: [ // Orange - MUST be met
2424
- "establish documented data recovery process",
2425
- "maintain documented data recovery process",
2426
- "review and update documentation annually",
2427
- "when significant enterprise changes occur that could impact this Safeguard"
2428
- ],
2429
- coreRequirements: [ // Green - The "what"
2430
- "documented data recovery process",
2431
- "scope of data recovery activities",
2432
- "recovery prioritization",
2433
- "security of backup data"
2434
- ],
2435
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2436
- "establish",
2437
- "maintain",
2438
- "documented data recovery process",
2439
- "scope of data recovery activities",
2440
- "recovery prioritization",
2441
- "security of backup data",
2442
- "review and update documentation",
2443
- "annually",
2444
- "when significant enterprise changes occur"
2445
- ],
2446
- implementationSuggestions: [ // Gray - Implementation suggestions
2447
- "data recovery policy/process",
2448
- "business continuity documentation",
2449
- "recovery procedures manual",
2450
- "backup and recovery strategy"
2451
- ],
2452
- relatedSafeguards: ["3.2", "3.4", "3.5", "3.8", "11.2", "11.3", "11.4", "11.5"] },
2453
- "11.2": {
2454
- id: "11.2",
2455
- title: "Perform Automated Backups",
2456
- description: "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data",
2457
- implementationGroup: "IG1",
2458
- assetType: ["Data"],
2459
- securityFunction: ["Recover"],
2460
- governanceElements: [ // Orange - MUST be met
2461
- "perform automated backups",
2462
- "in-scope enterprise assets",
2463
- "run backups weekly or more frequently",
2464
- "based on sensitivity of data"
2465
- ],
2466
- coreRequirements: [ // Green - The "what"
2467
- "automated backups",
2468
- "in-scope enterprise assets",
2469
- "backup frequency requirements",
2470
- "data sensitivity considerations"
2471
- ],
2472
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2473
- "perform",
2474
- "automated backups",
2475
- "in-scope enterprise assets",
2476
- "run backups",
2477
- "weekly",
2478
- "more frequently",
2479
- "based on sensitivity of the data"
2480
- ],
2481
- implementationSuggestions: [ // Gray - Implementation suggestions
2482
- "data backup and recovery tool",
2483
- "automated backup systems",
2484
- "backup scheduling software",
2485
- "enterprise backup solutions"
2486
- ],
2487
- relatedSafeguards: ["1.1", "2.1", "11.1"] },
2488
- "11.3": {
2489
- id: "11.3",
2490
- title: "Protect Recovery Data",
2491
- description: "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements",
2492
- implementationGroup: "IG1",
2493
- assetType: ["Data"],
2494
- securityFunction: ["Protect"],
2495
- governanceElements: [ // Orange - MUST be met
2496
- "protect recovery data",
2497
- "equivalent controls to original data",
2498
- "reference encryption or data separation",
2499
- "based on requirements"
2500
- ],
2501
- coreRequirements: [ // Green - The "what"
2502
- "recovery data protection",
2503
- "equivalent controls",
2504
- "original data protection parity",
2505
- "requirements-based implementation"
2506
- ],
2507
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2508
- "protect",
2509
- "recovery data",
2510
- "equivalent controls to the original data",
2511
- "reference encryption",
2512
- "data separation",
2513
- "based on requirements"
2514
- ],
2515
- implementationSuggestions: [ // Gray - Implementation suggestions
2516
- "data backup and recovery tool",
2517
- "backup encryption systems",
2518
- "secure backup storage",
2519
- "data separation technologies"
2520
- ],
2521
- relatedSafeguards: ["3.3", "3.10", "3.11", "11.1"] },
2522
- "11.4": {
2523
- id: "11.4",
2524
- title: "Establish and Maintain an Isolated Instance of Recovery Data",
2525
- description: "Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services",
2526
- implementationGroup: "IG1",
2527
- assetType: ["Data"],
2528
- securityFunction: ["Recover"],
2529
- governanceElements: [ // Orange - MUST be met
2530
- "establish isolated instance of recovery data",
2531
- "maintain isolated instance of recovery data",
2532
- "version controlling backup destinations",
2533
- "example implementations include offline, cloud, or off-site systems or services"
2534
- ],
2535
- coreRequirements: [ // Green - The "what"
2536
- "isolated instance of recovery data",
2537
- "backup destination control",
2538
- "recovery data isolation",
2539
- "implementation flexibility"
2540
- ],
2541
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2542
- "establish",
2543
- "maintain",
2544
- "isolated instance of recovery data",
2545
- "version controlling backup destinations",
2546
- "offline",
2547
- "cloud",
2548
- "off-site systems",
2549
- "services"
2550
- ],
2551
- implementationSuggestions: [ // Gray - Implementation suggestions
2552
- "data backup and recovery tool",
2553
- "offline backup systems",
2554
- "cloud backup services",
2555
- "off-site storage solutions",
2556
- "version controlling backup destinations"
2557
- ],
2558
- relatedSafeguards: ["11.1"] },
2559
- "11.5": {
2560
- id: "11.5",
2561
- title: "Test Data Recovery",
2562
- description: "Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets",
2563
- implementationGroup: "IG2",
2564
- assetType: ["Data"],
2565
- securityFunction: ["Recover"],
2566
- governanceElements: [ // Orange - MUST be met
2567
- "test backup recovery quarterly or more frequently",
2568
- "sampling of in-scope enterprise assets",
2569
- "recovery testing requirements",
2570
- "testing frequency management"
2571
- ],
2572
- coreRequirements: [ // Green - The "what"
2573
- "backup recovery testing",
2574
- "quarterly testing frequency",
2575
- "in-scope enterprise assets sampling",
2576
- "recovery validation"
2577
- ],
2578
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2579
- "test backup recovery",
2580
- "quarterly",
2581
- "more frequently",
2582
- "sampling",
2583
- "in-scope enterprise assets"
2584
- ],
2585
- implementationSuggestions: [ // Gray - Implementation suggestions
2586
- "data recovery policy/process",
2587
- "data backup and recovery tool",
2588
- "recovery testing procedures",
2589
- "backup validation systems"
2590
- ],
2591
- relatedSafeguards: ["11.1"] },
2592
- "12.1": {
2593
- id: "12.1",
2594
- title: "Ensure Network Infrastructure is Up-to-Date",
2595
- description: "Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support",
2596
- implementationGroup: "IG1",
2597
- assetType: ["network"],
2598
- securityFunction: ["Protect"],
2599
- governanceElements: [ // Orange - MUST be met
2600
- "ensure network infrastructure is kept up-to-date",
2601
- "review software versions monthly or more frequently",
2602
- "verify software support",
2603
- "network infrastructure maintenance"
2604
- ],
2605
- coreRequirements: [ // Green - The "what"
2606
- "network infrastructure up-to-date",
2607
- "latest stable release of software",
2608
- "currently supported network-as-a-service offerings",
2609
- "software version review"
2610
- ],
2611
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2612
- "ensure",
2613
- "network infrastructure is kept up-to-date",
2614
- "running the latest stable release of software",
2615
- "using currently supported network-as-a-service (NaaS) offerings",
2616
- "review software versions",
2617
- "monthly",
2618
- "more frequently",
2619
- "verify software support"
2620
- ],
2621
- implementationSuggestions: [ // Gray - Implementation suggestions
2622
- "enterprise and software asset management tool",
2623
- "network management systems",
2624
- "automated patching tools",
2625
- "network-as-a-service platforms"
2626
- ],
2627
- relatedSafeguards: ["4.2", "7.3"] },
2628
- "12.2": {
2629
- id: "12.2",
2630
- title: "Establish and Maintain a Secure Network Architecture",
2631
- description: "Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components",
2632
- implementationGroup: "IG2",
2633
- assetType: ["network"],
2634
- securityFunction: ["Protect"],
2635
- governanceElements: [ // Orange - MUST be met
2636
- "design secure network architecture",
2637
- "maintain secure network architecture",
2638
- "must address segmentation, least privilege, and availability at minimum",
2639
- "secure network architecture requirements"
2640
- ],
2641
- coreRequirements: [ // Green - The "what"
2642
- "secure network architecture",
2643
- "segmentation",
2644
- "least privilege (POLP)",
2645
- "availability"
2646
- ],
2647
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2648
- "design",
2649
- "maintain",
2650
- "secure network architecture",
2651
- "must address",
2652
- "segmentation",
2653
- "least privilege",
2654
- "availability",
2655
- "at a minimum"
2656
- ],
2657
- implementationSuggestions: [ // Gray - Implementation suggestions
2658
- "secure network management and design policy/process",
2659
- "documentation",
2660
- "policy",
2661
- "design components",
2662
- "network architecture tools"
2663
- ],
2664
- relatedSafeguards: ["3.3", "3.10", "4.2", "12.4", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"] },
2665
- "12.3": {
2666
- id: "12.3",
2667
- title: "Securely Manage Network Infrastructure",
2668
- description: "Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as code, and the use of secure network protocols, such as SSH and HTTPS",
2669
- implementationGroup: "IG2",
2670
- assetType: ["network"],
2671
- securityFunction: ["Protect"],
2672
- governanceElements: [ // Orange - MUST be met
2673
- "securely manage network infrastructure",
2674
- "secure network protocols usage",
2675
- "infrastructure security management",
2676
- "secure management practices"
2677
- ],
2678
- coreRequirements: [ // Green - The "what"
2679
- "secure network management",
2680
- "version-controlled infrastructure-as-code",
2681
- "secure network protocols",
2682
- "infrastructure security"
2683
- ],
2684
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2685
- "securely manage",
2686
- "network infrastructure",
2687
- "version-controlled infrastructure-as-code",
2688
- "use of secure network protocols",
2689
- "SSH",
2690
- "HTTPS"
2691
- ],
2692
- implementationSuggestions: [ // Gray - Implementation suggestions
2693
- "secure network management and design policy/process",
2694
- "network management and monitoring tool",
2695
- "infrastructure-as-code platforms",
2696
- "secure protocol implementations"
2697
- ],
2698
- relatedSafeguards: ["4.2", "12.6"] },
2699
- "12.4": {
2700
- id: "12.4",
2701
- title: "Establish and Maintain Architecture Diagram(s)",
2702
- description: "Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
2703
- implementationGroup: "IG2",
2704
- assetType: ["documentation"],
2705
- securityFunction: ["Govern"],
2706
- governanceElements: [ // Orange - MUST be met
2707
- "establish architecture diagrams",
2708
- "maintain architecture diagrams",
2709
- "review and update documentation annually",
2710
- "when significant enterprise changes occur that could impact this Safeguard"
2711
- ],
2712
- coreRequirements: [ // Green - The "what"
2713
- "architecture diagrams",
2714
- "network system documentation",
2715
- "documentation review and updates",
2716
- "enterprise change management"
2717
- ],
2718
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2719
- "establish",
2720
- "maintain",
2721
- "architecture diagrams",
2722
- "other network system documentation",
2723
- "review and update documentation",
2724
- "annually",
2725
- "when significant enterprise changes occur"
2726
- ],
2727
- implementationSuggestions: [ // Gray - Implementation suggestions
2728
- "secure network management and design policy/process",
2729
- "network architecture diagramming tool",
2730
- "documentation management systems",
2731
- "architecture visualization tools"
2732
- ],
2733
- relatedSafeguards: ["3.8", "4.2", "12.2"] },
2734
- "12.5": {
2735
- id: "12.5",
2736
- title: "Centralize Network Authentication, Authorization, and Auditing (AAA)",
2737
