framework-mcp 2.5.6 → 2.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +34 -9
- package/dist/core/safeguard-manager.js +4 -4
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js.map +1 -1
- package/dist/interfaces/http/http-server.js +3 -3
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/dist/shared/types.d.ts +49 -25
- package/dist/shared/types.d.ts.map +1 -1
- package/dist/shared/types.js.map +1 -1
- package/package.json +8 -1
- package/swagger.json +9 -77
- package/.claude/agents/mcp-developer.md +0 -41
- package/.claude/agents/project-orchestrator.md +0 -43
- package/.claude/agents/version-consistency-reviewer.md +0 -50
- package/.claude/commands/speckit.analyze.md +0 -184
- package/.claude/commands/speckit.checklist.md +0 -294
- package/.claude/commands/speckit.clarify.md +0 -181
- package/.claude/commands/speckit.constitution.md +0 -82
- package/.claude/commands/speckit.implement.md +0 -135
- package/.claude/commands/speckit.plan.md +0 -89
- package/.claude/commands/speckit.specify.md +0 -258
- package/.claude/commands/speckit.tasks.md +0 -137
- package/.claude/commands/speckit.taskstoissues.md +0 -30
- package/.claude/config.json +0 -11
- package/.claude_config.json +0 -11
- package/.do/app.yaml +0 -78
- package/.github/dependabot.yml +0 -15
- package/.github/workflows/ci.yml +0 -90
- package/.github/workflows/release.yml +0 -30
- package/.mcp.json +0 -11
- package/.specify/memory/constitution.md +0 -50
- package/.specify/scripts/bash/check-prerequisites.sh +0 -166
- package/.specify/scripts/bash/common.sh +0 -156
- package/.specify/scripts/bash/create-new-feature.sh +0 -297
- package/.specify/scripts/bash/setup-plan.sh +0 -61
- package/.specify/scripts/bash/update-agent-context.sh +0 -799
- package/.specify/templates/agent-file-template.md +0 -28
- package/.specify/templates/checklist-template.md +0 -40
- package/.specify/templates/plan-template.md +0 -104
- package/.specify/templates/spec-template.md +0 -115
- package/.specify/templates/tasks-template.md +0 -251
- package/examples/example-usage.md +0 -293
- package/examples/llm-analysis-patterns.md +0 -553
- package/examples/vendors.csv +0 -9
- package/examples/vendors.json +0 -32
- package/scripts/validate-documentation.sh +0 -150
- package/src/core/safeguard-manager.ts +0 -4634
- package/src/index.ts +0 -17
- package/src/interfaces/http/http-server.ts +0 -262
- package/src/interfaces/mcp/mcp-server.ts +0 -165
- package/src/shared/types.ts +0 -300
- package/tsconfig.json +0 -23
|
@@ -1,4634 +0,0 @@
|
|
|
1
|
-
import { SafeguardElement, CacheEntry } from '../shared/types.js';
|
|
2
|
-
|
|
3
|
-
export class SafeguardManager {
|
|
4
|
-
private cache: Map<string, CacheEntry<any>>;
|
|
5
|
-
private safeguards: Record<string, SafeguardElement> = {};
|
|
6
|
-
private static readonly MAX_CACHE_SIZE = 1000; // Prevent unlimited cache growth
|
|
7
|
-
private static readonly CACHE_CLEANUP_INTERVAL = 30 * 60 * 1000; // 30 minutes
|
|
8
|
-
private safeguardKeysCache: string[] | null = null; // Pre-computed sorted keys
|
|
9
|
-
private lastCleanup: number = 0;
|
|
10
|
-
|
|
11
|
-
constructor() {
|
|
12
|
-
this.cache = new Map();
|
|
13
|
-
this.initializeSafeguards();
|
|
14
|
-
this.precomputeSafeguardKeys();
|
|
15
|
-
}
|
|
16
|
-
|
|
17
|
-
public getSafeguardDetails(safeguardId: string, includeExamples: boolean = false): SafeguardElement | null {
|
|
18
|
-
// Check cache first
|
|
19
|
-
const cacheKey = `${safeguardId}_${includeExamples}`;
|
|
20
|
-
const cached = this.getCachedSafeguardDetails(cacheKey);
|
|
21
|
-
if (cached) {
|
|
22
|
-
return cached;
|
|
23
|
-
}
|
|
24
|
-
|
|
25
|
-
const safeguard = this.safeguards[safeguardId];
|
|
26
|
-
if (!safeguard) {
|
|
27
|
-
return null;
|
|
28
|
-
}
|
|
29
|
-
|
|
30
|
-
// Add examples if requested
|
|
31
|
-
let result = { ...safeguard };
|
|
32
|
-
if (includeExamples) {
|
|
33
|
-
result = this.addImplementationExamples(result);
|
|
34
|
-
}
|
|
35
|
-
|
|
36
|
-
// Cache the result
|
|
37
|
-
this.cache.set(cacheKey, {
|
|
38
|
-
data: result,
|
|
39
|
-
timestamp: Date.now()
|
|
40
|
-
});
|
|
41
|
-
|
|
42
|
-
return result;
|
|
43
|
-
}
|
|
44
|
-
|
|
45
|
-
public listAvailableSafeguards(): string[] {
|
|
46
|
-
// Use pre-computed sorted keys for optimal performance
|
|
47
|
-
if (this.safeguardKeysCache) {
|
|
48
|
-
return [...this.safeguardKeysCache]; // Return copy to prevent external modification
|
|
49
|
-
}
|
|
50
|
-
|
|
51
|
-
// Fallback to original method if pre-computed cache not available
|
|
52
|
-
const safeguardList = Object.keys(this.safeguards).sort((a, b) => {
|
|
53
|
-
const [aMajor, aMinor] = a.split('.').map(Number);
|
|
54
|
-
const [bMajor, bMinor] = b.split('.').map(Number);
|
|
55
|
-
return aMajor - bMajor || aMinor - bMinor;
|
|
56
|
-
});
|
|
57
|
-
|
|
58
|
-
return safeguardList;
|
|
59
|
-
}
|
|
60
|
-
|
|
61
|
-
public getAllSafeguards(): Record<string, SafeguardElement> {
|
|
62
|
-
return { ...this.safeguards };
|
|
63
|
-
}
|
|
64
|
-
|
|
65
|
-
public validateSafeguardId(safeguardId: string): void {
|
|
66
|
-
if (!safeguardId || typeof safeguardId !== 'string') {
|
|
67
|
-
throw new Error('Safeguard ID is required and must be a string');
|
|
68
|
-
}
|
|
69
|
-
|
|
70
|
-
if (!/^[0-9]+\.[0-9]+$/.test(safeguardId)) {
|
|
71
|
-
throw new Error('Safeguard ID must be in format "X.Y" (e.g., "1.1", "5.1")');
|
|
72
|
-
}
|
|
73
|
-
|
|
74
|
-
if (!this.safeguards[safeguardId]) {
|
|
75
|
-
const availableSafeguards = this.listAvailableSafeguards();
|
|
76
|
-
throw new Error(`Safeguard ${safeguardId} not found. Available safeguards: ${availableSafeguards.join(', ')}`);
|
|
77
|
-
}
|
|
78
|
-
}
|
|
79
|
-
|
|
80
|
-
private getCachedSafeguardDetails(cacheKey: string): SafeguardElement | null {
|
|
81
|
-
// Clean up old cache entries periodically
|
|
82
|
-
this.performCacheCleanupIfNeeded();
|
|
83
|
-
|
|
84
|
-
const cached = this.cache.get(cacheKey);
|
|
85
|
-
|
|
86
|
-
if (cached && (Date.now() - cached.timestamp < 5 * 60 * 1000)) { // 5 minute cache
|
|
87
|
-
return cached.data;
|
|
88
|
-
}
|
|
89
|
-
|
|
90
|
-
return null;
|
|
91
|
-
}
|
|
92
|
-
|
|
93
|
-
private precomputeSafeguardKeys(): void {
|
|
94
|
-
// Pre-compute and cache the sorted safeguard keys for optimal listAvailableSafeguards() performance
|
|
95
|
-
this.safeguardKeysCache = Object.keys(this.safeguards).sort((a, b) => {
|
|
96
|
-
const [aMajor, aMinor] = a.split('.').map(Number);
|
|
97
|
-
const [bMajor, bMinor] = b.split('.').map(Number);
|
|
98
|
-
return aMajor - bMajor || aMinor - bMinor;
|
|
99
|
-
});
|
|
100
|
-
}
|
|
101
|
-
|
|
102
|
-
private performCacheCleanupIfNeeded(): void {
|
|
103
|
-
const now = Date.now();
|
|
104
|
-
|
|
105
|
-
// Check if cleanup is needed
|
|
106
|
-
if (now - this.lastCleanup < SafeguardManager.CACHE_CLEANUP_INTERVAL &&
|
|
107
|
-
this.cache.size < SafeguardManager.MAX_CACHE_SIZE) {
|
|
108
|
-
return;
|
|
109
|
-
}
|
|
110
|
-
|
|
111
|
-
// Remove expired entries
|
|
112
|
-
const expiredKeys: string[] = [];
|
|
113
|
-
for (const [key, entry] of this.cache.entries()) {
|
|
114
|
-
if (now - entry.timestamp > 5 * 60 * 1000) { // 5 minute expiry
|
|
115
|
-
expiredKeys.push(key);
|
|
116
|
-
}
|
|
117
|
-
}
|
|
118
|
-
|
|
119
|
-
for (const key of expiredKeys) {
|
|
120
|
-
this.cache.delete(key);
|
|
121
|
-
}
|
|
122
|
-
|
|
123
|
-
// If still too many entries, remove oldest ones
|
|
124
|
-
if (this.cache.size > SafeguardManager.MAX_CACHE_SIZE) {
|
|
125
|
-
const sortedEntries = Array.from(this.cache.entries())
|
|
126
|
-
.sort((a, b) => a[1].timestamp - b[1].timestamp);
|
|
127
|
-
|
|
128
|
-
const entriesToRemove = sortedEntries.slice(0, this.cache.size - SafeguardManager.MAX_CACHE_SIZE);
|
|
129
|
-
for (const [key] of entriesToRemove) {
|
|
130
|
-
this.cache.delete(key);
|
|
131
|
-
}
|
|
132
|
-
}
|
|
133
|
-
|
|
134
|
-
this.lastCleanup = now;
|
|
135
|
-
}
|
|
136
|
-
|
|
137
|
-
/**
|
|
138
|
-
* Get cache statistics for monitoring and debugging
|
|
139
|
-
*/
|
|
140
|
-
public getCacheStats(): { size: number; lastCleanup: number } {
|
|
141
|
-
return {
|
|
142
|
-
size: this.cache.size,
|
|
143
|
-
lastCleanup: this.lastCleanup
|
|
144
|
-
};
|
|
145
|
-
}
|
|
146
|
-
|
|
147
|
-
/**
|
|
148
|
-
* Clear the cache manually if needed
|
|
149
|
-
*/
|
|
150
|
-
public clearCache(): void {
|
|
151
|
-
this.cache.clear();
|
|
152
|
-
this.lastCleanup = Date.now();
|
|
153
|
-
}
|
|
154
|
-
|
|
155
|
-
private addImplementationExamples(safeguard: SafeguardElement): SafeguardElement {
|
|
156
|
-
// Add implementation examples based on safeguard type
|
|
157
|
-
const examples = this.getImplementationExamples(safeguard.id);
|
|
158
|
-
|
|
159
|
-
return {
|
|
160
|
-
...safeguard,
|
|
161
|
-
implementationSuggestions: [
|
|
162
|
-
...safeguard.implementationSuggestions,
|
|
163
|
-
...examples
|
|
164
|
-
]
|
|
165
|
-
};
|
|
166
|
-
}
|
|
167
|
-
|
|
168
|
-
private getImplementationExamples(safeguardId: string): string[] {
|
|
169
|
-
const exampleMap: Record<string, string[]> = {
|
|
170
|
-
"1.1": [
|
|
171
|
-
"Example: Use Lansweeper for automated asset discovery",
|
|
172
|
-
"Example: Implement ServiceNow CMDB for centralized tracking",
|
|
173
|
-
"Example: Deploy Microsoft SCCM for Windows asset management"
|
|
174
|
-
],
|
|
175
|
-
"5.1": [
|
|
176
|
-
"Example: Use Azure AD for centralized account management",
|
|
177
|
-
"Example: Implement Okta for identity lifecycle management",
|
|
178
|
-
"Example: Deploy JumpCloud for directory services"
|
|
179
|
-
],
|
|
180
|
-
"6.3": [
|
|
181
|
-
"Example: Enable Azure MFA for all external applications",
|
|
182
|
-
"Example: Implement Duo Security for multi-factor authentication",
|
|
183
|
-
"Example: Use Google Workspace SSO with MFA enforcement"
|
|
184
|
-
],
|
|
185
|
-
"7.1": [
|
|
186
|
-
"Example: Establish Nessus vulnerability scanning schedule",
|
|
187
|
-
"Example: Implement Qualys VMDR for continuous monitoring",
|
|
188
|
-
"Example: Use Rapid7 InsightVM for vulnerability management"
|
|
189
|
-
]
|
|
190
|
-
};
|
|
191
|
-
|
|
192
|
-
return exampleMap[safeguardId] || [];
|
|
193
|
-
}
|
|
194
|
-
|
|
195
|
-
private initializeSafeguards(): void {
|
|
196
|
-
this.safeguards = {
|
|
197
|
-
"1.1": {
|
|
198
|
-
id: "1.1",
|
|
199
|
-
title: "Establish and Maintain a Detailed Enterprise Asset Inventory",
|
|
200
|
-
description: "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.",
|
|
201
|
-
implementationGroup: "IG1",
|
|
202
|
-
assetType: ["Devices"],
|
|
203
|
-
securityFunction: ["Identify"],
|
|
204
|
-
governanceElements: [ // Orange - MUST be met
|
|
205
|
-
"Establish",
|
|
206
|
-
"Maintain",
|
|
207
|
-
"Review and update the inventory of all enterprise assets bi-annually, or more frequently"
|
|
208
|
-
],
|
|
209
|
-
coreRequirements: [ // Green - The "what"
|
|
210
|
-
"Asset inventory of all enterprise assets with the potential to store or process data"
|
|
211
|
-
],
|
|
212
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
213
|
-
"Network Address (IF STATIC)",
|
|
214
|
-
"Hardware Address",
|
|
215
|
-
"Machine Name",
|
|
216
|
-
"Enterprise asset owner",
|
|
217
|
-
"Department for each asset",
|
|
218
|
-
"Asset has been approved to connect to the network",
|
|
219
|
-
"End-User Devices",
|
|
220
|
-
"Mobile",
|
|
221
|
-
"Portable",
|
|
222
|
-
"Network Devices",
|
|
223
|
-
"IOT Devices",
|
|
224
|
-
"Servers",
|
|
225
|
-
"Connected to Infrastructure",
|
|
226
|
-
"Physically",
|
|
227
|
-
"Virtually",
|
|
228
|
-
"Remotely",
|
|
229
|
-
"Those within cloud environments",
|
|
230
|
-
"Regularly Connected Devices - NOT Under Control of Enterprise",
|
|
231
|
-
"Detailed",
|
|
232
|
-
"Accurate",
|
|
233
|
-
"Up-to-date",
|
|
234
|
-
"Potential to store or process data"
|
|
235
|
-
],
|
|
236
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
237
|
-
"For mobile end-user devices, MDM type tools can support this process, where appropriate"
|
|
238
|
-
],
|
|
239
|
-
relatedSafeguards: ["1.2", "1.3", "1.4", "1.5", "2.1", "3.2", "4.1", "5.1"] },
|
|
240
|
-
"1.2": {
|
|
241
|
-
id: "1.2",
|
|
242
|
-
title: "Address Unauthorized Assets",
|
|
243
|
-
description: "Ensure that a process exists to address unauthorized assets on a weekly basis",
|
|
244
|
-
implementationGroup: "IG1",
|
|
245
|
-
assetType: ["Devices"],
|
|
246
|
-
securityFunction: ["Respond"],
|
|
247
|
-
governanceElements: [ // Orange - MUST be met
|
|
248
|
-
"Ensure that a process exists to address unauthorized assets on a weekly basis"
|
|
249
|
-
],
|
|
250
|
-
coreRequirements: [ // Green - The "what"
|
|
251
|
-
"Address Unauthorized Assets"
|
|
252
|
-
],
|
|
253
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
254
|
-
"Address Unauthorized Assets"
|
|
255
|
-
],
|
|
256
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
257
|
-
"The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset"
|
|
258
|
-
],
|
|
259
|
-
relatedSafeguards: ["1.1", "1.3"] },
|
|
260
|
-
"1.3": {
|
|
261
|
-
id: "1.3",
|
|
262
|
-
title: "Utilize an Active Discovery Tool",
|
|
263
|
-
description: "Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.",
|
|
264
|
-
implementationGroup: "IG2",
|
|
265
|
-
assetType: ["Devices"],
|
|
266
|
-
securityFunction: ["Detect"],
|
|
267
|
-
governanceElements: [ // Orange - MUST be met
|
|
268
|
-
"Utilize an active discovery tool",
|
|
269
|
-
"Configure the active discovery tool to execute daily, or more frequently"
|
|
270
|
-
],
|
|
271
|
-
coreRequirements: [ // Green - The "what"
|
|
272
|
-
"Active discovery tool"
|
|
273
|
-
],
|
|
274
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
275
|
-
"Utilize",
|
|
276
|
-
"Configure",
|
|
277
|
-
"Execute daily, or more frequently"
|
|
278
|
-
],
|
|
279
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
280
|
-
],
|
|
281
|
-
relatedSafeguards: ["1.1", "1.2", "1.4", "1.5"] },
|
|
282
|
-
"1.4": {
|
|
283
|
-
id: "1.4",
|
|
284
|
-
title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory",
|
|
285
|
-
description: "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.",
|
|
286
|
-
implementationGroup: "IG2",
|
|
287
|
-
assetType: ["Devices"],
|
|
288
|
-
securityFunction: ["Identify"],
|
|
289
|
-
governanceElements: [ // Orange - MUST be met
|
|
290
|
-
"Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory",
|
|
291
|
-
"Review and use logs to update the enterprise's asset inventory weekly, or more frequently"
|
|
292
|
-
],
|
|
293
|
-
coreRequirements: [ // Green - The "what"
|
|
294
|
-
"DHCP Logging on all DHCP servers",
|
|
295
|
-
"Or IPAM",
|
|
296
|
-
"This is an OR of the two above, but can be in conjunction"
|
|
297
|
-
],
|
|
298
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
299
|
-
"Review and Use Logs",
|
|
300
|
-
"Update asset inventory"
|
|
301
|
-
],
|
|
302
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
303
|
-
],
|
|
304
|
-
relatedSafeguards: ["1.1", "1.2", "1.3", "1.5"] },
|
|
305
|
-
"1.5": {
|
|
306
|
-
id: "1.5",
|
|
307
|
-
title: "Use a Passive Asset Discovery Tool",
|
|
308
|
-
description: "Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.",
|
|
309
|
-
implementationGroup: "IG3",
|
|
310
|
-
assetType: ["Devices"],
|
|
311
|
-
securityFunction: ["Detect"],
|
|
312
|
-
governanceElements: [ // Orange - MUST be met
|
|
313
|
-
"Use a passive discovery tool to identify assets connected to the enterprise's network",
|
|
314
|
-
"Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently"
|
|
315
|
-
],
|
|
316
|
-
coreRequirements: [ // Green - The "what"
|
|
317
|
-
"Passive Discovery Tool"
|
|
318
|
-
],
|
|
319
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
320
|
-
"Review and Use scans",
|
|
321
|
-
"Update asset inventory"
|
|
322
|
-
],
|
|
323
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
324
|
-
],
|
|
325
|
-
relatedSafeguards: ["1.1", "1.2", "1.3", "1.4"] },
|
|
326
|
-
"2.1": {
|
|
327
|
-
id: "2.1",
|
|
328
|
-
title: "Establish and Maintain a Software Inventory",
|
|
329
|
-
description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.",
|
|
330
|
-
implementationGroup: "IG1",
|
|
331
|
-
assetType: ["Software"],
|
|
332
|
-
securityFunction: ["Identify"],
|
|
333
|
-
governanceElements: [ // Orange - MUST be met
|
|
334
|
-
"Establish a Software Inventory",
|
|
335
|
-
"The software inventory must document the sub-taxonomical elements, where appropriate",
|
|
336
|
-
"Review and update the software inventory bi-annually, or more frequently - AKA Maintain"
|
|
337
|
-
],
|
|
338
|
-
coreRequirements: [ // Green - The "what"
|
|
339
|
-
"Detailed inventory of all licensed software"
|
|
340
|
-
],
|
|
341
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
342
|
-
"Title",
|
|
343
|
-
"Publisher",
|
|
344
|
-
"Initial Install / Use Date",
|
|
345
|
-
"Business Purpose",
|
|
346
|
-
"URL",
|
|
347
|
-
"App Store(s)",
|
|
348
|
-
"App Version(s)",
|
|
349
|
-
"Deployment mechanism",
|
|
350
|
-
"Decomm. Date"
|
|
351
|
-
],
|
|
352
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
353
|
-
],
|
|
354
|
-
relatedSafeguards: ["1.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7"] },
|
|
355
|
-
"2.2": {
|
|
356
|
-
id: "2.2",
|
|
357
|
-
title: "Ensure That Only Currently Supported Software Is Designated as Authorized",
|
|
358
|
-
description: "Ensure that only currently supported software is designated as authorized in the software inventory",
|
|
359
|
-
implementationGroup: "IG1",
|
|
360
|
-
assetType: ["Software"],
|
|
361
|
-
securityFunction: ["Identify"],
|
|
362
|
-
governanceElements: [ // Orange - MUST be met
|
|
363
|
-
"Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
|
|
364
|
-
],
|
|
365
|
-
coreRequirements: [ // Green - The "what"
|
|
366
|
-
"Currently supported software",
|
|
367
|
-
"Authorized in the software inventory"
|
|
368
|
-
],
|
|
369
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
370
|
-
"Determine if Authorized Software Is Currently Supported",
|
|
371
|
-
"Determine Necessity for Business",
|
|
372
|
-
"Document Exception detailing mitigating controls IF Unsupported",
|
|
373
|
-
"Document Residual risk acceptance IF Unsupported"
|
|
374
|
-
],
|
|
375
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
376
|
-
],
|
|
377
|
-
relatedSafeguards: ["2.1", "2.3", "2.4", "2.5", "2.6", "2.7"] },
|
|
378
|
-
"2.3": {
|
|
379
|
-
id: "2.3",
|
|
380
|
-
title: "Address Unauthorized Software",
|
|
381
|
-
description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
|
|
382
|
-
implementationGroup: "IG1",
|
|
383
|
-
assetType: ["Software"],
|
|
384
|
-
securityFunction: ["Respond"],
|
|
385
|
-
governanceElements: [ // Orange - MUST be met
|
|
386
|
-
"Ensure",
|
|
387
|
-
"Review monthly, or more frequently"
|
|
388
|
-
],
|
|
389
|
-
coreRequirements: [ // Green - The "what"
|
|
390
|
-
"unauthorized software is either removed from use on enterprise assets or receives a documented exception"
|
|
391
|
-
],
|
|
392
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
393
|
-
"Address Unauthorized Software",
|
|
394
|
-
"Remove from use",
|
|
395
|
-
"Document Exception"
|
|
396
|
-
],
|
|
397
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
398
|
-
],
|
|
399
|
-
relatedSafeguards: ["2.1", "2.2", "2.4", "2.5", "2.6", "2.7"] },
|
|
400
|
-
"2.4": {
|
|
401
|
-
id: "2.4",
|
|
402
|
-
title: "Utilize Automated Software Inventory Tools",
|
|
403
|
-
description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
|
|
404
|
-
implementationGroup: "IG2",
|
|
405
|
-
assetType: ["Software"],
|
|
406
|
-
securityFunction: ["Detect"],
|
|
407
|
-
governanceElements: [ // Orange - MUST be met
|
|
408
|
-
"Utilize",
|
|
409
|
-
"when possible"
|
|
410
|
-
],
|
|
411
|
-
coreRequirements: [ // Green - The "what"
|
|
412
|
-
"software inventory tools"
|
|
413
|
-
],
|
|
414
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
415
|
-
"Automate Discovery",
|
|
416
|
-
"Automate Documentation",
|
|
417
|
-
"Installed Software"
|
|
418
|
-
],
|
|
419
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
420
|
-
],
|
|
421
|
-
relatedSafeguards: ["2.1", "2.2", "2.3", "2.5", "2.6", "2.7"] },
|
|
422
|
-
"2.5": {
|
|
423
|
-
id: "2.5",
|
|
424
|
-
title: "Allowlist Authorized Software",
|
|
425
|
-
description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
|
|
426
|
-
implementationGroup: "IG2",
|
|
427
|
-
assetType: ["Software"],
|
|
428
|
-
securityFunction: ["Protect"],
|
|
429
|
-
governanceElements: [ // Orange - MUST be met
|
|
430
|
-
"Use",
|
|
431
|
-
"Ensure",
|
|
432
|
-
"Reassess bi-annually, or more frequently"
|
|
433
|
-
],
|
|
434
|
-
coreRequirements: [ // Green - The "what"
|
|
435
|
-
"technical controls",
|
|
436
|
-
"only authorized software can execute or be accessed"
|
|
437
|
-
],
|
|
438
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
439
|
-
"Technical Controls",
|
|
440
|
-
"Allow software to Execute",
|
|
441
|
-
"Allow software to be Accessed"
|
|
442
|
-
],
|
|
443
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
444
|
-
"Application Allowlisting"
|
|
445
|
-
],
|
|
446
|
-
relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.6", "2.7"] },
|
|
447
|
-
"2.6": {
|
|
448
|
-
id: "2.6",
|
|
449
|
-
title: "Allowlist Authorized Libraries",
|
|
450
|
-
description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
|
|
451
|
-
implementationGroup: "IG2",
|
|
452
|
-
assetType: ["Software"],
|
|
453
|
-
securityFunction: ["Protect"],
|
|
454
|
-
governanceElements: [ // Orange - MUST be met
|
|
455
|
-
"Use",
|
|
456
|
-
"Ensure",
|
|
457
|
-
"Reassess bi-annually, or more frequently"
|
|
458
|
-
],
|
|
459
|
-
coreRequirements: [ // Green - The "what"
|
|
460
|
-
"only authorized software libraries",
|
|
461
|
-
"are allowed to load into a system process"
|
|
462
|
-
],
|
|
463
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
464
|
-
"Technical Controls",
|
|
465
|
-
"Block unauthorized libraries from loading into a system process"
|
|
466
|
-
],
|
|
467
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
468
|
-
"Specific .dll files",
|
|
469
|
-
"Specific .ocx files",
|
|
470
|
-
"Specific .so files"
|
|
471
|
-
],
|
|
472
|
-
relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.7"] },
|
|
473
|
-
"2.7": {
|
|
474
|
-
id: "2.7",
|
|
475
|
-
title: "Allowlist Authorized Scripts",
|
|
476
|
-
description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
|
|
477
|
-
implementationGroup: "IG3",
|
|
478
|
-
assetType: ["Software"],
|
|
479
|
-
securityFunction: ["Protect"],
|
|
480
|
-
governanceElements: [ // Orange - MUST be met
|
|
481
|
-
"Use",
|
|
482
|
-
"Ensure",
|
|
483
|
-
"Reassess bi-annually, or more frequently"
|
|
484
|
-
],
|
|
485
|
-
coreRequirements: [ // Green - The "what"
|
|
486
|
-
"only authorized files are allowed to execute"
|
|
487
|
-
],
|
|
488
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
489
|
-
"Technical Controls",
|
|
490
|
-
"Block unauthorized scripts from executing",
|
|
491
|
-
],
|
|
492
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
493
|
-
"Digital signatures",
|
|
494
|
-
"Version control",
|
|
495
|
-
"Specific .ps1 files",
|
|
496
|
-
"Specific .py files"
|
|
497
|
-
],
|
|
498
|
-
relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6"] },
|
|
499
|
-
"3.1": {
|
|
500
|
-
id: "3.1",
|
|
501
|
-
title: "Establish and Maintain a Data Management Process",
|
|
502
|
-
description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
503
|
-
implementationGroup: "IG1",
|
|
504
|
-
assetType: ["Data"],
|
|
505
|
-
securityFunction: ["Govern"],
|
|
506
|
-
governanceElements: [ // Orange - MUST be met
|
|
507
|
-
"Establish",
|
|
508
|
-
"Maintain",
|
|
509
|
-
"Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
510
|
-
],
|
|
511
|
-
coreRequirements: [ // Green - The "what"
|
|
512
|
-
"documented data management process"
|
|
513
|
-
],
|
|
514
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
515
|
-
"Data Sensitivity",
|
|
516
|
-
"Data Owner",
|
|
517
|
-
"Data Handling",
|
|
518
|
-
"Data Retention Limits",
|
|
519
|
-
"Disposal Requirements",
|
|
520
|
-
"Retention Standards"
|
|
521
|
-
],
|
|
522
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
523
|
-
],
|
|
524
|
-
relatedSafeguards: ["3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] },
|
|
525
|
-
"3.2": {
|
|
526
|
-
id: "3.2",
|
|
527
|
-
title: "Establish and Maintain a Data Inventory",
|
|
528
|
-
description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
|
|
529
|
-
implementationGroup: "IG1",
|
|
530
|
-
assetType: ["Data"],
|
|
531
|
-
securityFunction: ["Identify"],
|
|
532
|
-
governanceElements: [ // Orange - MUST be met
|
|
533
|
-
"Establish",
|
|
534
|
-
"Maintain",
|
|
535
|
-
"Review and update inventory annually, at a minimum, with a priority on sensitive data"
|
|
536
|
-
],
|
|
537
|
-
coreRequirements: [ // Green - The "what"
|
|
538
|
-
"data inventory"
|
|
539
|
-
],
|
|
540
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
541
|
-
"Based on Data Management process",
|
|
542
|
-
"Sensitive Data at a Minimum"
|
|
543
|
-
],
|
|
544
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
545
|
-
],
|
|
546
|
-
relatedSafeguards: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] },
|
|
547
|
-
"3.3": {
|
|
548
|
-
id: "3.3",
|
|
549
|
-
title: "Configure Data Access Control Lists",
|
|
550
|
-
description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
|
|
551
|
-
implementationGroup: "IG1",
|
|
552
|
-
assetType: ["Data"],
|
|
553
|
-
securityFunction: ["Protect"],
|
|
554
|
-
governanceElements: [ // Orange - MUST be met
|
|
555
|
-
"Configure"
|
|
556
|
-
],
|
|
557
|
-
coreRequirements: [ // Green - The "what"
|
|
558
|
-
"data access control lists"
|
|
559
|
-
],
|
|
560
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
561
|
-
"Data Access control lists",
|
|
562
|
-
"Based on \"Need to Know\"",
|
|
563
|
-
"ACLS - \"aka\" Access Permissions",
|
|
564
|
-
"Local",
|
|
565
|
-
"Remote File Systems",
|
|
566
|
-
"Software",
|
|
567
|
-
"Databases"
|
|
568
|
-
],
|
|
569
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
570
|
-
],
|
|
571
|
-
relatedSafeguards: ["3.1", "3.2", "3.4", "3.5", "3.6", "5.1", "6.1", "6.2"] },
|
|
572
|
-
"3.4": {
|
|
573
|
-
id: "3.4",
|
|
574
|
-
title: "Enforce Data Retention",
|
|
575
|
-
description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
|
|
576
|
-
implementationGroup: "IG1",
|
|
577
|
-
assetType: ["Data"],
|
|
578
|
-
securityFunction: ["Protect"],
|
|
579
|
-
governanceElements: [ // Orange - MUST be met
|
|
580
|
-
"Retain",
|
|
581
|
-
"Enforce",
|
|
582
|
-
"must include both minimum and maximum timelines"
|
|
583
|
-
],
|
|
584
|
-
coreRequirements: [ // Green - The "what"
|
|
585
|
-
"data according to the enterprise's documented data management process",
|
|
586
|
-
"Data retention"
|
|
587
|
-
],
|
|
588
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
589
|
-
"Data Retention",
|
|
590
|
-
"Minimum Timelines",
|
|
591
|
-
"Maximum timelines"
|
|
592
|
-
],
|
|
593
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
594
|
-
],
|
|
595
|
-
relatedSafeguards: ["3.1", "3.2", "3.5", "3.6", "3.10"] },
|
|
596
|
-
"3.5": {
|
|
597
|
-
id: "3.5",
|
|
598
|
-
title: "Securely Dispose of Data",
|
|
599
|
-
description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
|
|
600
|
-
implementationGroup: "IG1",
|
|
601
|
-
assetType: ["Data"],
|
|
602
|
-
securityFunction: ["Protect"],
|
|
603
|
-
governanceElements: [ // Orange - MUST be met
|
|
604
|
-
"Disposal process and method are commensurate with the data sensitivity",
|
|
605
|
-
"Ensure"
|
|
606
|
-
],
|
|
607
|
-
coreRequirements: [ // Green - The "what"
|
|
608
|
-
"Securely Dispose of Data"
|
|
609
|
-
],
|
|
610
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
611
|
-
"Securely dispose of Data"
|
|
612
|
-
],
|
|
613
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
614
|
-
],
|
|
615
|
-
relatedSafeguards: ["3.1", "3.2", "3.4", "3.6", "3.10"] },
|
|
616
|
-
"3.6": {
|
|
617
|
-
id: "3.6",
|
|
618
|
-
title: "Encrypt Data on End-User Devices",
|
|
619
|
-
description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
|
|
620
|
-
implementationGroup: "IG1",
|
|
621
|
-
assetType: ["Data"],
|
|
622
|
-
securityFunction: ["Protect"],
|
|
623
|
-
governanceElements: [ // Orange - MUST be met
|
|
624
|
-
"Encrypt"
|
|
625
|
-
],
|
|
626
|
-
coreRequirements: [ // Green - The "what"
|
|
627
|
-
"data on end-user devices"
|
|
628
|
-
],
|
|
629
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
630
|
-
"Data on end-user devices",
|
|
631
|
-
"that contain Sensitive data"
|
|
632
|
-
],
|
|
633
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
634
|
-
"Windows Bitlocker",
|
|
635
|
-
"Apple FileVault",
|
|
636
|
-
"Linux dm-crypt"
|
|
637
|
-
],
|
|
638
|
-
relatedSafeguards: ["1.1", "3.1", "3.2", "3.7", "3.8", "3.9", "3.11"] },
|
|
639
|
-
"3.7": {
|
|
640
|
-
id: "3.7",
|
|
641
|
-
title: "Establish and Maintain a Data Classification Scheme",
|
|
642
|
-
description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
643
|
-
implementationGroup: "IG2",
|
|
644
|
-
assetType: ["Data"],
|
|
645
|
-
securityFunction: ["Identify"],
|
|
646
|
-
governanceElements: [ // Orange - MUST be met
|
|
647
|
-
"Establish",
|
|
648
|
-
"Maintain",
|
|
649
|
-
"Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
|
|
650
|
-
],
|
|
651
|
-
coreRequirements: [ // Green - The "what"
|
|
652
|
-
"data classification scheme"
|
|
653
|
-
],
|
|
654
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
655
|
-
"Classify their data according to labels"
|
|
656
|
-
],
|
|
657
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
658
|
-
"Sensitive",
|
|
659
|
-
"Confidential",
|
|
660
|
-
"Public"
|
|
661
|
-
],
|
|
662
|
-
relatedSafeguards: ["3.1", "3.2", "3.3", "3.8", "3.9", "3.10", "3.11", "3.12"] },
|
|
663
|
-
"3.8": {
|
|
664
|
-
id: "3.8",
|
|
665
|
-
title: "Document Data Flows",
|
|
666
|
-
description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
667
|
-
implementationGroup: "IG2",
|
|
668
|
-
assetType: ["Data"],
|
|
669
|
-
securityFunction: ["Identify"],
|
|
670
|
-
governanceElements: [ // Orange - MUST be met
|
|
671
|
-
"Document data flows"
|
|
672
|
-
],
|
|
673
|
-
coreRequirements: [ // Green - The "what"
|
|
674
|
-
"Document Data Flows"
|
|
675
|
-
],
|
|
676
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
677
|
-
"Enterprise Data Flows",
|
|
678
|
-
"Service Provider Data Flows"
|
|
679
|
-
],
|
|
680
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
681
|
-
],
|
|
682
|
-
relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"] },
|
|
683
|
-
"3.9": {
|
|
684
|
-
id: "3.9",
|
|
685
|
-
title: "Encrypt Data on Removable Media",
|
|
686
|
-
description: "Encrypt Data on Removable Media",
|
|
687
|
-
implementationGroup: "IG2",
|
|
688
|
-
assetType: ["Data"],
|
|
689
|
-
securityFunction: ["Protect"],
|
|
690
|
-
governanceElements: [ // Orange - MUST be met
|
|
691
|
-
"Encrypt"
|
|
692
|
-
],
|
|
693
|
-
coreRequirements: [ // Green - The "what"
|
|
694
|
-
"Encrypt Data on Removable Media"
|
|
695
|
-
],
|
|
696
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
697
|
-