- description: "Centralize network AAA",
2738
- implementationGroup: "IG2",
2739
- assetType: ["network"],
2740
- securityFunction: ["Protect"],
2741
- governanceElements: [ // Orange - MUST be met
2742
- "centralize network AAA",
2743
- "network authentication centralization",
2744
- "network authorization centralization",
2745
- "network auditing centralization"
2746
- ],
2747
- coreRequirements: [ // Green - The "what"
2748
- "network AAA centralization",
2749
- "authentication",
2750
- "authorization",
2751
- "auditing"
2752
- ],
2753
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2754
- "centralize",
2755
- "network AAA",
2756
- "authentication",
2757
- "authorization",
2758
- "auditing"
2759
- ],
2760
- implementationSuggestions: [ // Gray - Implementation suggestions
2761
- "secure network management and design policy/process",
2762
- "identity and access management tool",
2763
- "AAA servers",
2764
- "centralized authentication systems"
2765
- ],
2766
- relatedSafeguards: ["4.2", "5.6", "6.7", "8.9", "12.6", "12.7"] },
2767
- "12.6": {
2768
- id: "12.6",
2769
- title: "Use of Secure Network Management and Communication Protocols",
2770
- description: "Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater)",
2771
- implementationGroup: "IG2",
2772
- assetType: ["network"],
2773
- securityFunction: ["Protect"],
2774
- governanceElements: [ // Orange - MUST be met
2775
- "use secure network management protocols",
2776
- "use secure communication protocols",
2777
- "secure protocol implementation",
2778
- "enterprise-grade security protocols"
2779
- ],
2780
- coreRequirements: [ // Green - The "what"
2781
- "secure network management",
2782
- "secure communication protocols",
2783
- "802.1X implementation",
2784
- "WPA2 Enterprise or greater"
2785
- ],
2786
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2787
- "use",
2788
- "secure network management",
2789
- "communication protocols",
2790
- "802.1X",
2791
- "Wi-Fi Protected Access 2 (WPA2) Enterprise",
2792
- "greater"
2793
- ],
2794
- implementationSuggestions: [ // Gray - Implementation suggestions
2795
- "secure network management and design policy/process",
2796
- "802.1X authentication systems",
2797
- "enterprise wireless controllers",
2798
- "secure protocol implementations"
2799
- ],
2800
- relatedSafeguards: ["12.3", "12.5"] },
2801
- "12.7": {
2802
- id: "12.7",
2803
- title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
2804
- description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
2805
- implementationGroup: "IG2",
2806
- assetType: ["Devices"],
2807
- securityFunction: ["Protect"],
2808
- governanceElements: [ // Orange - MUST be met
2809
- "require users to authenticate to enterprise-managed VPN",
2810
- "authenticate to authentication services",
2811
- "prior to accessing enterprise resources on end-user devices",
2812
- "VPN and AAA integration requirements"
2813
- ],
2814
- coreRequirements: [ // Green - The "what"
2815
- "enterprise-managed VPN",
2816
- "authentication services",
2817
- "user authentication requirements",
2818
- "enterprise resource access control"
2819
- ],
2820
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2821
- "require",
2822
- "users to authenticate",
2823
- "enterprise-managed VPN",
2824
- "authentication services",
2825
- "prior to accessing enterprise resources",
2826
- "end-user devices"
2827
- ],
2828
- implementationSuggestions: [ // Gray - Implementation suggestions
2829
- "secure network management and design policy/process",
2830
- "VPN/encryption tool",
2831
- "enterprise VPN solutions",
2832
- "AAA integration systems"
2833
- ],
2834
- relatedSafeguards: ["6.4", "12.5"] },
2835
- "12.8": {
2836
- id: "12.8",
2837
- title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
2838
- description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
2839
- implementationGroup: "IG3",
2840
- assetType: ["Devices"],
2841
- securityFunction: ["Protect"],
2842
- governanceElements: [ // Orange - MUST be met
2843
- "establish dedicated computing resources for administrative work",
2844
- "maintain dedicated computing resources",
2845
- "segmented from enterprise's primary network",
2846
- "not allowed internet access"
2847
- ],
2848
- coreRequirements: [ // Green - The "what"
2849
- "dedicated computing resources (SAW)",
2850
- "administrative tasks isolation",
2851
- "administrative access separation",
2852
- "network segmentation from primary network"
2853
- ],
2854
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2855
- "establish",
2856
- "maintain",
2857
- "dedicated computing resources",
2858
- "physically or logically separated",
2859
- "all administrative tasks",
2860
- "tasks requiring administrative access",
2861
- "segmented from primary network",
2862
- "no internet access"
2863
- ],
2864
- implementationSuggestions: [ // Gray - Implementation suggestions
2865
- "secure network management and design policy/process",
2866
- "secure admin workstations (SAW)",
2867
- "network segmentation tools",
2868
- "administrative isolation systems"
2869
- ],
2870
- relatedSafeguards: ["1.1", "5.1"] },
2871
- "13.1": {
2872
- id: "13.1",
2873
- title: "Centralize Security Event Alerting",
2874
- description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
2875
- implementationGroup: "IG2",
2876
- assetType: ["network", "Devices"],
2877
- securityFunction: ["Detect"],
2878
- governanceElements: [ // Orange - MUST be met
2879
- "centralize security event alerting across enterprise assets",
2880
- "log correlation and analysis",
2881
- "active exploitation attempts monitoring"
2882
- ],
2883
- coreRequirements: [ // Green - The "what"
2884
- "centralized security event alerting",
2885
- "log correlation capabilities",
2886
- "analysis of security events",
2887
- "active exploitation attempt detection"
2888
- ],
2889
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2890
- "centralize security event alerting",
2891
- "across enterprise assets",
2892
- "for log correlation",
2893
- "for analysis",
2894
- "active exploitation attempts",
2895
- "of enterprise assets"
2896
- ],
2897
- implementationSuggestions: [ // Gray - Implementation suggestions
2898
- "security information and event management (SIEM)",
2899
- "security orchestration, automation and response (SOAR)",
2900
- "log aggregation platforms",
2901
- "event correlation engines"
2902
- ],
2903
- relatedSafeguards: ["8.1", "8.2", "8.11", "13.2", "13.3", "13.11"] },
2904
- "13.2": {
2905
- id: "13.2",
2906
- title: "Deploy a Host-Based Intrusion Detection Solution",
2907
- description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
2908
- implementationGroup: "IG2",
2909
- assetType: ["Devices"],
2910
- securityFunction: ["Detect"],
2911
- governanceElements: [ // Orange - MUST be met
2912
- "deploy host-based intrusion detection solution",
2913
- "on enterprise assets",
2914
- "where technically feasible"
2915
- ],
2916
- coreRequirements: [ // Green - The "what"
2917
- "host-based intrusion detection solution",
2918
- "deployment on enterprise assets",
2919
- "technical feasibility assessment"
2920
- ],
2921
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2922
- "deploy",
2923
- "host-based intrusion detection solution",
2924
- "on enterprise assets",
2925
- "where technically feasible"
2926
- ],
2927
- implementationSuggestions: [ // Gray - Implementation suggestions
2928
- "host-based intrusion detection systems (HIDS)",
2929
- "endpoint detection and response (EDR)",
2930
- "host-based security monitoring",
2931
- "behavioral analysis tools"
2932
- ],
2933
- relatedSafeguards: ["1.1", "13.1", "13.3", "13.7"] },
2934
- "13.3": {
2935
- id: "13.3",
2936
- title: "Deploy a Network Intrusion Detection Solution",
2937
- description: "Deploy a network intrusion detection solution with ruleset tuned for threats facing the enterprise's industry sector",
2938
- implementationGroup: "IG2",
2939
- assetType: ["network"],
2940
- securityFunction: ["Detect"],
2941
- governanceElements: [ // Orange - MUST be met
2942
- "deploy network intrusion detection solution",
2943
- "ruleset tuned for threats facing enterprise's industry sector"
2944
- ],
2945
- coreRequirements: [ // Green - The "what"
2946
- "network intrusion detection solution",
2947
- "threat-tuned rulesets",
2948
- "industry-specific threat focus"
2949
- ],
2950
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2951
- "deploy",
2952
- "network intrusion detection solution",
2953
- "with ruleset tuned",
2954
- "for threats facing",
2955
- "the enterprise's industry sector"
2956
- ],
2957
- implementationSuggestions: [ // Gray - Implementation suggestions
2958
- "network intrusion detection systems (NIDS)",
2959
- "network security monitoring",
2960
- "threat intelligence integration",
2961
- "industry-specific threat feeds"
2962
- ],
2963
- relatedSafeguards: ["13.1", "13.2", "13.8"] },
2964
- "13.4": {
2965
- id: "13.4",
2966
- title: "Perform Traffic Filtering Between Network Segments",
2967
- description: "Perform traffic filtering between network segments, where technically feasible",
2968
- implementationGroup: "IG2",
2969
- assetType: ["network"],
2970
- securityFunction: ["Protect"],
2971
- governanceElements: [ // Orange - MUST be met
2972
- "perform traffic filtering between network segments",
2973
- "where technically feasible"
2974
- ],
2975
- coreRequirements: [ // Green - The "what"
2976
- "traffic filtering between network segments",
2977
- "network segmentation controls",
2978
- "technical feasibility assessment"
2979
- ],
2980
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2981
- "perform traffic filtering",
2982
- "between network segments",
2983
- "where technically feasible"
2984
- ],
2985
- implementationSuggestions: [ // Gray - Implementation suggestions
2986
- "network firewalls",
2987
- "micro-segmentation",
2988
- "network access control",
2989
- "software-defined perimeter"
2990
- ],
2991
- relatedSafeguards: ["12.2", "12.3", "13.9"] },
2992
- "13.5": {
2993
- id: "13.5",
2994
- title: "Manage Access Control for Remote Assets",
2995
- description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
2996
- implementationGroup: "IG2",
2997
- assetType: ["Devices", "network"],
2998
- securityFunction: ["Protect"],
2999
- governanceElements: [ // Orange - MUST be met
3000
- "manage access control for assets remotely connecting to enterprise networks",
3001
- "determine amount of access based on security posture"
3002
- ],
3003
- coreRequirements: [ // Green - The "what"
3004
- "access control for remote assets",
3005
- "remote connection management",
3006
- "security posture-based access"
3007
- ],
3008
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3009
- "manage access control",
3010
- "for assets remotely connecting",
3011
- "to enterprise networks",
3012
- "determine amount of access",
3013
- "up-to-date anti-malware software",
3014
- "up-to-date system patches",
3015
- "up-to-date host-based firewall",
3016
- "up-to-date host-based intrusion detection or prevention"
3017
- ],
3018
- implementationSuggestions: [ // Gray - Implementation suggestions
3019
- "network access control (NAC)",
3020
- "zero trust network access",
3021
- "device compliance checking",
3022
- "posture assessment tools"
3023
- ],
3024
- relatedSafeguards: ["6.1", "10.1", "10.7", "12.1", "13.2"] },
3025
- "13.6": {
3026
- id: "13.6",
3027
- title: "Collect Network Traffic Flow Logs",
3028
- description: "Collect network traffic flow logs and/or network traffic to review and alert upon",
3029
- implementationGroup: "IG2",
3030
- assetType: ["network"],
3031
- securityFunction: ["Detect"],
3032
- governanceElements: [ // Orange - MUST be met
3033
- "collect network traffic flow logs and/or network traffic",
3034
- "to review and alert upon"
3035
- ],
3036
- coreRequirements: [ // Green - The "what"
3037
- "network traffic flow log collection",
3038
- "network traffic monitoring",
3039
- "review and alerting capabilities"
3040
- ],
3041
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3042
- "collect network traffic flow logs",
3043
- "collect network traffic",
3044
- "to review",
3045
- "to alert upon"
3046
- ],
3047
- implementationSuggestions: [ // Gray - Implementation suggestions
3048
- "network flow analyzers",
3049
- "packet capture systems",
3050
- "network monitoring tools",
3051
- "traffic analysis platforms"
3052
- ],
3053
- relatedSafeguards: ["8.5", "13.1", "13.3"] },
3054
- "13.7": {
3055
- id: "13.7",
3056
- title: "Deploy a Host-Based Intrusion Prevention Solution",
3057
- description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
3058
- implementationGroup: "IG3",
3059
- assetType: ["Devices"],
3060
- securityFunction: ["Respond"],
3061
- governanceElements: [ // Orange - MUST be met
3062
- "deploy host-based intrusion prevention solution",
3063
- "on enterprise assets",
3064
- "where technically feasible"
3065
- ],
3066
- coreRequirements: [ // Green - The "what"
3067
- "host-based intrusion prevention solution",
3068
- "deployment on enterprise assets",
3069
- "technical feasibility assessment"
3070
- ],
3071
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3072
- "deploy",
3073
- "host-based intrusion prevention solution",
3074
- "on enterprise assets",
3075
- "where technically feasible"
3076
- ],
3077
- implementationSuggestions: [ // Gray - Implementation suggestions
3078
- "host-based intrusion prevention systems (HIPS)",
3079
- "endpoint protection platforms",
3080
- "behavioral blocking systems",
3081
- "automated threat response"
3082
- ],
3083
- relatedSafeguards: ["13.2", "13.8"] },
3084
- "13.8": {
3085
- id: "13.8",
3086
- title: "Deploy a Network Intrusion Prevention Solution",
3087
- description: "Deploy a network intrusion prevention solution to block malicious network traffic in real-time",
3088
- implementationGroup: "IG3",
3089
- assetType: ["network"],
3090
- securityFunction: ["Respond"],
3091
- governanceElements: [ // Orange - MUST be met
3092
- "deploy network intrusion prevention solution",
3093
- "to block malicious network traffic in real-time"
3094
- ],
3095
- coreRequirements: [ // Green - The "what"
3096
- "network intrusion prevention solution",
3097
- "malicious traffic blocking",
3098
- "real-time response capabilities"
3099
- ],
3100
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3101
- "deploy",
3102
- "network intrusion prevention solution",
3103
- "to block malicious network traffic",
3104
- "in real-time"
3105
- ],
3106
- implementationSuggestions: [ // Gray - Implementation suggestions
3107
- "network intrusion prevention systems (NIPS)",
3108
- "inline security appliances",
3109
- "automated blocking systems",
3110
- "real-time threat mitigation"
3111
- ],
3112
- relatedSafeguards: ["13.3", "13.7"] },
3113
- "13.9": {
3114
- id: "13.9",
3115
- title: "Deploy Port-Level Access Control",
3116
- description: "Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates",
3117
- implementationGroup: "IG3",
3118
- assetType: ["network"],
3119
- securityFunction: ["Protect"],
3120
- governanceElements: [ // Orange - MUST be met
3121
- "deploy port-level access control",
3122
- "utilizes 802.1x or similar network access control protocols"
3123
- ],
3124
- coreRequirements: [ // Green - The "what"
3125
- "port-level access control",
3126
- "802.1x implementation",
3127
- "network access control protocols"
3128
- ],
3129
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3130
- "deploy port-level access control",
3131
- "utilizes 802.1x",
3132
- "similar network access control protocols",
3133
- "such as certificates"
3134
- ],
3135
- implementationSuggestions: [ // Gray - Implementation suggestions
3136
- "802.1x authentication",
3137
- "network access control systems",
3138
- "certificate-based authentication",
3139
- "port-based network access control"
3140
- ],
3141
- relatedSafeguards: ["12.7", "13.4"] },
3142
- "13.10": {
3143
- id: "13.10",
3144
- title: "Perform Application Layer Filtering",
3145
- description: "Perform application layer filtering to protect against the enterprise's most common network-based attacks",
3146
- implementationGroup: "IG3",
3147
- assetType: ["network", "Software"],
3148
- securityFunction: ["Protect"],
3149
- governanceElements: [ // Orange - MUST be met
3150
- "perform application layer filtering",
3151
- "to protect against enterprise's most common network-based attacks"
3152
- ],
3153
- coreRequirements: [ // Green - The "what"
3154
- "application layer filtering",
3155
- "protection against common network-based attacks",
3156
- "enterprise-specific threat focus"
3157
- ],
3158
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3159
- "perform application layer filtering",
3160
- "to protect against",
3161
- "the enterprise's most common",
3162
- "network-based attacks"
3163
- ],
3164
- implementationSuggestions: [ // Gray - Implementation suggestions
3165
- "web application firewalls",
3166
- "application layer gateways",
3167
- "deep packet inspection",
3168
- "application-aware filtering"
3169
- ],
3170
- relatedSafeguards: ["13.4", "16.11"] },
3171
- "13.11": {
3172
- id: "13.11",
3173
- title: "Tune Security Event Alerting Thresholds",
3174
- description: "Tune security event alerting thresholds monthly, or more frequently",
3175
- implementationGroup: "IG3",
3176
- assetType: ["network", "Devices"],
3177
- securityFunction: ["Detect"],
3178
- governanceElements: [ // Orange - MUST be met
3179
- "tune security event alerting thresholds",
3180
- "monthly or more frequently"
3181
- ],
3182
- coreRequirements: [ // Green - The "what"
3183
- "security event alerting threshold tuning",
3184
- "monthly tuning frequency",
3185
- "threshold optimization"
3186
- ],
3187
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3188
- "tune security event alerting thresholds",
3189
- "monthly",
3190
- "or more frequently"
3191
- ],
3192
- implementationSuggestions: [ // Gray - Implementation suggestions
3193
- "SIEM tuning processes",
3194
- "threshold optimization tools",
3195
- "alert management platforms",
3196
- "false positive reduction"
3197
- ],
3198
- relatedSafeguards: ["13.1", "8.11"] },
3199
- "14.1": {
3200
- id: "14.1",
3201
- title: "Establish and Maintain a Security Awareness Program",
3202
- description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
3203
- implementationGroup: "IG1",
3204
- assetType: ["Users"],
3205
- securityFunction: ["Govern"],
3206
- governanceElements: [ // Orange - MUST be met
3207
- "establish and maintain a security awareness program",
3208
- "conduct training at hire and at a minimum annually",
3209
- "review and update content annually or when significant enterprise changes occur"
3210
- ],
3211
- coreRequirements: [ // Green - The "what"
3212
- "security awareness program establishment",
3213
- "workforce education on secure interaction",
3214
- "enterprise assets and data security training",
3215
- "training frequency requirements"
3216
- ],
3217
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3218
- "establish security awareness program",
3219
- "maintain security awareness program",
3220
- "educate enterprise workforce",
3221
- "how to interact with enterprise assets",
3222
- "how to interact with data in secure manner",
3223
- "conduct training at hire",
3224
- "conduct training minimum annually",
3225
- "review and update content annually",
3226
- "when significant enterprise changes occur"
3227
- ],
3228
- implementationSuggestions: [ // Gray - Implementation suggestions
3229
- "security training and awareness tools",
3230
- "security training and awareness policy/process",
3231
- "training documentation systems",
3232
- "learning management systems"
3233
- ],
3234
- relatedSafeguards: ["14.2", "14.3", "14.4", "14.5", "14.6", "14.7", "14.8", "14.9"] },
3235
- "14.2": {
3236
- id: "14.2",
3237
- title: "Train Workforce Members to Recognize Social Engineering Attacks",
3238
- description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
3239
- implementationGroup: "IG1",
3240
- assetType: ["Users"],
3241
- securityFunction: ["Protect"],
3242
- governanceElements: [ // Orange - MUST be met
3243
- "train workforce members to recognize social engineering attacks",
3244
- "such as phishing, business email compromise, pretexting, and tailgating"
3245
- ],
3246
- coreRequirements: [ // Green - The "what"
3247
- "workforce training on social engineering recognition",
3248
- "phishing attack awareness",
3249
- "business email compromise awareness",
3250
- "pretexting attack awareness",
3251
- "tailgating attack awareness"
3252
- ],
3253
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3254
- "train workforce members",
3255
- "to recognize social engineering attacks",
3256
- "such as phishing",
3257
- "such as business email compromise (BEC)",
3258
- "such as pretexting",
3259
- "such as tailgating"
3260
- ],
3261
- implementationSuggestions: [ // Gray - Implementation suggestions
3262
- "security training and awareness tools",
3263
- "phishing simulation platforms",
3264
- "social engineering awareness training",
3265
- "security awareness modules"
3266
- ],
3267
- relatedSafeguards: ["14.1"] },
3268
- "14.3": {
3269
- id: "14.3",
3270
- title: "Train Workforce Members on Authentication Best Practices",
3271
- description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
3272
- implementationGroup: "IG1",
3273
- assetType: ["Users"],
3274
- securityFunction: ["Protect"],
3275
- governanceElements: [ // Orange - MUST be met
3276
- "train workforce members on authentication best practices",
3277
- "example topics include MFA, password composition, and credential management"
3278
- ],
3279
- coreRequirements: [ // Green - The "what"
3280
- "authentication best practices training",
3281
- "MFA training",
3282
- "password composition training",
3283
- "credential management training"
3284
- ],
3285
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3286
- "train workforce members",
3287
- "on authentication best practices",
3288
- "example topics include MFA",
3289
- "example topics include password composition",
3290
- "example topics include credential management"
3291
- ],
3292
- implementationSuggestions: [ // Gray - Implementation suggestions
3293
- "security training and awareness tools",
3294
- "authentication training modules",
3295
- "password security training",
3296
- "MFA awareness programs"
3297
- ],
3298
- relatedSafeguards: ["14.1", "6.2", "6.3"] },
3299
- "14.4": {
3300
- id: "14.4",
3301
- title: "Train Workforce on Data Handling Best Practices",
3302
- description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
3303
- implementationGroup: "IG1",
3304
- assetType: ["Users"],
3305
- securityFunction: ["Protect"],
3306
- governanceElements: [ // Orange - MUST be met
3307
- "train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
3308
- "training on clear screen and desk best practices",
3309
- "such as locking screen when stepping away, erasing whiteboards, storing data securely"
3310
- ],
3311
- coreRequirements: [ // Green - The "what"
3312
- "data handling best practices training",
3313
- "sensitive data identification training",
3314
- "secure data storage, transfer, archive, destroy procedures",
3315
- "clear screen and desk policies"
3316
- ],
3317
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3318
- "train workforce members on how to",
3319
- "identify sensitive data",
3320
- "properly store sensitive data",
3321
- "properly transfer sensitive data",
3322
- "properly archive sensitive data",
3323
- "properly destroy sensitive data",
3324
- "clear screen best practices",
3325
- "clear desk best practices",
3326
- "locking screen when stepping away",
3327
- "erasing physical whiteboards at end of meetings",
3328
- "erasing virtual whiteboards at end of meetings",
3329
- "storing data and assets securely"
3330
- ],
3331
- implementationSuggestions: [ // Gray - Implementation suggestions