"Data on Removable Media",
|
|
698
|
-
],
|
|
699
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
700
|
-
],
|
|
701
|
-
relatedSafeguards: ["3.1", "3.6", "3.7", "3.10", "3.11"] },
|
|
702
|
-
"3.10": {
|
|
703
|
-
id: "3.10",
|
|
704
|
-
title: "Encrypt Sensitive Data in Transit",
|
|
705
|
-
description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
|
|
706
|
-
implementationGroup: "IG2",
|
|
707
|
-
assetType: ["Data"],
|
|
708
|
-
securityFunction: ["Protect"],
|
|
709
|
-
governanceElements: [ // Orange - MUST be met
|
|
710
|
-
"Encrypt"
|
|
711
|
-
],
|
|
712
|
-
coreRequirements: [ // Green - The "what"
|
|
713
|
-
"Encrypt sensitive data in transit"
|
|
714
|
-
],
|
|
715
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
716
|
-
"Sensitive data in transit"
|
|
717
|
-
],
|
|
718
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
719
|
-
"TLS",
|
|
720
|
-
"OpenSSH"
|
|
721
|
-
],
|
|
722
|
-
relatedSafeguards: ["3.1", "3.7", "3.8", "3.11", "13.1", "13.2"] },
|
|
723
|
-
"3.11": {
|
|
724
|
-
id: "3.11",
|
|
725
|
-
title: "Encrypt Sensitive Data at Rest",
|
|
726
|
-
description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
|
|
727
|
-
implementationGroup: "IG2",
|
|
728
|
-
assetType: ["Data"],
|
|
729
|
-
securityFunction: ["Protect"],
|
|
730
|
-
governanceElements: [ // Orange - MUST be met
|
|
731
|
-
"Encrypt",
|
|
732
|
-
"Minimum Requirement"
|
|
733
|
-
],
|
|
734
|
-
coreRequirements: [ // Green - The "what"
|
|
735
|
-
"Encrypt sensitive data at rest"
|
|
736
|
-
],
|
|
737
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
738
|
-
"Sensitive Data At Rest",
|
|
739
|
-
"Servers",
|
|
740
|
-
"Applications",
|
|
741
|
-
"Databases",
|
|
742
|
-
"Storage Layer (server side) encryption"
|
|
743
|
-
],
|
|
744
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
745
|
-
"Application layer (client-side) encryption",
|
|
746
|
-
"Where access to the data storage device(s) does not permit access to the plain-text data"
|
|
747
|
-
],
|
|
748
|
-
relatedSafeguards: ["3.1", "3.6", "3.7", "3.9", "3.10", "11.1"] },
|
|
749
|
-
"3.12": {
|
|
750
|
-
id: "3.12",
|
|
751
|
-
title: "Segment Data Processing and Storage Based on Sensitivity",
|
|
752
|
-
description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
|
|
753
|
-
implementationGroup: "IG2",
|
|
754
|
-
assetType: ["Data"],
|
|
755
|
-
securityFunction: ["Protect"],
|
|
756
|
-
governanceElements: [ // Orange - MUST be met
|
|
757
|
-
"Do not process sensitive data on enterprise assets intended for lower sensitivity data"
|
|
758
|
-
],
|
|
759
|
-
coreRequirements: [ // Green - The "what"
|
|
760
|
-
"Segment Data Processing",
|
|
761
|
-
"Segment Data Storage",
|
|
762
|
-
"Based on Sensitivity"
|
|
763
|
-
],
|
|
764
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
765
|
-
],
|
|
766
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
767
|
-
],
|
|
768
|
-
relatedSafeguards: ["3.1", "3.7", "12.1", "12.2", "12.3"] },
|
|
769
|
-
"3.13": {
|
|
770
|
-
id: "3.13",
|
|
771
|
-
title: "Deploy a Data Loss Prevention Solution",
|
|
772
|
-
description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
|
|
773
|
-
implementationGroup: "IG3",
|
|
774
|
-
assetType: ["Data"],
|
|
775
|
-
securityFunction: ["Protect"],
|
|
776
|
-
governanceElements: [ // Orange - MUST be met
|
|
777
|
-
"Implement"
|
|
778
|
-
],
|
|
779
|
-
coreRequirements: [ // Green - The "what"
|
|
780
|
-
"automated tool to identify all sensitive data"
|
|
781
|
-
],
|
|
782
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
783
|
-
"Identify all sensitive Data",
|
|
784
|
-
"Stored",
|
|
785
|
-
"Processed",
|
|
786
|
-
"Transmitted",
|
|
787
|
-
"Onsite Data",
|
|
788
|
-
"Remote Service Provider",
|
|
789
|
-
"Update Data Inventory"
|
|
790
|
-
],
|
|
791
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
792
|
-
"Host-based Data loss Prevention (DLP) tool"
|
|
793
|
-
],
|
|
794
|
-
relatedSafeguards: ["3.1", "3.7", "3.8", "3.10", "3.11"] },
|
|
795
|
-
"3.14": {
|
|
796
|
-
id: "3.14",
|
|
797
|
-
title: "Log Sensitive Data Access",
|
|
798
|
-
description: "Log sensitive data access, including modification and disposal.",
|
|
799
|
-
implementationGroup: "IG3",
|
|
800
|
-
assetType: ["Data"],
|
|
801
|
-
securityFunction: ["Detect"],
|
|
802
|
-
governanceElements: [ // Orange - MUST be met
|
|
803
|
-
"Log"
|
|
804
|
-
],
|
|
805
|
-
coreRequirements: [ // Green - The "what"
|
|
806
|
-
"Log sensitive data access, including modification and disposal"
|
|
807
|
-
],
|
|
808
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
809
|
-
],
|
|
810
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
811
|
-
],
|
|
812
|
-
relatedSafeguards: ["3.1", "3.7", "3.8", "8.1", "8.2"] },
|
|
813
|
-
"4.1": {
|
|
814
|
-
id: "4.1",
|
|
815
|
-
title: "Establish and Maintain a Secure Configuration Process",
|
|
816
|
-
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
817
|
-
implementationGroup: "IG1",
|
|
818
|
-
assetType: ["Docuemntation"],
|
|
819
|
-
securityFunction: ["Govern"],
|
|
820
|
-
governanceElements: [ // Orange - MUST be met
|
|
821
|
-
"Establish",
|
|
822
|
-
"Maintain",
|
|
823
|
-
"Review and update documentation",
|
|
824
|
-
"Annually",
|
|
825
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
826
|
-
],
|
|
827
|
-
coreRequirements: [ // Green - The "what"
|
|
828
|
-
"documented secure configuration process"
|
|
829
|
-
],
|
|
830
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
831
|
-
"Enterprise assets",
|
|
832
|
-
"Software",
|
|
833
|
-
"End-user devices",
|
|
834
|
-
"Mobile",
|
|
835
|
-
"Portable",
|
|
836
|
-
"Non-computing/IoT devices",
|
|
837
|
-
"Servers",
|
|
838
|
-
"OS"
|
|
839
|
-
],
|
|
840
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
841
|
-
],
|
|
842
|
-
relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"] },
|
|
843
|
-
"4.2": {
|
|
844
|
-
id: "4.2",
|
|
845
|
-
title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
|
|
846
|
-
description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
847
|
-
implementationGroup: "IG1",
|
|
848
|
-
assetType: ["Documentation"],
|
|
849
|
-
securityFunction: ["Govern"],
|
|
850
|
-
governanceElements: [ // Orange - MUST be met
|
|
851
|
-
"Establish",
|
|
852
|
-
"Maintain",
|
|
853
|
-
"Review and update documentation",
|
|
854
|
-
"Annually",
|
|
855
|
-
"When significant enterprise changes occur that could impact this Safeguard"
|
|
856
|
-
],
|
|
857
|
-
coreRequirements: [ // Green - The "what"
|
|
858
|
-
"documented secure configuration process"
|
|
859
|
-
],
|
|
860
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
861
|
-
"Network devices"
|
|
862
|
-
],
|
|
863
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
864
|
-
],
|
|
865
|
-
relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"] },
|
|
866
|
-
"4.3": {
|
|
867
|
-
id: "4.3",
|
|
868
|
-
title: "Configure Automatic Session Locking on Enterprise Assets",
|
|
869
|
-
description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
|
|
870
|
-
implementationGroup: "IG1",
|
|
871
|
-
assetType: ["Devices"],
|
|
872
|
-
securityFunction: ["Protect"],
|
|
873
|
-
governanceElements: [ // Orange - MUST be met
|
|
874
|
-
"Configure",
|
|
875
|
-
"Period must not exceed for 15 Minutes",
|
|
876
|
-
"Period must not exceed for 2 Minutes"
|
|
877
|
-
],
|
|
878
|
-
coreRequirements: [ // Green - The "what"
|
|
879
|
-
"automatic session locking on enterprise assets"
|
|
880
|
-
],
|
|
881
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
882
|
-
"Period of inactivity",
|
|
883
|
-
"General Purpose OSs",
|
|
884
|
-
"Mobile end-user devices"
|
|
885
|
-
],
|
|
886
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
887
|
-
],
|
|
888
|
-
relatedSafeguards: ["4.1"] },
|
|
889
|
-
"4.4": {
|
|
890
|
-
id: "4.4",
|
|
891
|
-
title: "Implement and Manage a Firewall on Servers",
|
|
892
|
-
description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
|
|
893
|
-
implementationGroup: "IG1",
|
|
894
|
-
assetType: ["Devices"],
|
|
895
|
-
securityFunction: ["Protect"],
|
|
896
|
-
governanceElements: [ // Orange - MUST be met
|
|
897
|
-
"Implement",
|
|
898
|
-
"Manage",
|
|
899
|
-
"Where Supported"
|
|
900
|
-
],
|
|
901
|
-
coreRequirements: [ // Green - The "what"
|
|
902
|
-
"firewall on servers"
|
|
903
|
-
],
|
|
904
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
905
|
-
"Server Firewall"
|
|
906
|
-
],
|
|
907
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
908
|
-
"Virtual Firewall",
|
|
909
|
-
"OS Firewall",
|
|
910
|
-
"Third Party Firewall",
|
|
911
|
-
],
|
|
912
|
-
relatedSafeguards: ["4.1"] },
|
|
913
|
-
"4.5": {
|
|
914
|
-
id: "4.5",
|
|
915
|
-
title: "Implement and Manage a Firewall on End-User Devices",
|
|
916
|
-
description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
|
|
917
|
-
implementationGroup: "IG1",
|
|
918
|
-
assetType: ["Devices"],
|
|
919
|
-
securityFunction: ["Protect"],
|
|
920
|
-
governanceElements: [ // Orange - MUST be met
|
|
921
|
-
"Implement",
|
|
922
|
-
"Manage"
|
|
923
|
-
],
|
|
924
|
-
coreRequirements: [ // Green - The "what"
|
|
925
|
-
"host-based firewall or port-filtering tool on end-user devices"
|
|
926
|
-
],
|
|
927
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
928
|
-
"Default Deny Rule that drops all traffic",
|
|
929
|
-
"Except Explicitly Allowed",
|
|
930
|
-
"Services",
|
|
931
|
-
"Ports"
|
|
932
|
-
],
|
|
933
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
934
|
-
"Firewall",
|
|
935
|
-
"Configuration Management Tool"
|
|
936
|
-
],
|
|
937
|
-
relatedSafeguards: ["4.1"] },
|
|
938
|
-
"4.6": {
|
|
939
|
-
id: "4.6",
|
|
940
|
-
title: "Securely Manage Enterprise Assets and Software",
|
|
941
|
-
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
942
|
-
implementationGroup: "IG1",
|
|
943
|
-
assetType: ["Devices"],
|
|
944
|
-
securityFunction: ["Protect"],
|
|
945
|
-
governanceElements: [ // Orange - MUST be met
|
|
946
|
-
"Do not use insecure management protocols",
|
|
947
|
-
"Unless operationally essential"
|
|
948
|
-
],
|
|
949
|
-
coreRequirements: [ // Green - The "what"
|
|
950
|
-
"Securely manage enterprise assets and software"
|
|
951
|
-
],
|
|
952
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
953
|
-
"Securely manage enterprise assets and software",
|
|
954
|
-
"Do not use insecure management protocols unless operationally essential"
|
|
955
|
-
],
|
|
956
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
957
|
-
"Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
|
|
958
|
-
"Accessing administrative interfaces over secure network protocols",
|
|
959
|
-
"SSH instead of TELNET",
|
|
960
|
-
"HTTPS instead of HTTP",
|
|
961
|
-
],
|
|
962
|
-
relatedSafeguards: ["4.1", "12.3"] },
|
|
963
|
-
"4.7": {
|
|
964
|
-
id: "4.7",
|
|
965
|
-
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
966
|
-
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
967
|
-
implementationGroup: "IG1",
|
|
968
|
-
assetType: ["Users"],
|
|
969
|
-
securityFunction: ["Protect"],
|
|
970
|
-
governanceElements: [ // Orange - MUST be met
|
|
971
|
-
"Manage"
|
|
972
|
-
],
|
|
973
|
-
coreRequirements: [ // Green - The "what"
|
|
974
|
-
"default accounts"
|
|
975
|
-
],
|
|
976
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
977
|
-
"Enterprise assets",
|
|
978
|
-
"Software"
|
|
979
|
-
],
|
|
980
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
981
|
-
"Disabling them",
|
|
982
|
-
"making them Unusable",
|
|
983
|
-
"Root, Administrator, or other pre-configured vendor accounts"
|
|
984
|
-
],
|
|
985
|
-
relatedSafeguards: ["4.1"] },
|
|
986
|
-
"4.8": {
|
|
987
|
-
id: "4.8",
|
|
988
|
-
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
989
|
-
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
990
|
-
implementationGroup: "IG2",
|
|
991
|
-
assetType: ["Devices", "Software"],
|
|
992
|
-
securityFunction: ["Protect"],
|
|
993
|
-
governanceElements: [ // Orange - MUST be met
|
|
994
|
-
"Uninstall",
|
|
995
|
-
"Disable"
|
|
996
|
-
],
|
|
997
|
-
coreRequirements: [ // Green - The "what"
|
|
998
|
-
"unnecessary services"
|
|
999
|
-
],
|
|
1000
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1001
|
-
"Enterprise assets",
|
|
1002
|
-
"Software"
|
|
1003
|
-
],
|
|
1004
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1005
|
-
"Unused File Sharing Services",
|
|
1006
|
-
"Web Application Module",
|
|
1007
|
-
"Service Function"
|
|
1008
|
-
],
|
|
1009
|
-
relatedSafeguards: ["4.1"] },
|
|
1010
|
-
"4.9": {
|
|
1011
|
-
id: "4.9",
|
|
1012
|
-
title: "Configure Trusted DNS Servers on Enterprise Assets",
|
|
1013
|
-
description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
|
|
1014
|
-
implementationGroup: "IG2",
|
|
1015
|
-
assetType: ["Devices"],
|
|
1016
|
-
securityFunction: ["Protect"],
|
|
1017
|
-
governanceElements: [ // Orange - MUST be met
|
|
1018
|
-
"Configure"
|
|
1019
|
-
],
|
|
1020
|
-
coreRequirements: [ // Green - The "what"
|
|
1021
|
-
"trusted DNS servers"
|
|
1022
|
-
],
|
|
1023
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1024
|
-
"Enterprise assets"
|
|
1025
|
-
],
|
|
1026
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1027
|
-
"Configuring assets to use enterprise-controlled DNS servers",
|
|
1028
|
-
"Reputable externally accessible DNS servers"
|
|
1029
|
-
],
|
|
1030
|
-
relatedSafeguards: ["4.1", "8.6", "9.2"] },
|
|
1031
|
-
"4.10": {
|
|
1032
|
-
id: "4.10",
|
|
1033
|
-
title: "Enforce Automatic Device Lockout on Portable End-User Devices",
|
|
1034
|
-
description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
|
|
1035
|
-
implementationGroup: "IG2",
|
|
1036
|
-
assetType: ["Devices"],
|
|
1037
|
-
securityFunction: ["Protect"],
|
|
1038
|
-
governanceElements: [ // Orange - MUST be met
|
|
1039
|
-
"Enforce",
|
|
1040
|
-
"Where supported",
|
|
1041
|
-
"Do not allow more than 20 Failed Authentication Attempts",
|
|
1042
|
-
"No more than 10 Failed Authentication Attempts"
|
|
1043
|
-
],
|
|
1044
|
-
coreRequirements: [ // Green - The "what"
|
|
1045
|
-
"automatic device lockout"
|
|
1046
|
-
],
|
|
1047
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1048
|
-
"After a Predetermined threshold of local failed authentication attempts",
|
|
1049
|
-
"On Portable end-user devices",
|
|
1050
|
-
"Such as Laptops",
|
|
1051
|
-
"Such as Tablets and smartphones"
|
|
1052
|
-
],
|
|
1053
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1054
|
-
"Microsoft® InTune Device Lock",
|
|
1055
|
-
"Apple® Configuration Profile maxFailedAttempts",
|
|
1056
|
-
"Configuration Management Tool"
|
|
1057
|
-
],
|
|
1058
|
-
relatedSafeguards: ["4.1"] },
|
|
1059
|
-
"4.11": {
|
|
1060
|
-
id: "4.11",
|
|
1061
|
-
title: "Enforce Remote Wipe Capability on Portable End-User Devices",
|
|
1062
|
-
description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
|
|
1063
|
-
implementationGroup: "IG2",
|
|
1064
|
-
assetType: ["Devices"],
|
|
1065
|
-
securityFunction: ["Protect"],
|
|
1066
|
-
governanceElements: [ // Orange - MUST be met
|
|
1067
|
-
"When deemed appropriate"
|
|
1068
|
-
],
|
|
1069
|
-
coreRequirements: [ // Green - The "what"
|
|
1070
|
-
"Remotely wipe enterprise data"
|
|
1071
|
-
],
|
|
1072
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1073
|
-
"Portable end-user devices"
|
|
1074
|
-
],
|
|
1075
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1076
|
-
"Lost devices",
|
|
1077
|
-
"Stolen devices",
|
|
1078
|
-
"When an individual no longer supports the enterprise"
|
|
1079
|
-
],
|
|
1080
|
-
relatedSafeguards: ["4.1"] },
|
|