3332
- "security training and awareness tools",
3333
- "data handling training modules",
3334
- "clean desk policy training",
3335
- "data classification training"
3336
- ],
3337
- relatedSafeguards: ["14.1", "3.1", "3.2"] },
3338
- "14.5": {
3339
- id: "14.5",
3340
- title: "Train Workforce Members on Causes of Unintentional Data Exposure",
3341
- description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
3342
- implementationGroup: "IG1",
3343
- assetType: ["Users"],
3344
- securityFunction: ["Protect"],
3345
- governanceElements: [ // Orange - MUST be met
3346
- "train workforce members to be aware of causes for unintentional data exposure",
3347
- "example topics include mis-delivery, losing portable devices, publishing to unintended audiences"
3348
- ],
3349
- coreRequirements: [ // Green - The "what"
3350
- "unintentional data exposure awareness training",
3351
- "mis-delivery prevention training",
3352
- "portable device security awareness",
3353
- "data publication controls training"
3354
- ],
3355
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3356
- "train workforce members",
3357
- "to be aware of causes for unintentional data exposure",
3358
- "example topics include mis-delivery of sensitive data",
3359
- "example topics include losing a portable end-user device",
3360
- "example topics include publishing data to unintended audiences"
3361
- ],
3362
- implementationSuggestions: [ // Gray - Implementation suggestions
3363
- "security training and awareness tools",
3364
- "data loss prevention training",
3365
- "device security awareness training",
3366
- "data sharing awareness programs"
3367
- ],
3368
- relatedSafeguards: ["14.1", "3.3"] },
3369
- "14.6": {
3370
- id: "14.6",
3371
- title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
3372
- description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
3373
- implementationGroup: "IG1",
3374
- assetType: ["Users"],
3375
- securityFunction: ["Protect"],
3376
- governanceElements: [ // Orange - MUST be met
3377
- "train workforce members to be able to recognize a potential incident",
3378
- "train workforce members to be able to report such an incident"
3379
- ],
3380
- coreRequirements: [ // Green - The "what"
3381
- "security incident recognition training",
3382
- "incident reporting training",
3383
- "potential incident identification",
3384
- "incident reporting procedures"
3385
- ],
3386
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3387
- "train workforce members",
3388
- "to be able to recognize a potential incident",
3389
- "to be able to report such an incident"
3390
- ],
3391
- implementationSuggestions: [ // Gray - Implementation suggestions
3392
- "security training and awareness tools",
3393
- "incident response training",
3394
- "security incident awareness programs",
3395
- "incident reporting tools"
3396
- ],
3397
- relatedSafeguards: ["14.1", "17.3"] },
3398
- "14.7": {
3399
- id: "14.7",
3400
- title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
3401
- description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
3402
- implementationGroup: "IG1",
3403
- assetType: ["Users"],
3404
- securityFunction: ["Protect"],
3405
- governanceElements: [ // Orange - MUST be met
3406
- "train workforce to understand how to verify and report out-of-date software patches",
3407
- "train on reporting failures in automated processes and tools",
3408
- "include notifying IT personnel of any failures in automated processes and tools"
3409
- ],
3410
- coreRequirements: [ // Green - The "what"
3411
- "security update verification training",
3412
- "out-of-date software patch identification",
3413
- "automated process failure reporting",
3414
- "IT personnel notification procedures"
3415
- ],
3416
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3417
- "train workforce to understand how to",
3418
- "verify out-of-date software patches",
3419
- "report out-of-date software patches",
3420
- "report any failures in automated processes",
3421
- "report any failures in automated tools",
3422
- "training should include notifying IT personnel",
3423
- "of any failures in automated processes",
3424
- "of any failures in automated tools"
3425
- ],
3426
- implementationSuggestions: [ // Gray - Implementation suggestions
3427
- "security training and awareness tools",
3428
- "patch management awareness training",
3429
- "IT support reporting procedures",
3430
- "automated system monitoring training"
3431
- ],
3432
- relatedSafeguards: ["14.1", "7.3", "7.4"] },
3433
- "14.8": {
3434
- id: "14.8",
3435
- title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
3436
- description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
3437
- implementationGroup: "IG1",
3438
- assetType: ["Users"],
3439
- securityFunction: ["Protect"],
3440
- governanceElements: [ // Orange - MUST be met
3441
- "train workforce members on dangers of connecting to and transmitting data over insecure networks",
3442
- "if enterprise has remote workers, training must include guidance for secure home network configuration"
3443
- ],
3444
- coreRequirements: [ // Green - The "what"
3445
- "insecure network dangers training",
3446
- "secure connection practices",
3447
- "enterprise data transmission security",
3448
- "remote worker home network security"
3449
- ],
3450
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3451
- "train workforce members on the dangers of",
3452
- "connecting to insecure networks",
3453
- "transmitting data over insecure networks",
3454
- "for enterprise activities",
3455
- "if enterprise has remote workers",
3456
- "training must include guidance",
3457
- "to ensure all users securely configure",
3458
- "their home network infrastructure"
3459
- ],
3460
- implementationSuggestions: [ // Gray - Implementation suggestions
3461
- "security training and awareness tools",
3462
- "network security awareness training",
3463
- "remote work security training",
3464
- "home network configuration guides"
3465
- ],
3466
- relatedSafeguards: ["14.1", "12.1"] },
3467
- "14.9": {
3468
- id: "14.9",
3469
- title: "Conduct Role-Specific Security Awareness and Skills Training",
3470
- description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
3471
- implementationGroup: "IG2",
3472
- assetType: ["Users"],
3473
- securityFunction: ["Protect"],
3474
- governanceElements: [ // Orange - MUST be met
3475
- "conduct role-specific security awareness and skills training",
3476
- "example implementations include secure system administration courses, OWASP Top 10 training, and advanced social engineering training"
3477
- ],
3478
- coreRequirements: [ // Green - The "what"
3479
- "role-specific security awareness training",
3480
- "role-specific skills training",
3481
- "IT professional system administration courses",
3482
- "developer OWASP Top 10 training",
3483
- "high-profile role advanced social engineering training"
3484
- ],
3485
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3486
- "conduct role-specific security awareness training",
3487
- "conduct role-specific skills training",
3488
- "secure system administration courses for IT professionals",
3489
- "OWASP Top 10 vulnerability awareness and prevention training for web application developers",
3490
- "advanced social engineering awareness training for high-profile roles"
3491
- ],
3492
- implementationSuggestions: [ // Gray - Implementation suggestions
3493
- "security training and awareness tools",
3494
- "role-based training programs",
3495
- "specialized security courses",
3496
- "professional development programs"
3497
- ],
3498
- relatedSafeguards: ["14.1", "16.9"] },
3499
- "15.1": {
3500
- id: "15.1",
3501
- title: "Establish and Maintain an Inventory of Service Providers",
3502
- description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
3503
- implementationGroup: "IG1",
3504
- assetType: ["Users"],
3505
- securityFunction: ["Identify"],
3506
- governanceElements: [ // Orange - MUST be met
3507
- "establish and maintain an inventory of service providers",
3508
- "list all known service providers, include classifications, designate enterprise contact",
3509
- "review and update inventory annually or when significant enterprise changes occur"
3510
- ],
3511
- coreRequirements: [ // Green - The "what"
3512
- "service provider inventory establishment",
3513
- "comprehensive service provider listing",
3514
- "classification system implementation",
3515
- "enterprise contact designation"
3516
- ],
3517
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3518
- "establish inventory of service providers",
3519
- "maintain inventory of service providers",
3520
- "list all known service providers",
3521
- "include classifications",
3522
- "designate an enterprise contact for each service provider",
3523
- "review and update the inventory annually",
3524
- "when significant enterprise changes occur that could impact this safeguard"
3525
- ],
3526
- implementationSuggestions: [ // Gray - Implementation suggestions
3527
- "third-party risk management tools",
3528
- "service provider management platforms",
3529
- "vendor inventory systems",
3530
- "supplier relationship management tools"
3531
- ],
3532
- relatedSafeguards: ["2.1", "8.12", "15.2", "15.3", "15.4", "15.5", "15.6", "15.7"] },
3533
- "15.2": {
3534
- id: "15.2",
3535
- title: "Establish and Maintain a Service Provider Management Policy",
3536
- description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
3537
- implementationGroup: "IG2",
3538
- assetType: ["Users"],
3539
- securityFunction: ["Govern"],
3540
- governanceElements: [ // Orange - MUST be met
3541
- "establish and maintain a service provider management policy",
3542
- "ensure policy addresses classification, inventory, assessment, monitoring, and decommissioning",
3543
- "review and update policy annually or when significant enterprise changes occur"
3544
- ],
3545
- coreRequirements: [ // Green - The "what"
3546
- "service provider management policy establishment",
3547
- "comprehensive policy coverage",
3548
- "classification processes",
3549
- "inventory management processes",
3550
- "assessment processes",
3551
- "monitoring processes",
3552
- "decommissioning processes"
3553
- ],
3554
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3555
- "establish service provider management policy",
3556
- "maintain service provider management policy",
3557
- "ensure policy addresses classification",
3558
- "ensure policy addresses inventory",
3559
- "ensure policy addresses assessment",
3560
- "ensure policy addresses monitoring",
3561
- "ensure policy addresses decommissioning of service providers",
3562
- "review and update policy annually",
3563
- "when significant enterprise changes occur that could impact this safeguard"
3564
- ],
3565
- implementationSuggestions: [ // Gray - Implementation suggestions
3566
- "service provider management policy documentation",
3567
- "third-party risk management frameworks",
3568
- "vendor management policy templates",
3569
- "supplier governance documentation"
3570
- ],
3571
- relatedSafeguards: ["15.1", "15.3", "15.4", "15.5", "15.6", "15.7"] },
3572
- "15.3": {
3573
- id: "15.3",
3574
- title: "Classify Service Providers",
3575
- description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
3576
- implementationGroup: "IG2",
3577
- assetType: ["Users"],
3578
- securityFunction: ["Govern"],
3579
- governanceElements: [ // Orange - MUST be met
3580
- "classify service providers",
3581
- "classification may include data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, mitigated risk",
3582
- "update and review classifications annually or when significant enterprise changes occur"
3583
- ],
3584
- coreRequirements: [ // Green - The "what"
3585
- "service provider classification system",
3586
- "risk-based classification criteria",
3587
- "data sensitivity classification",
3588
- "regulatory compliance classification"
3589
- ],
3590
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3591
- "classify service providers",
3592
- "classification consideration may include one or more characteristics",
3593
- "such as data sensitivity",
3594
- "such as data volume",
3595
- "such as availability requirements",
3596
- "such as applicable regulations",
3597
- "such as inherent risk",
3598
- "such as mitigated risk",
3599
- "update and review classifications annually",
3600
- "when significant enterprise changes occur that could impact this safeguard"
3601
- ],
3602
- implementationSuggestions: [ // Gray - Implementation suggestions
3603
- "service provider management policy",
3604
- "risk classification frameworks",
3605
- "data sensitivity classification schemes",
3606
- "regulatory compliance matrices"
3607
- ],
3608
- relatedSafeguards: ["15.1", "15.2"] },
3609
- "15.4": {
3610
- id: "15.4",
3611
- title: "Ensure Service Provider Contracts Include Security Requirements",
3612
- description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
3613
- implementationGroup: "IG2",
3614
- assetType: ["Users"],
3615
- securityFunction: ["Govern"],
3616
- governanceElements: [ // Orange - MUST be met
3617
- "ensure service provider contracts include security requirements",
3618
- "security requirements must be consistent with enterprise's service provider management policy",
3619
- "review service provider contracts annually to ensure contracts are not missing security requirements"
3620
- ],
3621
- coreRequirements: [ // Green - The "what"
3622
- "contract security requirements inclusion",
3623
- "minimum security program requirements",
3624
- "security incident and data breach notification requirements",
3625
- "data encryption requirements",
3626
- "data disposal commitments"
3627
- ],
3628
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3629
- "ensure service provider contracts include security requirements",
3630
- "example requirements may include minimum security program requirements",
3631
- "security incident and/or data breach notification and response",
3632
- "data encryption requirements",
3633
- "data disposal commitments",
3634
- "security requirements must be consistent with enterprise's service provider management policy",
3635
- "review service provider contracts annually",
3636
- "to ensure contracts are not missing security requirements"
3637
- ],
3638
- implementationSuggestions: [ // Gray - Implementation suggestions
3639
- "contract management systems",
3640
- "service provider management policy",
3641
- "legal contract templates",
3642
- "security requirement checklists"
3643
- ],
3644
- relatedSafeguards: ["15.1", "15.2"] },
3645
- "15.5": {
3646
- id: "15.5",
3647
- title: "Assess Service Providers",
3648
- description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
3649
- implementationGroup: "IG3",
3650
- assetType: ["Users"],
3651
- securityFunction: ["Govern"],
3652
- governanceElements: [ // Orange - MUST be met
3653
- "assess service providers consistent with enterprise's service provider management policy",
3654
- "assessment scope may vary based on classifications and may include SOC 2, PCI AoC, customized questionnaires, or other rigorous processes",
3655
- "reassess service providers annually at minimum or with new and renewed contracts"
3656
- ],
3657
- coreRequirements: [ // Green - The "what"
3658
- "service provider assessment processes",
3659
- "standardized assessment report reviews",
3660
- "customized questionnaire assessments",
3661
- "rigorous assessment methodologies"
3662
- ],
3663
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3664
- "assess service providers consistent with enterprise's service provider management policy",
3665
- "assessment scope may vary based on classifications",
3666
- "may include review of standardized assessment reports",
3667
- "such as Service Organization Control 2 (SOC 2)",
3668
- "Payment Card Industry (PCI) Attestation of Compliance (AoC)",
3669
- "customized questionnaires",
3670
- "other appropriately rigorous processes",
3671
- "reassess service providers annually at a minimum",
3672
- "or with new and renewed contracts"
3673
- ],
3674
- implementationSuggestions: [ // Gray - Implementation suggestions
3675
- "third-party risk management tools",
3676
- "service provider management policy",
3677
- "assessment questionnaire platforms",
3678
- "compliance monitoring systems"
3679
- ],
3680
- relatedSafeguards: ["15.1", "15.2"] },
3681
- "15.6": {
3682
- id: "15.6",
3683
- title: "Monitor Service Providers",
3684
- description: "Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring",
3685
- implementationGroup: "IG3",
3686
- assetType: ["Data"],
3687
- securityFunction: ["Govern"],
3688
- governanceElements: [ // Orange - MUST be met
3689
- "monitor service providers consistent with enterprise's service provider management policy",
3690
- "monitoring may include periodic reassessment, release notes monitoring, and dark web monitoring"
3691
- ],
3692
- coreRequirements: [ // Green - The "what"
3693
- "service provider monitoring processes",
3694
- "periodic compliance reassessment",
3695
- "service provider release notes monitoring",
3696
- "dark web monitoring"
3697
- ],
3698
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3699
- "monitor service providers",
3700
- "consistent with enterprise's service provider management policy",
3701
- "monitoring may include periodic reassessment of service provider compliance",
3702
- "monitoring service provider release notes",
3703
- "dark web monitoring"
3704
- ],
3705
- implementationSuggestions: [ // Gray - Implementation suggestions
3706
- "third-party risk management tools",
3707
- "service provider management policy",
3708
- "dark web monitoring services",
3709
- "compliance monitoring platforms"
3710
- ],
3711
- relatedSafeguards: ["15.1", "15.2"] },
3712
- "15.7": {
3713
- id: "15.7",
3714
- title: "Securely Decommission Service Providers",
3715
- description: "Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems",
3716
- implementationGroup: "IG3",
3717
- assetType: ["Data"],
3718
- securityFunction: ["Protect"],
3719
- governanceElements: [ // Orange - MUST be met
3720
- "securely decommission service providers",
3721
- "example considerations include user and service account deactivation, termination of data flows, secure disposal of enterprise data"
3722
- ],
3723
- coreRequirements: [ // Green - The "what"
3724
- "secure service provider decommissioning",
3725
- "user and service account deactivation",
3726
- "data flow termination",
3727
- "secure enterprise data disposal"
3728
- ],
3729
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3730
- "securely decommission service providers",
3731
- "example considerations include user and service account deactivation",
3732
- "termination of data flows",
3733
- "secure disposal of enterprise data within service provider systems"
3734
- ],
3735
- implementationSuggestions: [ // Gray - Implementation suggestions
3736
- "service provider management policy",
3737
- "data destruction procedures",
3738
- "account deactivation processes",
3739
- "secure decommissioning checklists"
3740
- ],
3741
- relatedSafeguards: ["15.1", "15.2"] },
3742
- "16.1": {
3743
- id: "16.1",
3744
- title: "Establish and Maintain a Secure Application Development Process",
3745
- description: "Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
3746
- implementationGroup: "IG2",
3747
- assetType: ["Software"],
3748
- securityFunction: ["Govern"],
3749
- governanceElements: [ // Orange - MUST be met
3750
- "establish and maintain a secure application development process",
3751
- "review and update documentation annually or when significant enterprise changes occur that could impact this safeguard"
3752
- ],
3753
- coreRequirements: [ // Green - The "what"
3754
- "secure application development process",
3755
- "secure application design standards",
3756
- "secure coding practices",
3757
- "developer training",
3758
- "vulnerability management",
3759
- "security of third-party code",
3760
- "application security testing procedures"
3761
- ],
3762
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3763
- "address such items as secure application design standards",
3764
- "address such items as secure coding practices",
3765
- "address such items as developer training",
3766
- "address such items as vulnerability management",
3767
- "address such items as security of third-party code",
3768
- "address such items as application security testing procedures",
3769
- "review and update documentation annually",
3770
- "when significant enterprise changes occur"
3771
- ],
3772
- implementationSuggestions: [ // Gray - Implementation suggestions
3773
- "secure development lifecycle (SDLC) frameworks",
3774
- "application security policies",
3775
- "development process documentation",
3776
- "security training programs for developers"
3777
- ],
3778
- relatedSafeguards: ["16.2", "16.3", "16.4", "16.5", "16.6", "16.7", "16.8", "16.9", "16.10", "16.11", "16.12", "16.13", "16.14"] },
3779
- "16.2": {
3780
- id: "16.2",
3781
- title: "Establish and Maintain a Process to Accept and Address Software Vulnerabilities",
3782
- description: "Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders",
3783
- implementationGroup: "IG2",
3784
- assetType: ["Software"],
3785
- securityFunction: ["Govern"],
3786
- governanceElements: [ // Orange - MUST be met
3787
- "establish and maintain a process to accept and address reports of software vulnerabilities",
3788
- "provide a means for external entities to report vulnerabilities",
3789
- "review and update documentation annually or when significant enterprise changes occur that could impact this safeguard"
3790
- ],
3791
- coreRequirements: [ // Green - The "what"
3792
- "process to accept and address software vulnerabilities",
3793
- "vulnerability handling policy",
3794
- "reporting process",
3795
- "responsible party for handling vulnerability reports",
3796
- "process for intake, assignment, remediation, and remediation testing",
3797
- "vulnerability tracking system",
3798
- "severity ratings",
3799
- "metrics for measuring timing"
3800
- ],
3801
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3802
- "vulnerability handling policy that identifies reporting process",
3803
- "process for intake",
3804
- "process for assignment",
3805
- "process for remediation",
3806
- "process for remediation testing",
3807
- "vulnerability tracking system that includes severity ratings",
3808
- "metrics for measuring timing for identification of vulnerabilities",
3809
- "metrics for measuring timing for analysis of vulnerabilities",
3810
- "metrics for measuring timing for remediation of vulnerabilities",
3811
- "externally-facing policy that helps to set expectations for outside stakeholders"
3812
- ],
3813
- implementationSuggestions: [ // Gray - Implementation suggestions
3814
- "vulnerability disclosure platforms",
3815
- "bug bounty programs",
3816
- "vulnerability management systems",
3817
- "incident response tools"
3818
- ],
3819
- relatedSafeguards: ["16.1", "16.3", "16.6"] },
3820
- "16.3": {
3821
- id: "16.3",
3822
- title: "Perform Root Cause Analysis on Security Vulnerabilities",
3823
- description: "Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise",
3824
- implementationGroup: "IG2",
3825
- assetType: ["Software"],
3826
- securityFunction: ["Protect"],
3827
- governanceElements: [ // Orange - MUST be met
3828
- "perform root cause analysis on security vulnerabilities"
3829
- ],
3830
- coreRequirements: [ // Green - The "what"
3831
- "root cause analysis on security vulnerabilities",
3832
- "evaluating underlying issues that create vulnerabilities in code"
3833
- ],
3834
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3835
- "when reviewing vulnerabilities",
3836
- "root cause analysis is the task of evaluating underlying issues",
3837
- "allows development teams to move beyond just fixing individual vulnerabilities as they arise"