1081
|
-
"4.12": {
|
|
1082
|
-
id: "4.12",
|
|
1083
|
-
title: "Separate Enterprise Workspaces on Mobile End-User Devices",
|
|
1084
|
-
description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
|
|
1085
|
-
implementationGroup: "IG3",
|
|
1086
|
-
assetType: ["Data"],
|
|
1087
|
-
securityFunction: ["Protect"],
|
|
1088
|
-
governanceElements: [ // Orange - MUST be met
|
|
1089
|
-
"Ensure",
|
|
1090
|
-
"Where Supported"
|
|
1091
|
-
],
|
|
1092
|
-
coreRequirements: [ // Green - The "what"
|
|
1093
|
-
"separate enterprise workspaces are used on mobile end-user devices"
|
|
1094
|
-
],
|
|
1095
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1096
|
-
"Enterprise Applications and Enterprise Data",
|
|
1097
|
-
"Seperate from Personal Applications and Personal Data"
|
|
1098
|
-
],
|
|
1099
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1100
|
-
"Apple® Configuration Profile",
|
|
1101
|
-
"AndroidTM Work Profile"
|
|
1102
|
-
],
|
|
1103
|
-
relatedSafeguards: ["4.1"] },
|
|
1104
|
-
"5.1": {
|
|
1105
|
-
id: "5.1",
|
|
1106
|
-
title: "Establish and Maintain an Inventory of Accounts",
|
|
1107
|
-
description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
1108
|
-
implementationGroup: "IG1",
|
|
1109
|
-
assetType: ["Users"],
|
|
1110
|
-
securityFunction: ["Identify"],
|
|
1111
|
-
governanceElements: [ // Orange - MUST be met
|
|
1112
|
-
"Establish and maintain",
|
|
1113
|
-
"Must include",
|
|
1114
|
-
"Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
|
|
1115
|
-
],
|
|
1116
|
-
coreRequirements: [ // Green - The "what"
|
|
1117
|
-
"Inventory of Accounts"
|
|
1118
|
-
],
|
|
1119
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1120
|
-
"User Accounts",
|
|
1121
|
-
"Administrator Accounts",
|
|
1122
|
-
"Service Accounts",
|
|
1123
|
-
"Name",
|
|
1124
|
-
"Username",
|
|
1125
|
-
"Start Stop Dates",
|
|
1126
|
-
"Department"
|
|
1127
|
-
],
|
|
1128
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1129
|
-
],
|
|
1130
|
-
relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"] },
|
|
1131
|
-
"5.2": {
|
|
1132
|
-
id: "5.2",
|
|
1133
|
-
title: "Use Unique Passwords",
|
|
1134
|
-
description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
|
|
1135
|
-
implementationGroup: "IG1",
|
|
1136
|
-
assetType: ["Users"],
|
|
1137
|
-
securityFunction: ["Protect"],
|
|
1138
|
-
governanceElements: [ // Orange - MUST be met
|
|
1139
|
-
"Use",
|
|
1140
|
-
"At a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
|
|
1141
|
-
],
|
|
1142
|
-
coreRequirements: [ // Green - The "what"
|
|
1143
|
-
"Unique Passwords"
|
|
1144
|
-
],
|
|
1145
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1146
|
-
"All Enterprise Assets"
|
|
1147
|
-
],
|
|
1148
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1149
|
-
],
|
|
1150
|
-
relatedSafeguards: ["5.1"] },
|
|
1151
|
-
"5.3": {
|
|
1152
|
-
id: "5.3",
|
|
1153
|
-
title: "Disable Dormant Accounts",
|
|
1154
|
-
description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
|
|
1155
|
-
implementationGroup: "IG1",
|
|
1156
|
-
assetType: ["Users"],
|
|
1157
|
-
securityFunction: ["Protect"],
|
|
1158
|
-
governanceElements: [ // Orange - MUST be met
|
|
1159
|
-
"after a period of 45 days of inactivity",
|
|
1160
|
-
"where supported"
|
|
1161
|
-
],
|
|
1162
|
-
coreRequirements: [ // Green - The "what"
|
|
1163
|
-
"Dormant Accounts"
|
|
1164
|
-
],
|
|
1165
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1166
|
-
"Dormant Accounts"
|
|
1167
|
-
],
|
|
1168
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1169
|
-
],
|
|
1170
|
-
relatedSafeguards: ["5.1"] },
|
|
1171
|
-
"5.4": {
|
|
1172
|
-
id: "5.4",
|
|
1173
|
-
title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
|
|
1174
|
-
description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
|
|
1175
|
-
implementationGroup: "IG1",
|
|
1176
|
-
assetType: ["Users"],
|
|
1177
|
-
securityFunction: ["Protect"],
|
|
1178
|
-
governanceElements: [ // Orange - MUST be met
|
|
1179
|
-
"Restrict"
|
|
1180
|
-
],
|
|
1181
|
-
coreRequirements: [ // Green - The "what"
|
|
1182
|
-
"Administrator Privileges",
|
|
1183
|
-
"Dedicated Admin Accounts"
|
|
1184
|
-
],
|
|
1185
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1186
|
-
"Enterprise assets",
|
|
1187
|
-
"User's primary, non-privileged account",
|
|
1188
|
-
"General Computing Activities"
|
|
1189
|
-
],
|
|
1190
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1191
|
-
"Such as",
|
|
1192
|
-
"Internet browsing",
|
|
1193
|
-
"Email",
|
|
1194
|
-
"Productivity suite use"
|
|
1195
|
-
],
|
|
1196
|
-
relatedSafeguards: ["4.1", "5.1"] },
|
|
1197
|
-
"5.5": {
|
|
1198
|
-
id: "5.5",
|
|
1199
|
-
title: "Establish and Maintain an Inventory of Service Accounts",
|
|
1200
|
-
description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
|
|
1201
|
-
implementationGroup: "IG2",
|
|
1202
|
-
assetType: ["Users"],
|
|
1203
|
-
securityFunction: ["Identify"],
|
|
1204
|
-
governanceElements: [ // Orange - MUST be met
|
|
1205
|
-
"Establish and maintain",
|
|
1206
|
-
"at a minimum, must contain",
|
|
1207
|
-
"Perform service account reviews to validate that all active accounts are authorized",
|
|
1208
|
-
"recurring schedule at a minimum quarterly, or more frequently"
|
|
1209
|
-
],
|
|
1210
|
-
coreRequirements: [ // Green - The "what"
|
|
1211
|
-
"Inventory of Service Accounts"
|
|
1212
|
-
],
|
|
1213
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1214
|
-
"Department Owner",
|
|
1215
|
-
"Review date",
|
|
1216
|
-
"Purpose"
|
|
1217
|
-
],
|
|
1218
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1219
|
-
],
|
|
1220
|
-
relatedSafeguards: ["5.1"] },
|
|
1221
|
-
"5.6": {
|
|
1222
|
-
id: "5.6",
|
|
1223
|
-
title: "Centralize Account Management",
|
|
1224
|
-
description: "Centralize account management through a directory or identity service.",
|
|
1225
|
-
implementationGroup: "IG2",
|
|
1226
|
-
assetType: ["Users"],
|
|
1227
|
-
securityFunction: ["Govern"],
|
|
1228
|
-
governanceElements: [ // Orange - MUST be met
|
|
1229
|
-
"Centralize"
|
|
1230
|
-
],
|
|
1231
|
-
coreRequirements: [ // Green - The "what"
|
|
1232
|
-
"Account Management"
|
|
1233
|
-
],
|
|
1234
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1235
|
-
"Directory Service",
|
|
1236
|
-
"Identity Service"
|
|
1237
|
-
],
|
|
1238
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1239
|
-
],
|
|
1240
|
-
relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"] },
|
|
1241
|
-
"6.1": {
|
|
1242
|
-
id: "6.1",
|
|
1243
|
-
title: "Establish an Access Granting Process",
|
|
1244
|
-
description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
|
|
1245
|
-
implementationGroup: "IG1",
|
|
1246
|
-
assetType: ["Documentation"],
|
|
1247
|
-
securityFunction: ["Govern"],
|
|
1248
|
-
governanceElements: [ // Orange - MUST be met
|
|
1249
|
-
"Establish",
|
|
1250
|
-
"Follow"
|
|
1251
|
-
],
|
|
1252
|
-
coreRequirements: [ // Green - The "what"
|
|
1253
|
-
"documented process",
|
|
1254
|
-
"granting access to enterprise assets"
|
|
1255
|
-
],
|
|
1256
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1257
|
-
"upon new hire",
|
|
1258
|
-
"role change of a user",
|
|
1259
|
-
"Enterprise assets"
|
|
1260
|
-
],
|
|
1261
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1262
|
-
],
|
|
1263
|
-
relatedSafeguards: ["5.1", "6.7", "6.8"] },
|
|
1264
|
-
"6.2": {
|
|
1265
|
-
id: "6.2",
|
|
1266
|
-
title: "Establish an Access Revoking Process",
|
|
1267
|
-
description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
|
|
1268
|
-
implementationGroup: "IG1",
|
|
1269
|
-
assetType: ["Documentation"],
|
|
1270
|
-
securityFunction: ["Govern"],
|
|
1271
|
-
governanceElements: [ // Orange - MUST be met
|
|
1272
|
-
"Establish",
|
|
1273
|
-
"Follow",
|
|
1274
|
-
"Disabling Accounts, instead of Deleting accounts, may be necessary to preserve audit trails"
|
|
1275
|
-
],
|
|
1276
|
-
coreRequirements: [ // Green - The "what"
|
|
1277
|
-
"Access Revoking Process"
|
|
1278
|
-
],
|
|
1279
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1280
|
-
"Role Change",
|
|
1281
|
-
"Termination",
|
|
1282
|
-
"Rights revocation",
|
|
1283
|
-
"Enterprise assets",
|
|
1284
|
-
"Disabling accounts immediately"
|
|
1285
|
-
],
|
|
1286
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1287
|
-
"Preferably Automated"
|
|
1288
|
-
],
|
|
1289
|
-
relatedSafeguards: ["5.1", "6.7"] },
|
|
1290
|
-
"6.3": {
|
|
1291
|
-
id: "6.3",
|
|
1292
|
-
title: "Require MFA for Externally-Exposed Applications",
|
|
1293
|
-
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
|
|
1294
|
-
implementationGroup: "IG1",
|
|
1295
|
-
assetType: ["Users"],
|
|
1296
|
-
securityFunction: ["Protect"],
|
|
1297
|
-
governanceElements: [ // Orange - MUST be met
|
|
1298
|
-
"Require",
|
|
1299
|
-
"Enforce",
|
|
1300
|
-
"Where Supported"
|
|
1301
|
-
],
|
|
1302
|
-
coreRequirements: [ // Green - The "what"
|
|
1303
|
-
"all externally-exposed enterprise or third-party applications to enforce MFA",
|
|
1304
|
-
"MFA - Multi Factor Authentication"
|
|
1305
|
-
],
|
|
1306
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1307
|
-
"MFA for all externally exposed enterprise or third-party applications"
|
|
1308
|
-
],
|
|
1309
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1310
|
-
"Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard"
|
|
1311
|
-
],
|
|
1312
|
-
relatedSafeguards: ["2.1", "4.1"] },
|
|
1313
|
-
"6.4": {
|
|
1314
|
-
id: "6.4",
|
|
1315
|
-
title: "Require MFA for Remote Network Access",
|
|
1316
|
-
description: "Require MFA for remote network access.",
|
|
1317
|
-
implementationGroup: "IG1",
|
|
1318
|
-
assetType: ["Users"],
|
|
1319
|
-
securityFunction: ["Protect"],
|
|
1320
|
-
governanceElements: [ // Orange - MUST be met
|
|
1321
|
-
"Require"
|
|
1322
|
-
],
|
|
1323
|
-
coreRequirements: [ // Green - The "what"
|
|
1324
|
-
"MFA for remote network access"
|
|
1325
|
-
],
|
|
1326
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1327
|
-
"MFA for Remote Network Access"
|
|
1328
|
-
],
|
|
1329
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1330
|
-
],
|
|
1331
|
-
relatedSafeguards: ["4.2", "12.7"] },
|
|
1332
|
-
"6.5": {
|
|
1333
|
-
id: "6.5",
|
|
1334
|
-
title: "Require MFA for Administrative Access",
|
|
1335
|
-
description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
|
|
1336
|
-
implementationGroup: "IG1",
|
|
1337
|
-
assetType: ["Users"],
|
|
1338
|
-
securityFunction: ["Protect"],
|
|
1339
|
-
governanceElements: [ // Orange - MUST be met
|
|
1340
|
-
"Require",
|
|
1341
|
-
"Where Supported"
|
|
1342
|
-
],
|
|
1343
|
-
coreRequirements: [ // Green - The "what"
|
|
1344
|
-
"MFA on all administrative access accounts"
|
|
1345
|
-
],
|
|
1346
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1347
|
-
"All Admin Access Accounts",
|
|
1348
|
-
"All enterprise assets",
|
|
1349
|
-
"Onsite Management accounts or Service Provider Admin Accounts"
|
|
1350
|
-
],
|
|
1351
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1352
|
-
],
|
|
1353
|
-
relatedSafeguards: ["4.1"] },
|
|
1354
|
-
"6.6": {
|
|
1355
|
-
id: "6.6",
|
|
1356
|
-
title: "Establish and Maintain an Inventory of Authentication and Authorization Systems",
|
|
1357
|
-
description: "Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.",
|
|
1358
|
-
implementationGroup: "IG2",
|
|
1359
|
-
assetType: ["Software"],
|
|
1360
|
-
securityFunction: ["Identify"],
|
|
1361
|
-
governanceElements: [ // Orange - MUST be met
|
|
1362
|
-
"Establish",
|
|
1363
|
-
"maintain",
|
|
1364
|
-
"Review and update inventory",
|
|
1365
|
-
"At a minimum, monthly or more frequenlty"
|
|
1366
|
-
],
|
|
1367
|
-
coreRequirements: [ // Green - The "what"
|
|
1368
|
-
"inventory of the enterprise's authentication and authorization systems"
|
|
1369
|
-
],
|
|
1370
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1371
|
-
"hosted on-site",
|
|
1372
|
-
"hosted at a remote service provider"
|
|
1373
|
-
],
|
|
1374
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1375
|
-
],
|
|
1376
|
-
relatedSafeguards: ["1.1", "2.1", "3.3", "5.6", "6.7"] },
|
|
1377
|
-
"6.7": {
|
|
1378
|
-
id: "6.7",
|
|
1379
|
-
title: "Centralize Access Control",
|
|
1380
|
-
description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
|
|
1381
|
-
implementationGroup: "IG2",
|
|
1382
|
-
assetType: ["Users"],
|
|
1383
|
-
securityFunction: ["Protect"],
|
|
1384
|
-
governanceElements: [ // Orange - MUST be met
|
|
1385
|
-
"Centralize",
|
|
1386
|
-
"Where Supported"
|
|
1387
|
-
],
|
|
1388
|
-
coreRequirements: [ // Green - The "what"
|
|
1389
|
-
"access control"
|
|
1390
|
-
],
|
|
1391
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1392
|
-
"through a directory service or SSO provider",
|
|
1393
|
-
"Directory Service or SSO Provider",
|
|
1394
|
-
"All enterprise assets"
|
|
1395
|
-
],
|
|
1396
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1397
|
-
],
|
|
1398
|
-
relatedSafeguards: ["4.1", "5.1", "5.6", "6.1", "6.2", "6.6", "12.5", "12.7"] },
|
|
1399
|
-
"6.8": {
|
|
1400
|
-
id: "6.8",
|
|
1401
|
-
title: "Define and Maintain Role-Based Access Control",
|
|
1402
|
-
description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
|
|
1403
|
-
implementationGroup: "IG3",
|
|
1404
|
-
assetType: ["Users"],
|
|
1405
|
-
securityFunction: ["Govern"],
|
|
1406
|
-
governanceElements: [ // Orange - MUST be met
|
|
1407
|
-
"Define",
|
|
1408
|
-
"maintain",
|
|
1409
|
-
"Necessary",
|
|
1410
|
-
"Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule",
|
|
1411
|
-
"At a mimimum Annually, or more Frequently"
|
|
1412
|
-
],
|
|
1413
|
-
coreRequirements: [ // Green - The "what"
|
|
1414
|
-
"role-based access control"
|
|
1415
|
-
],
|
|
1416
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1417
|
-
"Access rights",
|
|
1418
|
-
"Each Role",
|
|
1419
|
-
"Neccesary to Successfully carry out its assigned duties",
|
|
1420
|
-
"Determining",
|
|
1421
|
-
"Documenting"
|
|
1422
|
-
],
|
|
1423
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1424
|
-
],
|
|
1425
|
-
relatedSafeguards: ["3.3", "4.1", "6.1"] },
|
|
1426
|
-
"7.1": {
|
|
1427
|
-
id: "7.1",
|
|
1428
|
-
title: "Establish and Maintain a Vulnerability Management Process",
|
|
1429
|
-
description: "Establish and maintain a documented vulnerability management process for enterprise assets",
|
|
1430
|
-
implementationGroup: "IG1",
|
|
1431
|
-
assetType: ["documentation"],
|
|
1432
|
-
securityFunction: ["Govern"],
|
|
1433
|
-
governanceElements: [ // Orange - MUST be met
|
|
1434
|
-
"Establish",
|
|
1435
|
-
"Maintain",
|
|
1436
|
-
"review and update documentation annually",
|
|
1437
|
-
"update when significant enterprise changes occur"
|
|
1438
|
-
],
|
|
1439
|
-
coreRequirements: [ // Green - The "what"
|
|
1440
|
-
"vulnerability management process",
|
|
1441
|
-
"documented",
|
|
1442
|
-
],
|
|
1443
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1444
|
-
"Enterprise Assets"
|
|
1445
|
-
],
|
|
1446
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1447
|
-
],
|
|
1448
|
-
relatedSafeguards: ["1.1", "2.1", "7.2", "7.3", "7.4", "7.5", "7.6", "7.7"] },
|
|
1449
|
-
"7.2": {
|
|
1450
|
-
id: "7.2",
|
|
1451
|
-
title: "Establish and Maintain a Remediation Process",
|
|
1452
|
-
description: "Establish and maintain a remediation process and SLA for security vulnerabilities",
|
|
1453
|
-
implementationGroup: "IG1",
|
|
1454
|
-
assetType: ["Software"],
|
|
1455
|
-
securityFunction: ["Respond"],
|
|
1456
|
-
governanceElements: [ // Orange - MUST be met
|
|
1457
|
-
"establish remediation process",
|
|
1458
|
-
"maintain remediation process",
|
|
1459
|
-
"SLA for security vulnerabilities",
|
|
1460
|
-
"vulnerability remediation governance"
|
|
1461
|
-
],
|
|
1462
|
-
coreRequirements: [ // Green - The "what"
|
|
1463
|
-
"remediation process",
|
|
1464
|
-
"service level agreement",
|
|
1465
|
-
"security vulnerability handling",
|
|
1466
|
-
"remediation timeline management"
|
|
1467
|
-
],
|
|
1468
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1469
|
-
"vulnerability prioritization",
|
|
1470
|
-
"remediation timelines",
|
|
1471
|
-
"escalation procedures",
|
|
1472
|
-
"patch management integration",
|
|
1473
|
-
"risk-based remediation",
|
|
1474
|
-
"remediation tracking",
|
|
1475
|
-
"verification procedures"
|
|
1476
|
-
],
|
|
1477
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1478
|
-
"vulnerability management platforms",
|
|
1479
|
-
"patch management systems",
|
|
1480
|
-
"remediation workflow tools",
|
|
1481
|
-
"SLA tracking systems",
|
|
1482
|
-
"risk scoring frameworks"
|
|
1483
|
-
],
|
|
1484
|
-
relatedSafeguards: ["7.1", "7.3", "7.4", "7.5", "7.6", "7.7"] },
|
|
1485
|
-
"7.3": {
|
|
1486
|
-
id: "7.3",
|
|
1487
|
-
title: "Perform Automated Operating System Patch Management",
|
|
1488
|
-
description: "Perform automated operating system patch management on enterprise assets",
|
|
1489
|
-
implementationGroup: "IG1",
|
|
1490
|
-
assetType: ["Devices"],
|
|
1491
|
-
securityFunction: ["Protect"],
|
|
1492
|
-
governanceElements: [ // Orange - MUST be met
|
|
1493
|
-
"perform automated OS patch management",
|
|
1494
|
-
"enterprise assets coverage",
|
|
1495
|
-
"automated patching requirement",
|
|
1496
|
-
"patch management governance"
|
|
1497
|
-
],
|
|
1498
|
-
coreRequirements: [ // Green - The "what"
|
|
1499
|
-
"automated operating system patching",
|
|
1500
|
-
"enterprise asset coverage",
|
|
1501
|
-
"patch deployment automation",
|
|
1502
|
-
"OS security updates"
|
|
1503
|
-
],
|
|
1504
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1505
|
-
"patch deployment scheduling",
|
|
1506
|
-
"patch testing procedures",
|
|
1507
|
-
"rollback capabilities",
|
|
1508
|
-
"patch compliance monitoring",
|
|
1509
|
-
"emergency patching procedures",
|
|
1510
|
-
"patch approval workflows",
|
|
1511
|
-
"system restart management"
|
|
1512
|
-
],
|
|
1513
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1514
|
-
"Windows Update Services",
|
|
1515
|
-
"patch management platforms",
|
|
1516
|
-
"configuration management tools",
|
|
1517
|
-
"automated patching solutions",
|
|
1518
|
-
"system center tools"
|
|
1519
|
-
],
|
|
1520
|
-
relatedSafeguards: ["1.1", "4.1", "7.1", "7.2", "7.4", "7.5"] },
|
|
1521
|
-
"7.4": {
|
|
1522
|
-
id: "7.4",
|
|
1523
|
-
title: "Perform Automated Application Patch Management",
|
|
1524
|
-
description: "Perform automated application patch management on enterprise assets",
|
|
1525
|
-
implementationGroup: "IG1",
|
|
1526
|
-
assetType: ["Software"],
|
|
1527
|
-
securityFunction: ["Protect"],
|
|
1528
|
-
governanceElements: [ // Orange - MUST be met
|
|
1529
|
-
"perform automated application patching",
|
|
1530
|
-
"enterprise assets coverage",
|
|
1531
|
-
"automated application updates",
|
|
1532
|
-
"application patch governance"
|
|
1533
|
-
],
|
|
1534
|
-
coreRequirements: [ // Green - The "what"
|
|
1535
|
-
"automated application patching",
|
|
1536
|
-
"enterprise asset coverage",
|
|
1537
|
-
"application security updates",
|
|
1538
|
-
"patch deployment automation"
|
|
1539
|
-
],
|
|
1540
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1541
|
-
"application update management",
|
|
1542
|
-
"third-party software updates",
|
|
1543
|
-
"browser plugin updates",
|
|
1544
|
-
"security patch prioritization",
|
|
1545
|
-
"application compatibility testing",
|
|
1546
|
-
"update rollback procedures",
|
|
1547
|
-
"vendor patch notifications"
|
|
1548
|
-
],
|
|
1549
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1550
|
-
"application update managers",
|
|
1551
|
-
"third-party patch solutions",
|
|
1552
|
-
"automated deployment tools",
|
|
1553
|
-
"software inventory integration",
|
|
1554
|
-
"patch compliance scanners"
|
|
1555
|
-
],
|
|
1556
|
-
relatedSafeguards: ["2.1", "2.2", "7.1", "7.2", "7.3", "7.5"] },
|
|
1557
|
-
"7.5": {
|
|
1558
|
-
id: "7.5",
|
|
1559
|
-
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
1560
|
-
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
1561
|
-
implementationGroup: "IG2",
|
|
1562
|
-
assetType: ["Devices", "Software"],
|
|
1563
|
-
securityFunction: ["Detect"],
|
|
1564
|
-
governanceElements: [ // Orange - MUST be met
|
|
1565
|
-
"perform automated vulnerability scans",
|
|
1566
|
-
"internal enterprise assets",
|
|
1567
|
-
"quarterly or more frequent basis",
|
|
1568
|
-
"vulnerability scanning governance"
|
|
1569
|
-
],
|
|
1570
|
-
coreRequirements: [ // Green - The "what"
|
|
1571
|
-
"automated vulnerability scanning",
|
|
1572
|
-
"internal asset coverage",
|
|
1573
|
-
"quarterly scan frequency",
|
|
1574
|
-
"vulnerability detection"
|
|
1575
|
-
],
|
|
1576
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1577
|
-
"network vulnerability scanning",
|
|
1578
|
-
"host-based vulnerability scanning",
|
|
1579
|
-
"application vulnerability scanning",
|
|
1580
|
-
"database vulnerability scanning",
|
|
1581
|
-
"scan scheduling",
|
|
1582
|
-
"scan result analysis",
|
|
1583
|
-
"false positive management"
|
|
1584
|
-
],
|
|
1585
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1586
|
-
"vulnerability scanners",
|
|
1587
|
-
"network security scanners",
|
|
1588
|
-
"application security scanners",
|
|
1589
|
-
"automated scanning platforms",
|
|
1590
|
-
"vulnerability management systems"
|
|
1591
|
-
],
|
|
1592
|
-
relatedSafeguards: ["1.1", "2.1", "7.1", "7.2", "7.3", "7.4", "7.6", "7.7"] },
|
|
1593
|
-
"7.6": {
|
|
1594
|
-
id: "7.6",
|
|
1595
|
-
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
1596
|
-
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
1597
|
-
implementationGroup: "IG2",
|
|
1598
|
-
assetType: ["Devices", "Software"],
|
|
1599
|
-
securityFunction: ["Detect"],
|
|
1600
|
-
governanceElements: [ // Orange - MUST be met
|
|
1601
|
-
"perform automated vulnerability scans",
|
|
1602
|
-
"externally-exposed enterprise assets",
|
|
1603
|
-
"internal or external scanning service",
|
|
1604
|
-
"external asset scanning governance"
|
|
1605
|
-
],
|
|
1606
|
-
coreRequirements: [ // Green - The "what"
|
|
1607
|
-
"automated vulnerability scanning",
|
|
1608
|
-
"externally-exposed assets",
|
|
1609
|
-
"external vulnerability detection",
|
|
1610
|
-
"internet-facing asset scanning"
|
|
1611
|
-
],
|
|
1612
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1613
|
-
"external network scanning",
|
|
1614
|
-
"web application scanning",
|
|
1615
|
-
"exposed service scanning",
|
|
1616
|
-
"cloud asset scanning",
|
|
1617
|
-
"external IP monitoring",
|
|
1618
|
-
"internet exposure assessment",
|
|
1619
|
-
"attack surface analysis"
|
|
1620
|
-
],
|
|
1621
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1622
|
-
"external vulnerability scanners",
|
|
1623
|
-
"cloud security scanning",
|
|
1624
|
-
"web application scanners",
|
|
1625
|
-
"internet asset discovery",
|
|
1626
|
-
"third-party scanning services"
|
|
1627
|
-
],
|
|
1628
|
-
relatedSafeguards: ["1.1", "2.1", "7.1", "7.2", "7.5", "7.7"] },
|
|
1629
|
-
"7.7": {
|
|
1630
|
-
id: "7.7",
|
|
1631
|
-
title: "Remediate Detected Vulnerabilities",
|
|
1632
|
-
description: "Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis",
|
|
1633
|
-
implementationGroup: "IG2",
|
|
1634
|
-
assetType: ["Software"],
|
|
1635
|
-
securityFunction: ["Respond"],
|
|
1636
|
-
governanceElements: [ // Orange - MUST be met
|
|
1637
|
-
"remediate detected vulnerabilities",
|
|
1638
|
-
"software vulnerability remediation",
|
|
1639
|
-
"monthly or more frequent basis",
|
|
1640
|
-
"vulnerability remediation governance"
|
|
1641
|
-
],
|
|
1642
|
-
coreRequirements: [ // Green - The "what"
|
|
1643
|
-
"vulnerability remediation",
|
|
1644
|
-
"detected vulnerability handling",
|
|
1645
|
-
"monthly remediation cycles",
|
|
1646
|
-
"software security updates"
|
|
1647
|
-
],
|
|
1648
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1649
|
-
"vulnerability assessment",
|
|
1650
|
-
"risk-based prioritization",
|
|
1651
|
-
"patch deployment",
|
|
1652
|
-
"compensating controls",
|
|
1653
|
-
"remediation verification",
|
|
1654
|
-
"remediation tracking",
|
|
1655
|
-
"exception management"
|
|
1656
|
-
],
|
|
1657
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1658
|
-
"vulnerability management platforms",
|
|
1659
|
-
"automated remediation tools",
|
|
1660
|
-
"patch management integration",
|
|
1661
|
-
"remediation workflow systems",
|
|
1662
|
-
"risk assessment tools"
|
|
1663
|
-
],
|
|
1664
|
-
relatedSafeguards: ["7.1", "7.2", "7.3", "7.4", "7.5", "7.6"] },
|
|
1665
|
-
"8.1": {
|
|
1666
|
-
id: "8.1",
|
|
1667
|
-
title: "Establish and Maintain an Audit Log Management Process",
|
|
1668
|
-
description: "Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
1669
|
-
implementationGroup: "IG1",
|
|
1670
|
-
assetType: ["enterprise assets", "Data"],
|
|
1671
|
-
securityFunction: ["Govern"],
|
|
1672
|
-
governanceElements: [
|
|
1673
|
-
"establish and maintain",
|
|
1674
|
-
"documented audit log management process",
|
|
1675
|
-
"review and update documentation annually",
|
|
1676
|
-
"when significant enterprise changes occur that could impact this Safeguard"
|
|
1677
|
-
],
|
|
1678
|
-
coreRequirements: [
|
|
1679
|
-
"enterprise's logging requirements",
|
|
1680
|
-
"collection, review, and retention of audit logs",
|
|
1681
|
-
"enterprise assets"
|
|
1682
|
-
],
|
|
1683
|
-
subTaxonomicalElements: [
|
|
1684
|
-
"collection",
|
|
1685
|
-
"review",
|
|
1686
|
-
"retention",
|
|
1687
|
-
"annually",
|
|
1688
|
-
"minimum"
|
|
1689
|
-
],
|
|
1690
|
-
implementationSuggestions: [
|
|
1691
|
-
"log management policy/process",
|
|
1692
|
-
"documentation"
|
|
1693
|
-
],
|
|
1694
|
-
relatedSafeguards: ["8.2", "8.3", "8.5", "8.6", "8.7", "8.8", "8.9", "8.10", "8.11", "8.12"] },
|
|
1695
|
-
"8.2": {
|
|
1696
|
-
id: "8.2",
|
|
1697
|
-
title: "Collect Audit Logs",
|
|
1698
|
-
description: "Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.",
|
|
1699
|
-
implementationGroup: "IG1",
|
|
1700
|
-
assetType: ["enterprise assets", "Data"],
|
|
1701
|
-
securityFunction: ["Detect"],
|
|
1702
|
-
governanceElements: [
|
|
1703
|
-
"per the enterprise's audit log management process"
|
|
1704
|
-
],
|
|
1705
|
-
coreRequirements: [
|
|
1706
|
-
"collect audit logs",
|
|
1707
|
-
"logging enabled",
|
|
1708
|
-
"enterprise assets"
|
|
1709
|
-
],
|
|
1710
|
-
subTaxonomicalElements: [
|
|
1711
|
-
"enabled"
|
|
1712
|
-
],
|
|
1713
|
-
implementationSuggestions: [
|
|
1714
|
-
"log management tool",
|
|
1715
|
-
"OS dependent"
|
|
1716
|
-
],
|
|
1717
|
-
relatedSafeguards: ["8.1"] },
|
|
1718
|
-
"8.3": {
|
|
1719
|
-
id: "8.3",
|
|
1720
|
-
title: "Ensure Adequate Audit Log Storage",
|
|
1721
|
-
description: "Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.",
|
|
1722
|
-
implementationGroup: "IG1",
|
|
1723
|
-
assetType: ["Data"],
|
|
1724
|
-
securityFunction: ["Protect"],
|
|
1725
|
-
governanceElements: [
|
|
1726
|
-
"comply with the enterprise's audit log management process"
|
|
1727
|
-
],
|
|
1728
|
-
coreRequirements: [
|
|
1729
|
-
"logging destinations maintain adequate storage"
|
|
1730
|
-
],
|
|
1731
|
-
subTaxonomicalElements: [
|
|
1732
|
-
"adequate storage",
|
|
1733
|
-
"maintain",
|
|
1734
|
-
"comply",
|
|
1735
|
-
"logging destinations"
|
|
1736
|
-
],
|
|
1737
|
-
implementationSuggestions: [
|
|
1738
|
-
"log management tool",
|
|
1739
|
-
"potentially OS dependent"
|
|
1740
|
-
],
|
|
1741
|
-
relatedSafeguards: ["8.1", "8.9", "8.10"] },
|
|
1742
|
-
"8.4": {
|
|
1743
|
-
id: "8.4",
|
|
1744
|
-
title: "Standardize Time Synchronization",
|
|
1745
|
-
description: "Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.",
|
|
1746
|
-
implementationGroup: "IG2",
|
|
1747
|
-
assetType: ["enterprise assets", "Data"],
|
|
1748
|
-
securityFunction: ["Protect"],
|
|
1749
|
-
governanceElements: [
|
|
1750
|
-
"standardize time synchronization"
|
|
1751
|
-
],
|
|
1752
|
-
coreRequirements: [
|
|
1753
|
-
"configure at least two synchronized time sources",
|
|
1754
|
-
"enterprise assets",
|
|
1755
|
-
"where supported"
|
|
1756
|
-
],
|
|
1757
|
-
subTaxonomicalElements: [
|
|
1758
|
-
"at least two",
|
|
1759
|
-
"synchronized",
|
|
1760
|
-
"time sources",
|
|
1761
|
-
"where supported"
|
|
1762
|
-
],
|
|
1763
|
-
implementationSuggestions: [
|
|
1764
|
-
"secure configuration policy/process",
|
|
1765
|
-
"potentially OS dependent"
|
|
1766
|
-
],
|
|
1767
|
-
relatedSafeguards: ["4.1"] },
|
|
1768
|
-
"8.5": {
|
|
1769
|
-
id: "8.5",
|
|
1770
|
-
title: "Collect Detailed Audit Logs",
|
|
1771
|
-
description: "Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.",
|
|
1772
|
-
implementationGroup: "IG2",
|
|
1773
|
-
assetType: ["enterprise assets", "Data"],
|
|
1774
|
-
securityFunction: ["Detect"],
|
|
1775
|
-
governanceElements: [
|
|
1776
|
-
"configure detailed audit logging"
|
|
1777
|
-
],
|
|
1778
|
-
coreRequirements: [
|
|
1779
|
-
"enterprise assets containing sensitive data",
|
|
1780
|
-
"forensic investigation"
|
|
1781
|
-
],
|
|
1782
|
-
subTaxonomicalElements: [
|
|
1783
|
-
"event source",
|
|
1784
|
-
"date",
|
|
1785
|
-
"username",
|
|
1786
|
-
"timestamp",
|
|
1787
|
-
"source addresses",
|
|
1788
|
-
"destination addresses",
|
|
1789
|
-
"other useful elements"
|
|
1790
|
-
],
|
|
1791
|
-
implementationSuggestions: [
|
|
1792
|
-
"log management tool",
|
|
1793
|
-
"log management policy/process",
|
|
1794
|
-
"potentially OS dependent"
|
|
1795
|
-
],
|
|
1796
|
-
relatedSafeguards: ["8.1", "1.1", "3.2"] },
|
|
1797
|
-
"8.6": {
|
|
1798
|
-
id: "8.6",
|
|
1799
|
-
title: "Collect DNS Query Audit Logs",
|
|
1800
|
-
description: "Collect DNS query audit logs on enterprise assets, where appropriate and supported.",
|
|
1801
|
-
implementationGroup: "IG2",
|
|
1802
|
-
assetType: ["enterprise assets", "Data"],
|
|
1803
|
-
securityFunction: ["Detect"],
|
|
1804
|
-
governanceElements: [
|
|
1805
|
-
"where appropriate and supported"
|
|
1806
|
-
],
|
|
1807
|
-
coreRequirements: [
|
|
1808
|
-
"collect DNS query audit logs",
|
|
1809
|
-
"enterprise assets"
|
|
1810
|
-
],
|
|
1811
|
-
subTaxonomicalElements: [
|
|
1812
|
-
"DNS query logs",
|
|
1813
|
-
"where appropriate",
|
|
1814
|
-
"where supported"
|
|
1815
|
-
],
|
|
1816
|
-
implementationSuggestions: [
|
|
1817
|
-
"log management tool",
|
|
1818
|
-
"secure configuration policy/process",
|
|
1819
|
-
"potentially OS dependent"
|
|
1820
|
-
],
|
|
1821
|
-
relatedSafeguards: ["8.1", "4.9"] },
|
|
1822
|
-
"8.7": {
|
|
1823
|
-
id: "8.7",
|
|
1824
|
-
title: "Collect URL Request Audit Logs",
|
|
1825
|
-
description: "Collect URL request audit logs on enterprise assets, where appropriate and supported.",
|
|
1826
|
-
implementationGroup: "IG2",
|
|
1827
|
-
assetType: ["enterprise assets", "Data"],
|
|
1828
|
-
securityFunction: ["Detect"],
|
|
1829
|
-
governanceElements: [
|
|
1830
|
-
"where appropriate and supported"
|
|
1831
|
-
],
|
|
1832
|
-
coreRequirements: [
|
|
1833
|
-
"collect URL request audit logs",
|
|
1834
|
-
"enterprise assets"
|
|
1835
|
-
],
|
|
1836