3838
- ],
3839
- implementationSuggestions: [ // Gray - Implementation suggestions
3840
- "code analysis tools",
3841
- "vulnerability assessment platforms",
3842
- "development team training on root cause analysis",
3843
- "systematic vulnerability review processes"
3844
- ],
3845
- relatedSafeguards: ["16.1", "16.2"] },
3846
- "16.4": {
3847
- id: "16.4",
3848
- title: "Establish and Manage an Inventory of Third-Party Software Components",
3849
- description: "Establish and manage an updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported",
3850
- implementationGroup: "IG2",
3851
- assetType: ["Software"],
3852
- securityFunction: ["Identify"],
3853
- governanceElements: [ // Orange - MUST be met
3854
- "establish and manage an updated inventory of third-party components used in development",
3855
- "evaluate the list at least monthly to identify any changes or updates to these components and validate that the component is still supported"
3856
- ],
3857
- coreRequirements: [ // Green - The "what"
3858
- "updated inventory of third-party components",
3859
- "bill of materials",
3860
- "components slated for future use",
3861
- "risks that each third-party component could pose",
3862
- "monthly evaluation",
3863
- "component support validation"
3864
- ],
3865
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3866
- "third-party components used in development",
3867
- "often referred to as bill of materials",
3868
- "components slated for future use",
3869
- "any risks that each third-party component could pose",
3870
- "identify any changes or updates to these components",
3871
- "validate that the component is still supported"
3872
- ],
3873
- implementationSuggestions: [ // Gray - Implementation suggestions
3874
- "software composition analysis (SCA) tools",
3875
- "dependency management systems",
3876
- "component vulnerability databases",
3877
- "automated inventory tracking tools"
3878
- ],
3879
- relatedSafeguards: ["16.1", "16.5"] },
3880
- "16.5": {
3881
- id: "16.5",
3882
- title: "Use Up-to-Date and Trusted Third-Party Software Components",
3883
- description: "Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use",
3884
- implementationGroup: "IG2",
3885
- assetType: ["Software"],
3886
- securityFunction: ["Protect"],
3887
- governanceElements: [ // Orange - MUST be met
3888
- "use up-to-date and trusted third-party software components"
3889
- ],
3890
- coreRequirements: [ // Green - The "what"
3891
- "up-to-date third-party software components",
3892
- "trusted third-party software components",
3893
- "established and proven frameworks and libraries",
3894
- "adequate security",
3895
- "trusted sources",
3896
- "vulnerability evaluation before use"
3897
- ],
3898
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3899
- "when possible choose established and proven frameworks and libraries",
3900
- "that provide adequate security",
3901
- "acquire these components from trusted sources",
3902
- "evaluate the software for vulnerabilities before use"
3903
- ],
3904
- implementationSuggestions: [ // Gray - Implementation suggestions
3905
- "software composition analysis (SCA) tools",
3906
- "trusted software repositories",
3907
- "vulnerability scanning tools",
3908
- "component security assessment processes"
3909
- ],
3910
- relatedSafeguards: ["16.1", "16.4", "16.11", "7.1"] },
3911
- "16.6": {
3912
- id: "16.6",
3913
- title: "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities",
3914
- description: "Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually",
3915
- implementationGroup: "IG2",
3916
- assetType: ["Software"],
3917
- securityFunction: ["Govern"],
3918
- governanceElements: [ // Orange - MUST be met
3919
- "establish and maintain a severity rating system and process for application vulnerabilities",
3920
- "review and update the system and process annually"
3921
- ],
3922
- coreRequirements: [ // Green - The "what"
3923
- "severity rating system",
3924
- "process for application vulnerabilities",
3925
- "prioritizing the order in which discovered vulnerabilities are fixed",
3926
- "minimum level of security acceptability for releasing code or applications",
3927
- "systematic way of triaging vulnerabilities"
3928
- ],
3929
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3930
- "facilitates prioritizing the order in which discovered vulnerabilities are fixed",
3931
- "setting a minimum level of security acceptability for releasing code or applications",
3932
- "severity ratings bring a systematic way of triaging vulnerabilities",
3933
- "improves risk management",
3934
- "helps ensure the most severe bugs are fixed first"
3935
- ],
3936
- implementationSuggestions: [ // Gray - Implementation suggestions
3937
- "CVSS scoring systems",
3938
- "vulnerability management platforms",
3939
- "risk assessment frameworks",
3940
- "prioritization workflows"
3941
- ],
3942
- relatedSafeguards: ["16.1", "16.2"] },
3943
- "16.7": {
3944
- id: "16.7",
3945
- title: "Use Standard Hardening Configuration Templates for Application Infrastructure",
3946
- description: "Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening",
3947
- implementationGroup: "IG2",
3948
- assetType: ["Software"],
3949
- securityFunction: ["Protect"],
3950
- governanceElements: [ // Orange - MUST be met
3951
- "use standard, industry-recommended hardening configuration templates for application infrastructure components",
3952
- "do not allow in-house developed software to weaken configuration hardening"
3953
- ],
3954
- coreRequirements: [ // Green - The "what"
3955
- "standard hardening configuration templates",
3956
- "application infrastructure components",
3957
- "underlying servers",
3958
- "databases",
3959
- "web servers",
3960
- "cloud containers",
3961
- "Platform as a Service (PaaS) components",
3962
- "SaaS components"
3963
- ],
3964
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3965
- "industry-recommended hardening configuration templates",
3966
- "includes underlying servers, databases, and web servers",
3967
- "applies to cloud containers",
3968
- "applies to Platform as a Service (PaaS) components",
3969
- "applies to SaaS components"
3970
- ],
3971
- implementationSuggestions: [ // Gray - Implementation suggestions
3972
- "configuration baseline tools",
3973
- "infrastructure as code (IaC) templates",
3974
- "security hardening guides",
3975
- "automated configuration management"
3976
- ],
3977
- relatedSafeguards: ["16.1"] },
3978
- "16.8": {
3979
- id: "16.8",
3980
- title: "Separate Production and Non-Production Systems",
3981
- description: "Maintain separate environments for production and non-production systems",
3982
- implementationGroup: "IG2",
3983
- assetType: ["network"],
3984
- securityFunction: ["Protect"],
3985
- governanceElements: [ // Orange - MUST be met
3986
- "maintain separate environments for production and non-production systems"
3987
- ],
3988
- coreRequirements: [ // Green - The "what"
3989
- "separate environments",
3990
- "production systems",
3991
- "non-production systems"
3992
- ],
3993
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
3994
- "separate environments for production systems",
3995
- "separate environments for non-production systems"
3996
- ],
3997
- implementationSuggestions: [ // Gray - Implementation suggestions
3998
- "network segmentation tools",
3999
- "environment isolation technologies",
4000
- "access control systems",
4001
- "deployment pipeline controls"
4002
- ],
4003
- relatedSafeguards: ["16.1"] },
4004
- "16.9": {
4005
- id: "16.9",
4006
- title: "Train Developers in Application Security Concepts and Secure Coding",
4007
- description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
4008
- implementationGroup: "IG2",
4009
- assetType: ["Users"],
4010
- securityFunction: ["Protect"],
4011
- governanceElements: [ // Orange - MUST be met
4012
- "ensure that all software development personnel receive training in writing secure code",
4013
- "conduct training at least annually"
4014
- ],
4015
- coreRequirements: [ // Green - The "what"
4016
- "training in writing secure code",
4017
- "specific development environment and responsibilities",
4018
- "general security principles",
4019
- "application security standard practices",
4020
- "promote security within the development team",
4021
- "build a culture of security among the developers"
4022
- ],
4023
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4024
- "all software development personnel receive training",
4025
- "for their specific development environment and responsibilities",
4026
- "training can include general security principles",
4027
- "training can include application security standard practices",
4028
- "design in a way to promote security within the development team",
4029
- "build a culture of security among the developers"
4030
- ],
4031
- implementationSuggestions: [ // Gray - Implementation suggestions
4032
- "security training and awareness tools",
4033
- "secure coding training programs",
4034
- "developer security certifications",
4035
- "hands-on security workshops"
4036
- ],
4037
- relatedSafeguards: ["16.1", "14.1", "14.9"] },
4038
- "16.10": {
4039
- id: "16.10",
4040
- title: "Apply Secure Design Principles in Application Architectures",
4041
- description: "Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\" Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts",
4042
- implementationGroup: "IG2",
4043
- assetType: ["Software"],
4044
- securityFunction: ["Protect"],
4045
- governanceElements: [ // Orange - MUST be met
4046
- "apply secure design principles in application architectures"
4047
- ],
4048
- coreRequirements: [ // Green - The "what"
4049
- "secure design principles",
4050
- "concept of least privilege",
4051
- "enforcing mediation to validate every operation",
4052
- "never trust user input",
4053
- "explicit error checking for all input",
4054
- "minimizing the application infrastructure attack surface"
4055
- ],
4056
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4057
- "concept of least privilege",
4058
- "enforcing mediation",
4059
- "validate every operation that the user makes",
4060
- "promoting the concept of never trust user input",
4061
- "ensuring that explicit error checking is performed and documented for all input",
4062
- "including for size, data type, and acceptable ranges or formats",
4063
- "turning off unprotected ports and services",
4064
- "removing unnecessary programs and files",
4065
- "renaming or removing default accounts"
4066
- ],
4067
- implementationSuggestions: [ // Gray - Implementation suggestions
4068
- "secure architecture frameworks",
4069
- "input validation libraries",
4070
- "access control systems",
4071
- "security design patterns"
4072
- ],
4073
- relatedSafeguards: ["16.1"] },
4074
- "16.11": {
4075
- id: "16.11",
4076
- title: "Leverage Vetted Modules or Services for Application Security Components",
4077
- description: "Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs",
4078
- implementationGroup: "IG2",
4079
- assetType: ["Software"],
4080
- securityFunction: ["Identify"],
4081
- governanceElements: [ // Orange - MUST be met
4082
- "leverage vetted modules or services for application security components",
4083
- "use only standardized, currently accepted, and extensively reviewed encryption algorithms"
4084
- ],
4085
- coreRequirements: [ // Green - The "what"
4086
- "vetted modules or services",
4087
- "application security components",
4088
- "identity management",
4089
- "encryption",
4090
- "auditing and logging",
4091
- "platform features in critical security functions",
4092
- "identification, authentication, and authorization mechanisms",
4093
- "secure audit logs"
4094
- ],
4095
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4096
- "such as identity management, encryption, and auditing and logging",
4097
- "using platform features in critical security functions will reduce developers' workload",
4098
- "minimize the likelihood of design or implementation errors",
4099
- "modern operating systems provide effective mechanisms for identification, authentication, and authorization",
4100
- "make those mechanisms available to applications",
4101
- "operating systems also provide mechanisms to create and maintain secure audit logs"
4102
- ],
4103
- implementationSuggestions: [ // Gray - Implementation suggestions
4104
- "established security libraries",
4105
- "platform security services",
4106
- "cryptographic modules",
4107
- "operating system security features"
4108
- ],
4109
- relatedSafeguards: ["16.1", "16.5"] },
4110
- "16.12": {
4111
- id: "16.12",
4112
- title: "Implement Code-Level Security Checks",
4113
- description: "Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed",
4114
- implementationGroup: "IG3",
4115
- assetType: ["Software"],
4116
- securityFunction: ["Protect"],
4117
- governanceElements: [ // Orange - MUST be met
4118
- "apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed"
4119
- ],
4120
- coreRequirements: [ // Green - The "what"
4121
- "static analysis tools",
4122
- "dynamic analysis tools",
4123
- "application life cycle",
4124
- "secure coding practices verification"
4125
- ],
4126
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4127
- "apply static analysis tools within the application life cycle",
4128
- "apply dynamic analysis tools within the application life cycle",
4129
- "verify that secure coding practices are being followed"
4130
- ],
4131
- implementationSuggestions: [ // Gray - Implementation suggestions
4132
- "code analysis tools",
4133
- "static application security testing (SAST)",
4134
- "dynamic application security testing (DAST)",
4135
- "interactive application security testing (IAST)"
4136
- ],
4137
- relatedSafeguards: ["16.1"] },
4138
- "16.13": {
4139
- id: "16.13",
4140
- title: "Conduct Application Penetration Testing",
4141
- description: "Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user",
4142
- implementationGroup: "IG3",
4143
- assetType: ["Software"],
4144
- securityFunction: ["Detect"],
4145
- governanceElements: [ // Orange - MUST be met
4146
- "conduct application penetration testing"
4147
- ],
4148
- coreRequirements: [ // Green - The "what"
4149
- "application penetration testing",
4150
- "authenticated penetration testing for critical applications",
4151
- "business logic vulnerabilities",
4152
- "manual manipulation of application",
4153
- "authenticated and unauthenticated user testing"
4154
- ],
4155
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4156
- "for critical applications",
4157
- "authenticated penetration testing is better suited to finding business logic vulnerabilities",
4158
- "than code scanning and automated security testing",
4159
- "penetration testing relies on the skill of the tester",
4160
- "to manually manipulate an application as an authenticated and unauthenticated user"
4161
- ],
4162
- implementationSuggestions: [ // Gray - Implementation suggestions
4163
- "application security testing tools",
4164
- "penetration testing frameworks",
4165
- "security testing methodologies",
4166
- "skilled penetration testers"
4167
- ],
4168
- relatedSafeguards: ["16.1"] },
4169
- "16.14": {
4170
- id: "16.14",
4171
- title: "Conduct Threat Modeling",
4172
- description: "Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses",
4173
- implementationGroup: "IG3",
4174
- assetType: ["Software"],
4175
- securityFunction: ["Protect"],
4176
- governanceElements: [ // Orange - MUST be met
4177
- "conduct threat modeling"
4178
- ],
4179
- coreRequirements: [ // Green - The "what"
4180
- "threat modeling",
4181
- "identifying and addressing application security design flaws",
4182
- "before code is created",
4183
- "specially trained individuals",
4184
- "evaluate application design",
4185
- "gauge security risks for each entry point and access level",
4186
- "map out the application, architecture, and infrastructure"
4187
- ],
4188
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4189
- "threat modeling is the process of identifying and addressing application security design flaws within a design",
4190
- "before code is created",
4191
- "conducted through specially trained individuals",
4192
- "who evaluate the application design and gauge security risks",
4193
- "for each entry point and access level",
4194
- "the goal is to map out the application, architecture, and infrastructure in a structured way",
4195
- "to understand its weaknesses"
4196
- ],
4197
- implementationSuggestions: [ // Gray - Implementation suggestions
4198
- "threat modeling frameworks",
4199
- "security design review processes",
4200
- "threat modeling tools",
4201
- "security architecture documentation"
4202
- ],
4203
- relatedSafeguards: ["16.1"] },
4204
- "17.1": {
4205
- id: "17.1",
4206
- title: "Designate Personnel to Manage Incident Handling",
4207
- description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
4208
- implementationGroup: "IG1",
4209
- assetType: ["Users"],
4210
- securityFunction: ["Respond"],
4211
- governanceElements: [ // Orange - MUST be met
4212
- "designate one key person and at least one backup who will manage the enterprise's incident handling process",
4213
- "review annually or when significant enterprise changes occur that could impact this safeguard"
4214
- ],
4215
- coreRequirements: [ // Green - The "what"
4216
- "one key person to manage incident handling",
4217
- "at least one backup person",
4218
- "coordination of incident response and recovery efforts",
4219
- "documentation of incident response and recovery efforts",
4220
- "management personnel for incident handling process"
4221
- ],
4222
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4223
- "management personnel are responsible for coordination and documentation",
4224
- "can consist of employees internal to the enterprise",
4225
- "can consist of service providers",
4226
- "can consist of a hybrid approach",
4227
- "if using a service provider, designate at least one person internal to the enterprise to oversee any third-party work"
4228
- ],
4229
- implementationSuggestions: [ // Gray - Implementation suggestions
4230
- "incident response team structures",
4231
- "incident management roles and responsibilities",
4232
- "coordination tools and processes",
4233
- "documentation templates"
4234
- ],
4235
- relatedSafeguards: ["17.4"] },
4236
- "17.2": {
4237
- id: "17.2",
4238
- title: "Establish and Maintain Contact Information for Reporting Security Incidents",
4239
- description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
4240
- implementationGroup: "IG1",
4241
- assetType: ["Users"],
4242
- securityFunction: ["Respond"],
4243
- governanceElements: [ // Orange - MUST be met
4244
- "establish and maintain contact information for reporting security incidents",
4245
- "information must be available to all workforce members"
4246
- ],
4247
- coreRequirements: [ // Green - The "what"
4248
- "contact information for reporting security incidents",
4249
- "available to all workforce members",
4250
- "various contact methods",
4251
- "regularly updated contact information"
4252
- ],
4253
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4254
- "should include various contact methods (e.g., phone, email)",
4255
- "be regularly updated",
4256
- "consider the availability of these contact methods in different circumstances",
4257
- "such as when primary communication systems are compromised"
4258
- ],
4259
- implementationSuggestions: [ // Gray - Implementation suggestions
4260
- "incident reporting hotlines",
4261
- "emergency contact lists",
4262
- "multiple communication channels",
4263
- "contact information distribution methods"
4264
- ],
4265
- relatedSafeguards: ["17.3", "17.4"] },
4266
- "17.3": {
4267
- id: "17.3",
4268
- title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
4269
- description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
4270
- implementationGroup: "IG1",
4271
- assetType: ["Users"],
4272
- securityFunction: ["Govern"],
4273
- governanceElements: [ // Orange - MUST be met
4274
- "establish and maintain a documented enterprise process for the workforce to report security incidents",
4275
- "ensure the process is publicly available to all of the workforce",
4276
- "review annually or when significant enterprise changes occur that could impact this safeguard"
4277
- ],
4278
- coreRequirements: [ // Green - The "what"
4279
- "documented enterprise process for reporting incidents",
4280
- "reporting timeframe",
4281
- "personnel to report to",
4282
- "mechanism for reporting",
4283
- "minimum information to be reported"
4284
- ],
4285
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4286
- "the process includes reporting timeframe",
4287
- "the process includes personnel to report to",
4288
- "the process includes mechanism for reporting",
4289
- "the process includes the minimum information to be reported"
4290
- ],
4291
- implementationSuggestions: [ // Gray - Implementation suggestions
4292
- "incident reporting procedures",
4293
- "reporting forms and templates",
4294
- "workforce training materials",
4295
- "process communication methods"
4296
- ],
4297
- relatedSafeguards: ["17.2", "17.4", "14.6"] },
4298
- "17.4": {
4299
- id: "17.4",
4300
- title: "Establish and Maintain an Incident Response Process",
4301
- description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
4302
- implementationGroup: "IG2",
4303
- assetType: ["Users"],
4304
- securityFunction: ["Govern"],
4305
- governanceElements: [ // Orange - MUST be met
4306
- "establish and maintain a documented incident response process",
4307
- "review annually or when significant enterprise changes occur that could impact this safeguard"
4308
- ],
4309
- coreRequirements: [ // Green - The "what"
4310
- "documented incident response process",
4311
- "roles and responsibilities",
4312
- "compliance requirements",
4313
- "communication plan"
4314
- ],
4315
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4316
- "that addresses roles and responsibilities",
4317
- "that addresses compliance requirements",
4318
- "that addresses a communication plan"
4319
- ],
4320
- implementationSuggestions: [ // Gray - Implementation suggestions
4321
- "incident response playbooks",
4322
- "process documentation templates",
4323
- "compliance frameworks",
4324
- "communication protocols"
4325
- ],
4326
- relatedSafeguards: ["17.1", "17.3", "17.5", "17.6", "17.7", "17.8", "17.9"] },
4327
- "17.5": {
4328
- id: "17.5",
4329
- title: "Assign Key Roles and Responsibilities",
4330
- description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
4331
- implementationGroup: "IG2",
4332
- assetType: ["Users"],
4333
- securityFunction: ["Respond"],
4334
- governanceElements: [ // Orange - MUST be met
4335
- "assign key roles and responsibilities for incident response",
4336
- "review annually or when significant enterprise changes occur that could impact this safeguard"
4337
- ],
4338
- coreRequirements: [ // Green - The "what"
4339
- "key roles and responsibilities for incident response",
4340
- "staff from legal",
4341
- "staff from IT",
4342
- "staff from information security",
4343
- "staff from facilities",
4344
- "staff from public relations",
4345
- "staff from human resources",
4346
- "incident responders",
4347
- "analysts"
4348
- ],
4349
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4350
- "including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts"
4351
- ],
4352
- implementationSuggestions: [ // Gray - Implementation suggestions
4353
- "incident response team structures",
4354
- "role definition templates",
4355
- "responsibility matrices",
4356
- "cross-functional team coordination"
4357
- ],
4358
- relatedSafeguards: ["17.4"] },
4359
- "17.6": {
4360
- id: "17.6",
4361
- title: "Define Mechanisms for Communicating During Incident Response",
4362