|
-
subTaxonomicalElements: [
|
|
1837
|
-
"URL request audit logs",
|
|
1838
|
-
"where appropriate",
|
|
1839
|
-
"where supported"
|
|
1840
|
-
],
|
|
1841
|
-
implementationSuggestions: [
|
|
1842
|
-
"log management tool",
|
|
1843
|
-
"secure configuration policy/process",
|
|
1844
|
-
"potentially OS dependent"
|
|
1845
|
-
],
|
|
1846
|
-
relatedSafeguards: ["8.1"] },
|
|
1847
|
-
"8.8": {
|
|
1848
|
-
id: "8.8",
|
|
1849
|
-
title: "Collect Command-Line Audit Logs",
|
|
1850
|
-
description: "Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.",
|
|
1851
|
-
implementationGroup: "IG2",
|
|
1852
|
-
assetType: ["Data"],
|
|
1853
|
-
securityFunction: ["Detect"],
|
|
1854
|
-
governanceElements: [
|
|
1855
|
-
"collect command-line audit logs"
|
|
1856
|
-
],
|
|
1857
|
-
coreRequirements: [
|
|
1858
|
-
"command-line audit logs"
|
|
1859
|
-
],
|
|
1860
|
-
subTaxonomicalElements: [
|
|
1861
|
-
"PowerShell",
|
|
1862
|
-
"BASH",
|
|
1863
|
-
"remote administrative terminals"
|
|
1864
|
-
],
|
|
1865
|
-
implementationSuggestions: [
|
|
1866
|
-
"log management tool",
|
|
1867
|
-
"secure configuration policy/process",
|
|
1868
|
-
"OS dependent"
|
|
1869
|
-
],
|
|
1870
|
-
relatedSafeguards: ["8.1"] },
|
|
1871
|
-
"8.9": {
|
|
1872
|
-
id: "8.9",
|
|
1873
|
-
title: "Centralize Audit Logs",
|
|
1874
|
-
description: "Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources.",
|
|
1875
|
-
implementationGroup: "IG2",
|
|
1876
|
-
assetType: ["enterprise assets", "Data"],
|
|
1877
|
-
securityFunction: ["Detect"],
|
|
1878
|
-
governanceElements: [
|
|
1879
|
-
"in accordance with documented audit log management process",
|
|
1880
|
-
"to the extent possible"
|
|
1881
|
-
],
|
|
1882
|
-
coreRequirements: [
|
|
1883
|
-
"centralize audit log collection and retention",
|
|
1884
|
-
"enterprise assets"
|
|
1885
|
-
],
|
|
1886
|
-
subTaxonomicalElements: [
|
|
1887
|
-
"audit log collection",
|
|
1888
|
-
"audit log retention",
|
|
1889
|
-
"to the extent possible"
|
|
1890
|
-
],
|
|
1891
|
-
implementationSuggestions: [
|
|
1892
|
-
"SIEM tool",
|
|
1893
|
-
"log analytics and centralization tool",
|
|
1894
|
-
"OS dependent"
|
|
1895
|
-
],
|
|
1896
|
-
relatedSafeguards: ["8.1", "8.3", "12.5", "13.1"] },
|
|
1897
|
-
"8.10": {
|
|
1898
|
-
id: "8.10",
|
|
1899
|
-
title: "Retain Audit Logs",
|
|
1900
|
-
description: "Retain audit logs across enterprise assets for a minimum of 90 days.",
|
|
1901
|
-
implementationGroup: "IG2",
|
|
1902
|
-
assetType: ["enterprise assets", "Data"],
|
|
1903
|
-
securityFunction: ["Protect"],
|
|
1904
|
-
governanceElements: [
|
|
1905
|
-
"minimum of 90 days"
|
|
1906
|
-
],
|
|
1907
|
-
coreRequirements: [
|
|
1908
|
-
"retain audit logs",
|
|
1909
|
-
"enterprise assets"
|
|
1910
|
-
],
|
|
1911
|
-
subTaxonomicalElements: [
|
|
1912
|
-
"minimum of 90 days"
|
|
1913
|
-
],
|
|
1914
|
-
implementationSuggestions: [
|
|
1915
|
-
"log analytics and centralization tool"
|
|
1916
|
-
],
|
|
1917
|
-
relatedSafeguards: ["8.1", "8.3"] },
|
|
1918
|
-
"8.11": {
|
|
1919
|
-
id: "8.11",
|
|
1920
|
-
title: "Conduct Audit Log Reviews",
|
|
1921
|
-
description: "Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.",
|
|
1922
|
-
implementationGroup: "IG2",
|
|
1923
|
-
assetType: ["Data"],
|
|
1924
|
-
securityFunction: ["Detect"],
|
|
1925
|
-
governanceElements: [
|
|
1926
|
-
"conduct reviews on a weekly, or more frequent, basis"
|
|
1927
|
-
],
|
|
1928
|
-
coreRequirements: [
|
|
1929
|
-
"detect anomalies or abnormal events",
|
|
1930
|
-
"potential threat"
|
|
1931
|
-
],
|
|
1932
|
-
subTaxonomicalElements: [
|
|
1933
|
-
"weekly",
|
|
1934
|
-
"more frequent",
|
|
1935
|
-
"anomalies",
|
|
1936
|
-
"abnormal events"
|
|
1937
|
-
],
|
|
1938
|
-
implementationSuggestions: [
|
|
1939
|
-
"log analytics and centralization tool"
|
|
1940
|
-
],
|
|
1941
|
-
relatedSafeguards: ["8.1", "8.12"] },
|
|
1942
|
-
"8.12": {
|
|
1943
|
-
id: "8.12",
|
|
1944
|
-
title: "Collect Service Provider Logs",
|
|
1945
|
-
description: "Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.",
|
|
1946
|
-
implementationGroup: "IG3",
|
|
1947
|
-
assetType: ["Data"],
|
|
1948
|
-
securityFunction: ["Detect"],
|
|
1949
|
-
governanceElements: [
|
|
1950
|
-
"where supported"
|
|
1951
|
-
],
|
|
1952
|
-
coreRequirements: [
|
|
1953
|
-
"collect service provider logs"
|
|
1954
|
-
],
|
|
1955
|
-
subTaxonomicalElements: [
|
|
1956
|
-
"authentication events",
|
|
1957
|
-
"authorization events",
|
|
1958
|
-
"data creation events",
|
|
1959
|
-
"disposal events",
|
|
1960
|
-
"user management events"
|
|
1961
|
-
],
|
|
1962
|
-
implementationSuggestions: [
|
|
1963
|
-
"log analytics and centralization tool",
|
|
1964
|
-
"secure configuration policy/process"
|
|
1965
|
-
],
|
|
1966
|
-
relatedSafeguards: ["8.1", "8.11", "15.1"] },
|
|
1967
|
-
"9.1": {
|
|
1968
|
-
id: "9.1",
|
|
1969
|
-
title: "Ensure Use of Only Fully Supported Browsers and Email Clients",
|
|
1970
|
-
description: "Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor",
|
|
1971
|
-
implementationGroup: "IG1",
|
|
1972
|
-
assetType: ["Software"],
|
|
1973
|
-
securityFunction: ["Protect"],
|
|
1974
|
-
governanceElements: [ // Orange - MUST be met
|
|
1975
|
-
"ensure only fully supported browsers and email clients are allowed to execute",
|
|
1976
|
-
"only using the latest version provided through the vendor"
|
|
1977
|
-
],
|
|
1978
|
-
coreRequirements: [ // Green - The "what"
|
|
1979
|
-
"fully supported browsers only",
|
|
1980
|
-
"fully supported email clients only",
|
|
1981
|
-
"latest vendor versions only",
|
|
1982
|
-
"execution restriction enforcement"
|
|
1983
|
-
],
|
|
1984
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1985
|
-
"ensure only fully supported",
|
|
1986
|
-
"browsers and email clients",
|
|
1987
|
-
"are allowed to execute",
|
|
1988
|
-
"in the enterprise",
|
|
1989
|
-
"only using the latest version",
|
|
1990
|
-
"provided through the vendor"
|
|
1991
|
-
],
|
|
1992
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1993
|
-
"enterprise and software asset management tools",
|
|
1994
|
-
"application allowlisting",
|
|
1995
|
-
"software inventory systems",
|
|
1996
|
-
"automated patch management"
|
|
1997
|
-
],
|
|
1998
|
-
relatedSafeguards: ["2.1", "4.1", "7.4"] },
|
|
1999
|
-
"9.2": {
|
|
2000
|
-
id: "9.2",
|
|
2001
|
-
title: "Use DNS Filtering Services",
|
|
2002
|
-
description: "Use DNS filtering services on all end-user devices, including remote and on-premise assets, to block access to known malicious domains",
|
|
2003
|
-
implementationGroup: "IG1",
|
|
2004
|
-
assetType: ["Devices", "network"],
|
|
2005
|
-
securityFunction: ["Protect"],
|
|
2006
|
-
governanceElements: [ // Orange - MUST be met
|
|
2007
|
-
"use DNS filtering services on all end-user devices",
|
|
2008
|
-
"including remote and on-premise assets",
|
|
2009
|
-
"to block access to known malicious domains"
|
|
2010
|
-
],
|
|
2011
|
-
coreRequirements: [ // Green - The "what"
|
|
2012
|
-
"DNS filtering services deployment",
|
|
2013
|
-
"all end-user device coverage",
|
|
2014
|
-
"malicious domain blocking",
|
|
2015
|
-
"remote and on-premise asset inclusion"
|
|
2016
|
-
],
|
|
2017
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2018
|
-
"use DNS filtering services",
|
|
2019
|
-
"on all end-user devices",
|
|
2020
|
-
"including remote assets",
|
|
2021
|
-
"including on-premise assets",
|
|
2022
|
-
"to block access",
|
|
2023
|
-
"to known malicious domains"
|
|
2024
|
-
],
|
|
2025
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2026
|
-
"DNS filtering services",
|
|
2027
|
-
"secure DNS servers",
|
|
2028
|
-
"DNS security platforms",
|
|
2029
|
-
"cloud-based DNS filtering"
|
|
2030
|
-
],
|
|
2031
|
-
relatedSafeguards: ["4.1", "4.9"] },
|
|
2032
|
-
"9.3": {
|
|
2033
|
-
id: "9.3",
|
|
2034
|
-
title: "Maintain and Enforce Network-Based URL Filters",
|
|
2035
|
-
description: "Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets",
|
|
2036
|
-
implementationGroup: "IG2",
|
|
2037
|
-
assetType: ["network"],
|
|
2038
|
-
securityFunction: ["Protect"],
|
|
2039
|
-
governanceElements: [ // Orange - MUST be met
|
|
2040
|
-
"enforce and update network-based URL filters",
|
|
2041
|
-
"to limit enterprise asset from connecting to potentially malicious or unapproved websites",
|
|
2042
|
-
"enforce filters for all enterprise assets"
|
|
2043
|
-
],
|
|
2044
|
-
coreRequirements: [ // Green - The "what"
|
|
2045
|
-
"network-based URL filters",
|
|
2046
|
-
"enterprise asset connection limiting",
|
|
2047
|
-
"malicious website blocking",
|
|
2048
|
-
"unapproved website blocking"
|
|
2049
|
-
],
|
|
2050
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2051
|
-
"enforce network-based URL filters",
|
|
2052
|
-
"update network-based URL filters",
|
|
2053
|
-
"limit enterprise asset from connecting",
|
|
2054
|
-
"to potentially malicious websites",
|
|
2055
|
-
"to unapproved websites",
|
|
2056
|
-
"enforce filters for all enterprise assets"
|
|
2057
|
-
],
|
|
2058
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2059
|
-
"URL filtering tools",
|
|
2060
|
-
"category-based filtering",
|
|
2061
|
-
"reputation-based filtering",
|
|
2062
|
-
"block lists",
|
|
2063
|
-
"web content filtering"
|
|
2064
|
-
],
|
|
2065
|
-
relatedSafeguards: ["4.1"] },
|
|
2066
|
-
"9.4": {
|
|
2067
|
-
id: "9.4",
|
|
2068
|
-
title: "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions",
|
|
2069
|
-
description: "Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
|
|
2070
|
-
implementationGroup: "IG2",
|
|
2071
|
-
assetType: ["Software"],
|
|
2072
|
-
securityFunction: ["Protect"],
|
|
2073
|
-
governanceElements: [ // Orange - MUST be met
|
|
2074
|
-
"restrict unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
|
|
2075
|
-
"either through uninstalling or disabling"
|
|
2076
|
-
],
|
|
2077
|
-
coreRequirements: [ // Green - The "what"
|
|
2078
|
-
"browser plugin restrictions",
|
|
2079
|
-
"email client plugin restrictions",
|
|
2080
|
-
"browser extension restrictions",
|
|
2081
|
-
"add-on application restrictions"
|
|
2082
|
-
],
|
|
2083
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2084
|
-
"restrict through uninstalling or disabling",
|
|
2085
|
-
"unauthorized browser plugins",
|
|
2086
|
-
"unnecessary browser plugins",
|
|
2087
|
-
"unauthorized email client plugins",
|
|
2088
|
-
"unnecessary email client plugins",
|
|
2089
|
-
"unauthorized browser extensions",
|
|
2090
|
-
"unnecessary browser extensions",
|
|
2091
|
-
"unauthorized add-on applications",
|
|
2092
|
-
"unnecessary add-on applications"
|
|
2093
|
-
],
|
|
2094
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2095
|
-
"configuration management tools",
|
|
2096
|
-
"browser management systems",
|
|
2097
|
-
"application control policies",
|
|
2098
|
-
"extension management platforms"
|
|
2099
|
-
],
|
|
2100
|
-
relatedSafeguards: ["4.1"] },
|
|
2101
|
-
"9.5": {
|
|
2102
|
-
id: "9.5",
|
|
2103
|
-
title: "Implement DMARC",
|
|
2104
|
-
description: "To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards",
|
|
2105
|
-
implementationGroup: "IG2",
|
|
2106
|
-
assetType: ["network"],
|
|
2107
|
-
securityFunction: ["Protect"],
|
|
2108
|
-
governanceElements: [ // Orange - MUST be met
|
|
2109
|
-
"implement DMARC policy and verification",
|
|
2110
|
-
"to lower the chance of spoofed or modified emails from valid domains",
|
|
2111
|
-
"starting with implementing SPF and DKIM standards"
|
|
2112
|
-
],
|
|
2113
|
-
coreRequirements: [ // Green - The "what"
|
|
2114
|
-
"DMARC policy implementation",
|
|
2115
|
-
"DMARC verification implementation",
|
|
2116
|
-
"SPF standard implementation",
|
|
2117
|
-
"DKIM standard implementation"
|
|
2118
|
-
],
|
|
2119
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2120
|
-
"implement DMARC policy",
|
|
2121
|
-
"implement DMARC verification",
|
|
2122
|
-
"to lower the chance of spoofed emails",
|
|
2123
|
-
"to lower the chance of modified emails",
|
|
2124
|
-
"from valid domains",
|
|
2125
|
-
"starting with implementing SPF",
|
|
2126
|
-
"starting with implementing DKIM",
|
|
2127
|
-
"Sender Policy Framework standards",
|
|
2128
|
-
"DomainKeys Identified Mail standards"
|
|
2129
|
-
],
|
|
2130
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2131
|
-
"DMARC management tools",
|
|
2132
|
-
"email authentication services",
|
|
2133
|
-
"SPF record management",
|
|
2134
|
-
"DKIM signature management"
|
|
2135
|
-
],
|
|
2136
|
-
relatedSafeguards: ["4.1"] },
|
|
2137
|
-
"9.6": {
|
|
2138
|
-
id: "9.6",
|
|
2139
|
-
title: "Block Unnecessary File Types",
|
|
2140
|
-
description: "Block unnecessary file types attempting to enter the enterprise's email gateway",
|
|
2141
|
-
implementationGroup: "IG2",
|
|
2142
|
-
assetType: ["network"],
|
|
2143
|
-
securityFunction: ["Protect"],
|
|
2144
|
-
governanceElements: [ // Orange - MUST be met
|
|
2145
|
-
"block unnecessary file types attempting to enter the enterprise's email gateway"
|
|
2146
|
-
],
|
|
2147
|
-
coreRequirements: [ // Green - The "what"
|
|
2148
|
-
"unnecessary file type blocking",
|
|
2149
|
-
"email gateway protection",
|
|
2150
|
-
"file type filtering"
|
|
2151
|
-
],
|
|
2152
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2153
|
-
"block unnecessary file types",
|
|
2154
|
-
"attempting to enter",
|
|
2155
|
-
"the enterprise's email gateway"
|
|
2156
|
-
],
|
|
2157
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2158
|
-
"email security tools",
|
|
2159
|
-
"email gateway filtering",
|
|
2160
|
-
"file type blocking systems",
|
|
2161
|
-
"email content filtering"
|
|
2162
|
-
],
|
|
2163
|
-
relatedSafeguards: ["4.1"] },
|
|
2164
|
-
"9.7": {
|
|
2165
|
-
id: "9.7",
|
|
2166
|
-
title: "Deploy and Maintain Email Server Anti-Malware Protections",
|
|
2167
|
-
description: "Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing",
|
|
2168
|
-
implementationGroup: "IG1",
|
|
2169
|
-
assetType: ["network"],
|
|
2170
|
-
securityFunction: ["Protect"],
|
|
2171
|
-
governanceElements: [ // Orange - MUST be met
|
|
2172
|
-
"deploy and maintain email server anti-malware protections",
|
|
2173
|
-
"such as attachment scanning and/or sandboxing"
|
|
2174
|
-
],
|
|
2175
|
-
coreRequirements: [ // Green - The "what"
|
|
2176
|
-
"email server anti-malware protections",
|
|
2177
|
-
"attachment scanning capabilities",
|
|
2178
|
-
"sandboxing capabilities",
|
|
2179
|
-
"deployment and maintenance"
|
|
2180
|
-
],
|
|
2181
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2182
|
-
"deploy email server anti-malware protections",
|
|
2183
|
-
"maintain email server anti-malware protections",
|
|
2184
|
-
"such as attachment scanning",
|
|
2185
|
-
"such as sandboxing",
|
|
2186
|
-
"attachment scanning and/or sandboxing"
|
|
2187
|
-
],
|
|
2188
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2189
|
-
"email security tools",
|
|
2190
|
-
"anti-malware platforms",
|
|
2191
|
-
"attachment scanning systems",
|
|
2192
|
-
"email sandboxing solutions"
|
|
2193
|
-
],
|
|
2194
|
-
relatedSafeguards: ["4.1", "10.1"] },
|
|
2195
|
-
"10.1": {
|
|
2196
|
-
id: "10.1",
|
|
2197
|
-
title: "Deploy and Maintain Anti-Malware Software",
|
|
2198
|
-
description: "Deploy and maintain anti-malware software on all enterprise assets",
|
|
2199
|
-
implementationGroup: "IG1",
|
|
2200
|
-
assetType: ["Devices"],
|
|
2201
|
-
securityFunction: ["Detect"],
|
|
2202
|
-
governanceElements: [ // Orange - MUST be met
|
|
2203
|
-
"deploy anti-malware software",
|
|
2204
|
-
"maintain anti-malware software",
|
|
2205
|
-
"all enterprise assets coverage",
|
|
2206
|
-
"anti-malware software management"
|
|
2207
|
-
],
|
|
2208
|
-
coreRequirements: [ // Green - The "what"
|
|
2209
|
-
"anti-malware software deployment",
|
|
2210
|
-
"anti-malware software maintenance",
|
|
2211
|
-
"enterprise assets protection",
|
|
2212
|
-
"malware detection capabilities"
|
|
2213
|
-
],
|
|
2214
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2215
|
-
"deploy",
|
|
2216
|
-
"maintain",
|
|
2217
|
-
"anti-malware software",
|
|
2218
|
-
"all enterprise assets"
|
|
2219
|
-
],
|
|
2220
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2221
|
-
"endpoint protection platforms",
|
|
2222
|
-
"anti-virus solutions",
|
|
2223
|
-
"endpoint detection and response",
|
|
2224
|
-
"malware protection tools",
|
|
2225
|
-
"security software management"
|
|
2226
|
-
],
|
|
2227
|
-
relatedSafeguards: ["4.1", "10.2", "10.4", "10.6", "10.7", "13.5"] },
|
|
2228
|
-
"10.2": {
|
|
2229
|
-
id: "10.2",
|
|
2230
|
-
title: "Configure Automatic Anti-Malware Signature Updates",
|
|
2231
|
-
description: "Configure automatic updates for anti-malware signature files on all enterprise assets",
|
|
2232
|
-
implementationGroup: "IG1",
|
|
2233
|
-
assetType: ["Devices"],
|
|
2234
|
-
securityFunction: ["Protect"],
|
|
2235
|
-
governanceElements: [ // Orange - MUST be met
|
|
2236
|
-
"configure automatic updates",
|
|
2237
|
-
"anti-malware signature files",
|
|
2238
|
-
"all enterprise assets coverage",
|
|
2239
|
-
"signature update management"
|
|
2240
|
-
],
|
|
2241
|
-
coreRequirements: [ // Green - The "what"
|
|
2242
|
-
"automatic updates configuration",
|
|
2243
|
-
"anti-malware signature files",
|
|
2244
|
-
"enterprise assets coverage"
|
|
2245
|
-
],
|
|
2246
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2247
|
-
"configure",
|
|
2248
|
-
"automatic updates",
|
|
2249
|
-
"anti-malware signature files",
|
|
2250
|
-
"all enterprise assets"
|
|
2251
|
-
],
|
|
2252
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2253
|
-
"anti-malware software can auto update potentially"
|
|
2254
|
-
],
|
|
2255
|
-
relatedSafeguards: ["10.1"] },
|
|
2256
|
-
"10.3": {
|
|
2257
|
-
id: "10.3",
|
|
2258
|
-
title: "Disable Autorun and Autoplay for Removable Media",
|
|
2259
|
-
description: "Disable autorun and autoplay auto-execute functionality for removable media",
|
|
2260
|
-
implementationGroup: "IG1",
|
|
2261
|
-
assetType: ["Devices"],
|
|
2262
|
-
securityFunction: ["Protect"],
|
|
2263
|
-
governanceElements: [ // Orange - MUST be met
|
|
2264
|
-
"disable autorun functionality",
|
|
2265
|
-
"disable autoplay functionality",
|
|
2266
|
-
"auto-execute prevention",
|
|
2267
|
-
"removable media security"
|
|
2268
|
-
],
|
|
2269
|
-
coreRequirements: [ // Green - The "what"
|
|
2270
|
-
"autorun disabling",
|
|
2271
|
-
"autoplay disabling",
|
|
2272
|
-
"auto-execute prevention",
|
|
2273
|
-
"removable media protection"
|
|
2274
|
-
],
|
|
2275
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2276
|
-
"disable",
|
|
2277
|
-
"autorun",
|
|
2278
|
-
"autoplay",
|
|
2279
|
-
"auto-execute functionality",
|
|
2280
|
-
"removable media"
|
|
2281
|
-
],
|
|
2282
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2283
|
-
"group policy settings",
|
|
2284
|
-
"registry modifications",
|
|
2285
|
-
"configuration management tools",
|
|
2286
|
-
"secure configuration policy/process"
|
|
2287
|
-
],
|
|
2288
|
-
relatedSafeguards: ["4.1"] },
|
|
2289
|
-
"10.4": {
|
|
2290
|
-
id: "10.4",
|
|
2291
|
-
title: "Configure Automatic Anti-Malware Scanning of Removable Media",
|
|
2292
|
-
description: "Configure anti-malware software to automatically scan removable media",
|
|
2293
|
-
implementationGroup: "IG2",
|
|
2294
|
-
assetType: ["Devices"],
|
|
2295
|
-
securityFunction: ["Detect"],
|
|
2296
|
-
governanceElements: [ // Orange - MUST be met
|
|
2297
|
-
"configure anti-malware software",
|
|
2298
|
-
"automatic scanning configuration",
|
|
2299
|
-
"removable media scanning",
|
|
2300
|
-
"scanning policy management"
|
|
2301
|
-
],
|
|
2302
|
-
coreRequirements: [ // Green - The "what"
|
|
2303
|
-
"anti-malware software configuration",
|
|
2304
|
-
"automatic scanning",
|
|
2305
|
-
"removable media protection",
|
|
2306
|
-
"malware detection on media"
|
|
2307
|
-
],
|
|
2308
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2309
|
-
"configure",
|
|
2310
|
-
"anti-malware software",
|
|
2311
|
-
"automatically scan",
|
|
2312
|
-
"removable media"
|
|
2313
|
-
],
|
|
2314
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2315
|
-
"anti-malware software configuration policy/process",
|
|
2316
|
-
"endpoint scanning policies",
|
|
2317
|
-
"media scanning tools",
|
|
2318
|
-
"automated threat detection"
|
|
2319
|
-
],
|
|
2320
|
-
relatedSafeguards: ["10.1"] },
|
|
2321
|
-
"10.5": {
|
|
2322
|
-
id: "10.5",
|
|
2323
|
-
title: "Enable Anti-Exploitation Features",
|
|
2324
|
-
description: "Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™",
|
|
2325
|
-
implementationGroup: "IG2",
|
|
2326
|
-
assetType: ["Devices"],
|
|
2327
|
-
securityFunction: ["Protect"],
|
|
2328
|
-
governanceElements: [ // Orange - MUST be met
|
|
2329
|
-
"enable anti-exploitation features",
|
|
2330
|
-
"enterprise assets coverage",
|
|
2331
|
-
"software protection",
|
|
2332
|
-
"where possible implementation"
|
|
2333
|
-
],
|
|
2334
|
-
coreRequirements: [ // Green - The "what"
|
|
2335
|
-
"anti-exploitation features",
|
|
2336
|
-
"enterprise assets protection",
|
|
2337
|
-
"software security",
|
|
2338
|
-
"exploit prevention"
|
|
2339
|
-
],
|
|
2340
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2341
|
-
"enable",
|
|
2342
|
-
"anti-exploitation features",
|
|
2343
|
-
"enterprise assets",
|
|
2344
|
-
"software",
|
|
2345
|
-
"where possible"
|
|
2346
|
-
],
|
|
2347
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2348
|
-
"Microsoft® Data Execution Prevention (DEP)",
|
|
2349
|
-
"Windows® Defender Exploit Guard (WDEG)",
|
|
2350
|
-
"Apple® System Integrity Protection (SIP)",
|
|
2351
|
-
"Gatekeeper™",
|
|
2352
|
-
"configuration management tool"
|
|
2353
|
-
],
|
|
2354
|
-
relatedSafeguards: ["4.1"] },
|
|
2355
|
-
"10.6": {
|
|
2356
|
-
id: "10.6",
|
|
2357
|
-
title: "Centrally Manage Anti-Malware Software",
|
|
2358
|
-
description: "Centrally manage anti-malware software",
|
|
2359
|
-
implementationGroup: "IG2",
|
|
2360
|
-
assetType: ["Devices"],
|
|
2361
|
-
securityFunction: ["Protect"],
|
|
2362
|
-
governanceElements: [ // Orange - MUST be met
|
|
2363
|
-
"centrally manage anti-malware",
|
|
2364
|
-
"centralized management process",
|
|
2365
|
-
"anti-malware software governance",
|
|
2366
|
-
"management infrastructure"
|
|
2367
|
-
],
|
|
2368
|
-
coreRequirements: [ // Green - The "what"
|
|
2369
|
-
"centralized management",
|
|
2370
|
-
"anti-malware software",
|
|
2371
|
-
"management capabilities",
|
|
2372
|
-
"centralized control"
|
|
2373
|
-
],
|
|
2374
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2375
|
-
"centrally manage",
|
|
2376
|
-
"anti-malware software"
|
|
2377
|
-
],
|
|
2378
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2379
|
-
"anti-malware software configuration policy/process",
|
|
2380
|
-
"centralized management platforms",
|
|
2381
|
-
"security management consoles",
|
|
2382
|
-
"enterprise security tools"
|
|
2383
|
-
],
|
|
2384
|
-
relatedSafeguards: ["10.1"] },
|
|
2385
|
-
"10.7": {
|
|
2386
|
-
id: "10.7",
|
|
2387
|
-
title: "Use Behavior-Based Anti-Malware Software",
|
|
2388
|
-
description: "Use behavior-based anti-malware software",
|
|
2389
|
-
implementationGroup: "IG2",
|
|
2390
|
-
assetType: ["Devices"],
|
|
2391
|
-
securityFunction: ["Detect"],
|
|
2392
|
-
governanceElements: [ // Orange - MUST be met
|
|
2393
|
-
"use behavior-based anti-malware",
|
|
2394
|
-
"behavioral analysis implementation",
|
|
2395
|
-
"advanced threat detection",
|
|
2396
|
-
"behavior-based protection"
|
|
2397
|
-
],
|
|
2398
|
-
coreRequirements: [ // Green - The "what"
|
|
2399
|
-
"behavior-based anti-malware software",
|
|
2400
|
-
"behavioral analysis",
|
|
2401
|
-
"advanced malware detection",
|
|
2402
|
-
"dynamic threat identification"
|
|
2403
|
-
],
|
|
2404
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2405
|
-
"use",
|
|
2406
|
-
"behavior-based",
|
|
2407
|
-
"anti-malware software"
|
|
2408
|
-
],
|
|
2409
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2410
|
-
"anti-malware software configuration policy/process",
|
|
2411
|
-
"behavioral analysis tools",
|
|
2412
|
-
"advanced endpoint detection",
|
|
2413
|
-
"machine learning security"
|
|
2414
|
-
],
|
|
2415
|
-
relatedSafeguards: ["10.1"] },
|
|
2416
|
-
"11.1": {
|
|
2417
|
-
id: "11.1",
|
|
2418
|
-
title: "Establish and Maintain a Data Recovery Process",
|
|
2419
|
-
description: "Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
2420
|
-
implementationGroup: "IG1",
|
|
2421
|
-
assetType: ["Data"],
|
|
2422
|
-
securityFunction: ["Govern"],
|
|
2423
|
-
governanceElements: [ // Orange - MUST be met
|
|
2424
|
-
"establish documented data recovery process",
|
|
2425
|
-
"maintain documented data recovery process",
|
|
2426
|
-
"review and update documentation annually",
|
|
2427
|
-
"when significant enterprise changes occur that could impact this Safeguard"
|
|
2428
|
-
],
|
|
2429
|
-
coreRequirements: [ // Green - The "what"
|
|
2430
|
-
"documented data recovery process",
|
|
2431
|
-
"scope of data recovery activities",
|
|
2432
|
-
"recovery prioritization",
|
|
2433
|
-
"security of backup data"
|
|
2434
|
-
],
|
|
2435
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2436
|
-
"establish",
|
|
2437
|
-
"maintain",
|
|
2438
|
-
"documented data recovery process",
|
|
2439
|
-
"scope of data recovery activities",
|
|
2440
|
-
"recovery prioritization",
|
|
2441
|
-
"security of backup data",
|
|
2442
|
-
"review and update documentation",
|
|
2443
|
-
"annually",
|
|
2444
|
-
"when significant enterprise changes occur"
|
|
2445
|
-
],
|
|
2446
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2447
|
-
"data recovery policy/process",
|
|
2448
|
-
"business continuity documentation",
|
|
2449
|
-
"recovery procedures manual",
|
|
2450
|
-
"backup and recovery strategy"
|
|
2451
|
-
],
|
|
2452
|
-
relatedSafeguards: ["3.2", "3.4", "3.5", "3.8", "11.2", "11.3", "11.4", "11.5"] },
|
|
2453
|
-
"11.2": {
|
|
2454
|
-
id: "11.2",
|
|
2455
|
-
title: "Perform Automated Backups",
|
|
2456
|
-
description: "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data",
|
|
2457
|
-
implementationGroup: "IG1",
|
|
2458
|
-
assetType: ["Data"],
|
|
2459
|
-
securityFunction: ["Recover"],
|
|
2460
|
-
governanceElements: [ // Orange - MUST be met
|
|
2461
|
-
"perform automated backups",
|
|
2462
|
-
"in-scope enterprise assets",
|
|
2463
|
-
"run backups weekly or more frequently",
|
|
2464
|
-
"based on sensitivity of data"
|
|
2465
|
-
],
|
|
2466
|
-
coreRequirements: [ // Green - The "what"
|
|
2467
|
-
"automated backups",
|
|
2468
|
-
"in-scope enterprise assets",
|
|
2469
|
-
"backup frequency requirements",
|
|
2470
|
-
"data sensitivity considerations"
|
|
2471
|
-
],
|
|
2472
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2473
|
-
"perform",
|
|
2474
|
-
"automated backups",
|
|
2475
|
-
"in-scope enterprise assets",
|
|
2476
|
-
"run backups",
|
|
2477
|
-
"weekly",
|
|
2478
|
-
"more frequently",
|
|
2479
|
-
"based on sensitivity of the data"
|
|
2480
|
-
],
|
|
2481
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2482
|
-
"data backup and recovery tool",
|
|
2483
|
-
"automated backup systems",
|
|
2484
|
-
"backup scheduling software",
|
|
2485
|
-
"enterprise backup solutions"
|
|
2486
|
-
],
|
|
2487
|
-
relatedSafeguards: ["1.1", "2.1", "11.1"] },
|
|
2488
|
-
"11.3": {
|
|
2489
|
-
id: "11.3",
|
|
2490
|
-
title: "Protect Recovery Data",
|
|
2491
|
-
description: "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements",
|
|
2492
|
-
implementationGroup: "IG1",
|
|
2493
|
-
assetType: ["Data"],
|
|
2494
|
-
securityFunction: ["Protect"],
|
|
2495
|
-
governanceElements: [ // Orange - MUST be met
|
|
2496
|
-
"protect recovery data",
|
|
2497
|
-
"equivalent controls to original data",
|
|
2498
|
-
"reference encryption or data separation",
|
|
2499
|
-
"based on requirements"
|
|
2500
|
-
],
|
|
2501
|
-
coreRequirements: [ // Green - The "what"
|
|
2502
|
-
"recovery data protection",
|
|
2503
|
-
"equivalent controls",
|
|
2504
|
-
"original data protection parity",
|
|
2505
|
-
"requirements-based implementation"
|
|
2506
|
-
],
|
|
2507
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2508
|
-
"protect",
|
|
2509
|
-
"recovery data",
|
|
2510
|
-
"equivalent controls to the original data",
|
|
2511
|
-
"reference encryption",
|
|
2512
|
-
"data separation",
|
|
2513
|
-
"based on requirements"
|
|
2514
|
-
],
|
|
2515
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2516
|
-
"data backup and recovery tool",
|
|
2517
|
-
"backup encryption systems",
|
|
2518
|
-
"secure backup storage",
|
|
2519
|
-
"data separation technologies"
|
|
2520
|
-
],
|
|
2521
|
-
relatedSafeguards: ["3.3", "3.10", "3.11", "11.1"] },
|
|
2522
|
-
"11.4": {
|
|
2523
|
-
id: "11.4",
|
|
2524
|
-
title: "Establish and Maintain an Isolated Instance of Recovery Data",
|
|
2525
|
-
description: "Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services",
|
|
2526
|
-
implementationGroup: "IG1",
|
|
2527
|
-
assetType: ["Data"],
|
|
2528
|
-
securityFunction: ["Recover"],
|
|
2529
|
-
governanceElements: [ // Orange - MUST be met
|
|
2530
|
-
"establish isolated instance of recovery data",
|
|
2531
|
-
"maintain isolated instance of recovery data",
|
|
2532
|
-
"version controlling backup destinations",
|
|
2533
|
-
"example implementations include offline, cloud, or off-site systems or services"
|
|
2534
|
-
],
|
|
2535
|
-
coreRequirements: [ // Green - The "what"
|
|
2536
|
-
"isolated instance of recovery data",
|
|
2537
|
-
"backup destination control",
|
|
2538
|
-
"recovery data isolation",
|
|
2539
|
-
"implementation flexibility"
|
|
2540
|
-
],
|
|
2541
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2542
|
-
"establish",
|
|
2543
|
-
"maintain",
|
|
2544
|
-
"isolated instance of recovery data",
|
|
2545
|
-
"version controlling backup destinations",
|
|
2546
|
-
"offline",
|
|
2547
|
-
"cloud",
|
|
2548
|
-
"off-site systems",
|
|
2549
|
-
"services"
|
|
2550
|
-
],
|
|
2551
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2552
|
-
"data backup and recovery tool",
|
|
2553
|
-
"offline backup systems",
|
|
2554
|
-
"cloud backup services",
|
|
2555
|
-
"off-site storage solutions",
|
|
2556
|
-
"version controlling backup destinations"
|
|
2557
|
-
],
|
|
2558
|
-
relatedSafeguards: ["11.1"] },
|
|
2559
|
-
"11.5": {
|
|
2560
|
-
id: "11.5",
|
|
2561
|
-
title: "Test Data Recovery",
|
|
2562
|
-
description: "Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets",
|
|
2563
|
-
implementationGroup: "IG2",
|
|
2564
|
-
assetType: ["Data"],
|
|
2565
|
-
securityFunction: ["Recover"],
|
|
2566
|
-
governanceElements: [ // Orange - MUST be met
|
|
2567
|
-
"test backup recovery quarterly or more frequently",
|
|
2568
|
-
"sampling of in-scope enterprise assets",
|
|
2569
|
-
"recovery testing requirements",
|
|
2570
|
-
"testing frequency management"
|
|
2571
|
-
],
|
|
2572
|
-
coreRequirements: [ // Green - The "what"
|
|
2573
|
-
"backup recovery testing",
|
|
2574
|
-
"quarterly testing frequency",