- description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
4363
- implementationGroup: "IG2",
4364
- assetType: ["Users"],
4365
- securityFunction: ["Respond"],
4366
- governanceElements: [ // Orange - MUST be met
4367
- "determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
4368
- "review annually or when significant enterprise changes occur that could impact this safeguard"
4369
- ],
4370
- coreRequirements: [ // Green - The "what"
4371
- "primary mechanisms for communicating during incident response",
4372
- "secondary mechanisms for communicating during incident response",
4373
- "mechanisms to communicate during security incident",
4374
- "mechanisms to report during security incident"
4375
- ],
4376
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4377
- "mechanisms can include phone calls",
4378
- "mechanisms can include emails",
4379
- "mechanisms can include secure chat",
4380
- "mechanisms can include notification letters",
4381
- "keep in mind that certain mechanisms, such as emails, can be affected during a security incident"
4382
- ],
4383
- implementationSuggestions: [ // Gray - Implementation suggestions
4384
- "communication platforms",
4385
- "backup communication methods",
4386
- "secure messaging systems",
4387
- "notification systems"
4388
- ],
4389
- relatedSafeguards: ["17.4"] },
4390
- "17.7": {
4391
- id: "17.7",
4392
- title: "Conduct Routine Incident Response Exercises",
4393
- description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
4394
- implementationGroup: "IG2",
4395
- assetType: ["Users"],
4396
- securityFunction: ["Recover"],
4397
- governanceElements: [ // Orange - MUST be met
4398
- "plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
4399
- "conduct testing on an annual basis, at a minimum"
4400
- ],
4401
- coreRequirements: [ // Green - The "what"
4402
- "routine incident response exercises",
4403
- "scenarios for key personnel",
4404
- "prepare for responding to real-world incidents",
4405
- "test communication channels",
4406
- "test decision-making",
4407
- "test workflows"
4408
- ],
4409
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4410
- "key personnel involved in the incident response process",
4411
- "to prepare for responding to real-world incidents",
4412
- "exercises need to test communication channels, decision-making, and workflows"
4413
- ],
4414
- implementationSuggestions: [ // Gray - Implementation suggestions
4415
- "tabletop exercises",
4416
- "simulation scenarios",
4417
- "exercise planning frameworks",
4418
- "testing schedules and protocols"
4419
- ],
4420
- relatedSafeguards: ["17.4"] },
4421
- "17.8": {
4422
- id: "17.8",
4423
- title: "Conduct Post-Incident Reviews",
4424
- description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
4425
- implementationGroup: "IG2",
4426
- assetType: ["Users"],
4427
- securityFunction: ["Recover"],
4428
- governanceElements: [ // Orange - MUST be met
4429
- "conduct post-incident reviews"
4430
- ],
4431
- coreRequirements: [ // Green - The "what"
4432
- "post-incident reviews",
4433
- "prevent incident recurrence",
4434
- "identifying lessons learned",
4435
- "follow-up action"
4436
- ],
4437
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4438
- "post-incident reviews help prevent incident recurrence",
4439
- "through identifying lessons learned and follow-up action"
4440
- ],
4441
- implementationSuggestions: [ // Gray - Implementation suggestions
4442
- "post-incident review templates",
4443
- "lessons learned documentation",
4444
- "improvement action plans",
4445
- "review meeting processes"
4446
- ],
4447
- relatedSafeguards: ["17.4"] },
4448
- "17.9": {
4449
- id: "17.9",
4450
- title: "Establish and Maintain Security Incident Thresholds",
4451
- description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
4452
- implementationGroup: "IG3",
4453
- assetType: ["Users"],
4454
- securityFunction: ["Recover"],
4455
- governanceElements: [ // Orange - MUST be met
4456
- "establish and maintain security incident thresholds",
4457
- "review annually or when significant enterprise changes occur that could impact this safeguard"
4458
- ],
4459
- coreRequirements: [ // Green - The "what"
4460
- "security incident thresholds",
4461
- "differentiating between an incident and an event",
4462
- "incident classification criteria"
4463
- ],
4464
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4465
- "including, at a minimum, differentiating between an incident and an event",
4466
- "examples can include abnormal activity",
4467
- "examples can include security vulnerability",
4468
- "examples can include security weakness",
4469
- "examples can include data breach",
4470
- "examples can include privacy incident"
4471
- ],
4472
- implementationSuggestions: [ // Gray - Implementation suggestions
4473
- "incident classification frameworks",
4474
- "threshold definition templates",
4475
- "severity rating systems",
4476
- "incident categorization tools"
4477
- ],
4478
- relatedSafeguards: ["17.4"] },
4479
- "18.1": {
4480
- id: "18.1",
4481
- title: "Establish and Maintain a Penetration Testing Program",
4482
- description: "Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements",
4483
- implementationGroup: "IG2",
4484
- assetType: ["network"],
4485
- securityFunction: ["Govern"],
4486
- governanceElements: [ // Orange - MUST be met
4487
- "establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise"
4488
- ],
4489
- coreRequirements: [ // Green - The "what"
4490
- "penetration testing program",
4491
- "scope including network, web application, API, hosted services, and physical premise controls",
4492
- "frequency requirements",
4493
- "limitations including acceptable hours and excluded attack types",
4494
- "point of contact information",
4495
- "remediation procedures for routing findings internally",
4496
- "retrospective requirements"
4497
- ],
4498
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4499
- "appropriate to the size, complexity, industry, and maturity of the enterprise",
4500
- "penetration testing program characteristics include scope",
4501
- "such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls",
4502
- "characteristics include frequency",
4503
- "characteristics include limitations, such as acceptable hours, and excluded attack types",
4504
- "characteristics include point of contact information",
4505
- "characteristics include remediation, such as how findings will be routed internally",
4506
- "characteristics include retrospective requirements"
4507
- ],
4508
- implementationSuggestions: [ // Gray - Implementation suggestions
4509
- "penetration testing frameworks",
4510
- "program documentation templates",
4511
- "scope definition guidelines",
4512
- "testing frequency schedules"
4513
- ],
4514
- relatedSafeguards: ["18.2", "18.3", "18.4", "18.5"] },
4515
- "18.2": {
4516
- id: "18.2",
4517
- title: "Perform Periodic External Penetration Tests",
4518
- description: "Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box",
4519
- implementationGroup: "IG2",
4520
- assetType: ["network"],
4521
- securityFunction: ["Detect"],
4522
- governanceElements: [ // Orange - MUST be met
4523
- "perform periodic external penetration tests based on program requirements, no less than annually",
4524
- "external penetration testing must include enterprise and environmental reconnaissance to detect exploitable information",
4525
- "penetration testing requires specialized skills and experience and must be conducted through a qualified party"
4526
- ],
4527
- coreRequirements: [ // Green - The "what"
4528
- "periodic external penetration tests",
4529
- "enterprise reconnaissance",
4530
- "environmental reconnaissance",
4531
- "detect exploitable information",
4532
- "specialized skills and experience",
4533
- "qualified party to conduct testing"
4534
- ],
4535
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4536
- "based on program requirements",
4537
- "no less than annually",
4538
- "to detect exploitable information",
4539
- "the testing may be clear box or opaque box"
4540
- ],
4541
- implementationSuggestions: [ // Gray - Implementation suggestions
4542
- "external penetration testing services",
4543
- "reconnaissance tools and techniques",
4544
- "qualified penetration testing vendors",
4545
- "clear box and opaque box methodologies"
4546
- ],
4547
- relatedSafeguards: ["18.1", "18.3", "18.4"] },
4548
- "18.3": {
4549
- id: "18.3",
4550
- title: "Remediate Penetration Test Findings",
4551
- description: "Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding",
4552
- implementationGroup: "IG2",
4553
- assetType: ["network"],
4554
- securityFunction: ["Protect"],
4555
- governanceElements: [ // Orange - MUST be met
4556
- "remediate penetration test findings based on the enterprise's documented vulnerability remediation process"
4557
- ],
4558
- coreRequirements: [ // Green - The "what"
4559
- "remediate penetration test findings",
4560
- "documented vulnerability remediation process",
4561
- "timeline for remediation",
4562
- "level of effort determination",
4563
- "impact assessment",
4564
- "prioritization of findings"
4565
- ],
4566
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4567
- "this should include determining a timeline and level of effort",
4568
- "based on the impact and prioritization of each identified finding"
4569
- ],
4570
- implementationSuggestions: [ // Gray - Implementation suggestions
4571
- "vulnerability remediation workflows",
4572
- "finding prioritization frameworks",
4573
- "remediation tracking systems",
4574
- "impact assessment methodologies"
4575
- ],
4576
- relatedSafeguards: ["18.1", "18.2", "18.5"] },
4577
- "18.4": {
4578
- id: "18.4",
4579
- title: "Validate Security Measures",
4580
- description: "Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing",
4581
- implementationGroup: "IG3",
4582
- assetType: ["network"],
4583
- securityFunction: ["Protect"],
4584
- governanceElements: [ // Orange - MUST be met
4585
- "validate security measures after each penetration test"
4586
- ],
4587
- coreRequirements: [ // Green - The "what"
4588
- "validate security measures",
4589
- "modify rulesets if necessary",
4590
- "modify capabilities if necessary",
4591
- "detect techniques used during testing"
4592
- ],
4593
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4594
- "after each penetration test",
4595
- "if deemed necessary",
4596
- "to detect the techniques used during testing"
4597
- ],
4598
- implementationSuggestions: [ // Gray - Implementation suggestions
4599
- "security control validation frameworks",
4600
- "detection rule tuning processes",
4601
- "capability enhancement procedures",
4602
- "technique analysis methodologies"
4603
- ],
4604
- relatedSafeguards: ["18.1", "18.2", "18.5"] },
4605
- "18.5": {
4606
- id: "18.5",
4607
- title: "Perform Periodic Internal Penetration Tests",
4608
- description: "Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box",
4609
- implementationGroup: "IG3",
4610
- assetType: ["network"],
4611
- securityFunction: ["Detect"],
4612
- governanceElements: [ // Orange - MUST be met
4613
- "perform periodic internal penetration tests based on program requirements, no less than annually"
4614
- ],
4615
- coreRequirements: [ // Green - The "what"
4616
- "periodic internal penetration tests",
4617
- "program requirements compliance",
4618
- "annual testing frequency minimum"
4619
- ],
4620
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
4621
- "based on program requirements",
4622
- "no less than annually",
4623
- "the testing may be clear box or opaque box"
4624
- ],
4625
- implementationSuggestions: [ // Gray - Implementation suggestions
4626
- "internal penetration testing tools",
4627
- "internal testing methodologies",
4628
- "clear box and opaque box approaches",
4629
- "internal security assessment frameworks"
4630
- ],
4631
- relatedSafeguards: ["18.1", "18.3", "18.4"] }
4632
- };
4633
- }
4634
- }