|
|
2575
|
-
"in-scope enterprise assets sampling",
|
|
2576
|
-
"recovery validation"
|
|
2577
|
-
],
|
|
2578
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2579
|
-
"test backup recovery",
|
|
2580
|
-
"quarterly",
|
|
2581
|
-
"more frequently",
|
|
2582
|
-
"sampling",
|
|
2583
|
-
"in-scope enterprise assets"
|
|
2584
|
-
],
|
|
2585
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2586
|
-
"data recovery policy/process",
|
|
2587
|
-
"data backup and recovery tool",
|
|
2588
|
-
"recovery testing procedures",
|
|
2589
|
-
"backup validation systems"
|
|
2590
|
-
],
|
|
2591
|
-
relatedSafeguards: ["11.1"] },
|
|
2592
|
-
"12.1": {
|
|
2593
|
-
id: "12.1",
|
|
2594
|
-
title: "Ensure Network Infrastructure is Up-to-Date",
|
|
2595
|
-
description: "Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support",
|
|
2596
|
-
implementationGroup: "IG1",
|
|
2597
|
-
assetType: ["network"],
|
|
2598
|
-
securityFunction: ["Protect"],
|
|
2599
|
-
governanceElements: [ // Orange - MUST be met
|
|
2600
|
-
"ensure network infrastructure is kept up-to-date",
|
|
2601
|
-
"review software versions monthly or more frequently",
|
|
2602
|
-
"verify software support",
|
|
2603
|
-
"network infrastructure maintenance"
|
|
2604
|
-
],
|
|
2605
|
-
coreRequirements: [ // Green - The "what"
|
|
2606
|
-
"network infrastructure up-to-date",
|
|
2607
|
-
"latest stable release of software",
|
|
2608
|
-
"currently supported network-as-a-service offerings",
|
|
2609
|
-
"software version review"
|
|
2610
|
-
],
|
|
2611
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2612
|
-
"ensure",
|
|
2613
|
-
"network infrastructure is kept up-to-date",
|
|
2614
|
-
"running the latest stable release of software",
|
|
2615
|
-
"using currently supported network-as-a-service (NaaS) offerings",
|
|
2616
|
-
"review software versions",
|
|
2617
|
-
"monthly",
|
|
2618
|
-
"more frequently",
|
|
2619
|
-
"verify software support"
|
|
2620
|
-
],
|
|
2621
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2622
|
-
"enterprise and software asset management tool",
|
|
2623
|
-
"network management systems",
|
|
2624
|
-
"automated patching tools",
|
|
2625
|
-
"network-as-a-service platforms"
|
|
2626
|
-
],
|
|
2627
|
-
relatedSafeguards: ["4.2", "7.3"] },
|
|
2628
|
-
"12.2": {
|
|
2629
|
-
id: "12.2",
|
|
2630
|
-
title: "Establish and Maintain a Secure Network Architecture",
|
|
2631
|
-
description: "Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components",
|
|
2632
|
-
implementationGroup: "IG2",
|
|
2633
|
-
assetType: ["network"],
|
|
2634
|
-
securityFunction: ["Protect"],
|
|
2635
|
-
governanceElements: [ // Orange - MUST be met
|
|
2636
|
-
"design secure network architecture",
|
|
2637
|
-
"maintain secure network architecture",
|
|
2638
|
-
"must address segmentation, least privilege, and availability at minimum",
|
|
2639
|
-
"secure network architecture requirements"
|
|
2640
|
-
],
|
|
2641
|
-
coreRequirements: [ // Green - The "what"
|
|
2642
|
-
"secure network architecture",
|
|
2643
|
-
"segmentation",
|
|
2644
|
-
"least privilege (POLP)",
|
|
2645
|
-
"availability"
|
|
2646
|
-
],
|
|
2647
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2648
|
-
"design",
|
|
2649
|
-
"maintain",
|
|
2650
|
-
"secure network architecture",
|
|
2651
|
-
"must address",
|
|
2652
|
-
"segmentation",
|
|
2653
|
-
"least privilege",
|
|
2654
|
-
"availability",
|
|
2655
|
-
"at a minimum"
|
|
2656
|
-
],
|
|
2657
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2658
|
-
"secure network management and design policy/process",
|
|
2659
|
-
"documentation",
|
|
2660
|
-
"policy",
|
|
2661
|
-
"design components",
|
|
2662
|
-
"network architecture tools"
|
|
2663
|
-
],
|
|
2664
|
-
relatedSafeguards: ["3.3", "3.10", "4.2", "12.4", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"] },
|
|
2665
|
-
"12.3": {
|
|
2666
|
-
id: "12.3",
|
|
2667
|
-
title: "Securely Manage Network Infrastructure",
|
|
2668
|
-
description: "Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as code, and the use of secure network protocols, such as SSH and HTTPS",
|
|
2669
|
-
implementationGroup: "IG2",
|
|
2670
|
-
assetType: ["network"],
|
|
2671
|
-
securityFunction: ["Protect"],
|
|
2672
|
-
governanceElements: [ // Orange - MUST be met
|
|
2673
|
-
"securely manage network infrastructure",
|
|
2674
|
-
"secure network protocols usage",
|
|
2675
|
-
"infrastructure security management",
|
|
2676
|
-
"secure management practices"
|
|
2677
|
-
],
|
|
2678
|
-
coreRequirements: [ // Green - The "what"
|
|
2679
|
-
"secure network management",
|
|
2680
|
-
"version-controlled infrastructure-as-code",
|
|
2681
|
-
"secure network protocols",
|
|
2682
|
-
"infrastructure security"
|
|
2683
|
-
],
|
|
2684
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2685
|
-
"securely manage",
|
|
2686
|
-
"network infrastructure",
|
|
2687
|
-
"version-controlled infrastructure-as-code",
|
|
2688
|
-
"use of secure network protocols",
|
|
2689
|
-
"SSH",
|
|
2690
|
-
"HTTPS"
|
|
2691
|
-
],
|
|
2692
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2693
|
-
"secure network management and design policy/process",
|
|
2694
|
-
"network management and monitoring tool",
|
|
2695
|
-
"infrastructure-as-code platforms",
|
|
2696
|
-
"secure protocol implementations"
|
|
2697
|
-
],
|
|
2698
|
-
relatedSafeguards: ["4.2", "12.6"] },
|
|
2699
|
-
"12.4": {
|
|
2700
|
-
id: "12.4",
|
|
2701
|
-
title: "Establish and Maintain Architecture Diagram(s)",
|
|
2702
|
-
description: "Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
2703
|
-
implementationGroup: "IG2",
|
|
2704
|
-
assetType: ["documentation"],
|
|
2705
|
-
securityFunction: ["Govern"],
|
|
2706
|
-
governanceElements: [ // Orange - MUST be met
|
|
2707
|
-
"establish architecture diagrams",
|
|
2708
|
-
"maintain architecture diagrams",
|
|
2709
|
-
"review and update documentation annually",
|
|
2710
|
-
"when significant enterprise changes occur that could impact this Safeguard"
|
|
2711
|
-
],
|
|
2712
|
-
coreRequirements: [ // Green - The "what"
|
|
2713
|
-
"architecture diagrams",
|
|
2714
|
-
"network system documentation",
|
|
2715
|
-
"documentation review and updates",
|
|
2716
|
-
"enterprise change management"
|
|
2717
|
-
],
|
|
2718
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2719
|
-
"establish",
|
|
2720
|
-
"maintain",
|
|
2721
|
-
"architecture diagrams",
|
|
2722
|
-
"other network system documentation",
|
|
2723
|
-
"review and update documentation",
|
|
2724
|
-
"annually",
|
|
2725
|
-
"when significant enterprise changes occur"
|
|
2726
|
-
],
|
|
2727
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2728
|
-
"secure network management and design policy/process",
|
|
2729
|
-
"network architecture diagramming tool",
|
|
2730
|
-
"documentation management systems",
|
|
2731
|
-
"architecture visualization tools"
|
|
2732
|
-
],
|
|
2733
|
-
relatedSafeguards: ["3.8", "4.2", "12.2"] },
|
|
2734
|
-
"12.5": {
|
|
2735
|
-
id: "12.5",
|
|
2736
|
-
title: "Centralize Network Authentication, Authorization, and Auditing (AAA)",
|
|
2737
|
-
description: "Centralize network AAA",
|
|
2738
|
-
implementationGroup: "IG2",
|
|
2739
|
-
assetType: ["network"],
|
|
2740
|
-
securityFunction: ["Protect"],
|
|
2741
|
-
governanceElements: [ // Orange - MUST be met
|
|
2742
|
-
"centralize network AAA",
|
|
2743
|
-
"network authentication centralization",
|
|
2744
|
-
"network authorization centralization",
|
|
2745
|
-
"network auditing centralization"
|
|
2746
|
-
],
|
|
2747
|
-
coreRequirements: [ // Green - The "what"
|
|
2748
|
-
"network AAA centralization",
|
|
2749
|
-
"authentication",
|
|
2750
|
-
"authorization",
|
|
2751
|
-
"auditing"
|
|
2752
|
-
],
|
|
2753
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2754
|
-
"centralize",
|
|
2755
|
-
"network AAA",
|
|
2756
|
-
"authentication",
|
|
2757
|
-
"authorization",
|
|
2758
|
-
"auditing"
|
|
2759
|
-
],
|
|
2760
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2761
|
-
"secure network management and design policy/process",
|
|
2762
|
-
"identity and access management tool",
|
|
2763
|
-
"AAA servers",
|
|
2764
|
-
"centralized authentication systems"
|
|
2765
|
-
],
|
|
2766
|
-
relatedSafeguards: ["4.2", "5.6", "6.7", "8.9", "12.6", "12.7"] },
|
|
2767
|
-
"12.6": {
|
|
2768
|
-
id: "12.6",
|
|
2769
|
-
title: "Use of Secure Network Management and Communication Protocols",
|
|
2770
|
-
description: "Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater)",
|
|
2771
|
-
implementationGroup: "IG2",
|
|
2772
|
-
assetType: ["network"],
|
|
2773
|
-
securityFunction: ["Protect"],
|
|
2774
|
-
governanceElements: [ // Orange - MUST be met
|
|
2775
|
-
"use secure network management protocols",
|
|
2776
|
-
"use secure communication protocols",
|
|
2777
|
-
"secure protocol implementation",
|
|
2778
|
-
"enterprise-grade security protocols"
|
|
2779
|
-
],
|
|
2780
|
-
coreRequirements: [ // Green - The "what"
|
|
2781
|
-
"secure network management",
|
|
2782
|
-
"secure communication protocols",
|
|
2783
|
-
"802.1X implementation",
|
|
2784
|
-
"WPA2 Enterprise or greater"
|
|
2785
|
-
],
|
|
2786
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2787
|
-
"use",
|
|
2788
|
-
"secure network management",
|
|
2789
|
-
"communication protocols",
|
|
2790
|
-
"802.1X",
|
|
2791
|
-
"Wi-Fi Protected Access 2 (WPA2) Enterprise",
|
|
2792
|
-
"greater"
|
|
2793
|
-
],
|
|
2794
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2795
|
-
"secure network management and design policy/process",
|
|
2796
|
-
"802.1X authentication systems",
|
|
2797
|
-
"enterprise wireless controllers",
|
|
2798
|
-
"secure protocol implementations"
|
|
2799
|
-
],
|
|
2800
|
-
relatedSafeguards: ["12.3", "12.5"] },
|
|
2801
|
-
"12.7": {
|
|
2802
|
-
id: "12.7",
|
|
2803
|
-
title: "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure",
|
|
2804
|
-
description: "Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices",
|
|
2805
|
-
implementationGroup: "IG2",
|
|
2806
|
-
assetType: ["Devices"],
|
|
2807
|
-
securityFunction: ["Protect"],
|
|
2808
|
-
governanceElements: [ // Orange - MUST be met
|
|
2809
|
-
"require users to authenticate to enterprise-managed VPN",
|
|
2810
|
-
"authenticate to authentication services",
|
|
2811
|
-
"prior to accessing enterprise resources on end-user devices",
|
|
2812
|
-
"VPN and AAA integration requirements"
|
|
2813
|
-
],
|
|
2814
|
-
coreRequirements: [ // Green - The "what"
|
|
2815
|
-
"enterprise-managed VPN",
|
|
2816
|
-
"authentication services",
|
|
2817
|
-
"user authentication requirements",
|
|
2818
|
-
"enterprise resource access control"
|
|
2819
|
-
],
|
|
2820
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2821
|
-
"require",
|
|
2822
|
-
"users to authenticate",
|
|
2823
|
-
"enterprise-managed VPN",
|
|
2824
|
-
"authentication services",
|
|
2825
|
-
"prior to accessing enterprise resources",
|
|
2826
|
-
"end-user devices"
|
|
2827
|
-
],
|
|
2828
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2829
|
-
"secure network management and design policy/process",
|
|
2830
|
-
"VPN/encryption tool",
|
|
2831
|
-
"enterprise VPN solutions",
|
|
2832
|
-
"AAA integration systems"
|
|
2833
|
-
],
|
|
2834
|
-
relatedSafeguards: ["6.4", "12.5"] },
|
|
2835
|
-
"12.8": {
|
|
2836
|
-
id: "12.8",
|
|
2837
|
-
title: "Establish and Maintain Dedicated Computing Resources for All Administrative Work",
|
|
2838
|
-
description: "Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access",
|
|
2839
|
-
implementationGroup: "IG3",
|
|
2840
|
-
assetType: ["Devices"],
|
|
2841
|
-
securityFunction: ["Protect"],
|
|
2842
|
-
governanceElements: [ // Orange - MUST be met
|
|
2843
|
-
"establish dedicated computing resources for administrative work",
|
|
2844
|
-
"maintain dedicated computing resources",
|
|
2845
|
-
"segmented from enterprise's primary network",
|
|
2846
|
-
"not allowed internet access"
|
|
2847
|
-
],
|
|
2848
|
-
coreRequirements: [ // Green - The "what"
|
|
2849
|
-
"dedicated computing resources (SAW)",
|
|
2850
|
-
"administrative tasks isolation",
|
|
2851
|
-
"administrative access separation",
|
|
2852
|
-
"network segmentation from primary network"
|
|
2853
|
-
],
|
|
2854
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2855
|
-
"establish",
|
|
2856
|
-
"maintain",
|
|
2857
|
-
"dedicated computing resources",
|
|
2858
|
-
"physically or logically separated",
|
|
2859
|
-
"all administrative tasks",
|
|
2860
|
-
"tasks requiring administrative access",
|
|
2861
|
-
"segmented from primary network",
|
|
2862
|
-
"no internet access"
|
|
2863
|
-
],
|
|
2864
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2865
|
-
"secure network management and design policy/process",
|
|
2866
|
-
"secure admin workstations (SAW)",
|
|
2867
|
-
"network segmentation tools",
|
|
2868
|
-
"administrative isolation systems"
|
|
2869
|
-
],
|
|
2870
|
-
relatedSafeguards: ["1.1", "5.1"] },
|
|
2871
|
-
"13.1": {
|
|
2872
|
-
id: "13.1",
|
|
2873
|
-
title: "Centralize Security Event Alerting",
|
|
2874
|
-
description: "Centralize security event alerting across enterprise assets for log correlation and analysis. Security event alerting includes, at a minimum, active exploitation attempts of enterprise assets",
|
|
2875
|
-
implementationGroup: "IG2",
|
|
2876
|
-
assetType: ["network", "Devices"],
|
|
2877
|
-
securityFunction: ["Detect"],
|
|
2878
|
-
governanceElements: [ // Orange - MUST be met
|
|
2879
|
-
"centralize security event alerting across enterprise assets",
|
|
2880
|
-
"log correlation and analysis",
|
|
2881
|
-
"active exploitation attempts monitoring"
|
|
2882
|
-
],
|
|
2883
|
-
coreRequirements: [ // Green - The "what"
|
|
2884
|
-
"centralized security event alerting",
|
|
2885
|
-
"log correlation capabilities",
|
|
2886
|
-
"analysis of security events",
|
|
2887
|
-
"active exploitation attempt detection"
|
|
2888
|
-
],
|
|
2889
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2890
|
-
"centralize security event alerting",
|
|
2891
|
-
"across enterprise assets",
|
|
2892
|
-
"for log correlation",
|
|
2893
|
-
"for analysis",
|
|
2894
|
-
"active exploitation attempts",
|
|
2895
|
-
"of enterprise assets"
|
|
2896
|
-
],
|
|
2897
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2898
|
-
"security information and event management (SIEM)",
|
|
2899
|
-
"security orchestration, automation and response (SOAR)",
|
|
2900
|
-
"log aggregation platforms",
|
|
2901
|
-
"event correlation engines"
|
|
2902
|
-
],
|
|
2903
|
-
relatedSafeguards: ["8.1", "8.2", "8.11", "13.2", "13.3", "13.11"] },
|
|
2904
|
-
"13.2": {
|
|
2905
|
-
id: "13.2",
|
|
2906
|
-
title: "Deploy a Host-Based Intrusion Detection Solution",
|
|
2907
|
-
description: "Deploy a host-based intrusion detection solution on enterprise assets, where technically feasible",
|
|
2908
|
-
implementationGroup: "IG2",
|
|
2909
|
-
assetType: ["Devices"],
|
|
2910
|
-
securityFunction: ["Detect"],
|
|
2911
|
-
governanceElements: [ // Orange - MUST be met
|
|
2912
|
-
"deploy host-based intrusion detection solution",
|
|
2913
|
-
"on enterprise assets",
|
|
2914
|
-
"where technically feasible"
|
|
2915
|
-
],
|
|
2916
|
-
coreRequirements: [ // Green - The "what"
|
|
2917
|
-
"host-based intrusion detection solution",
|
|
2918
|
-
"deployment on enterprise assets",
|
|
2919
|
-
"technical feasibility assessment"
|
|
2920
|
-
],
|
|
2921
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2922
|
-
"deploy",
|
|
2923
|
-
"host-based intrusion detection solution",
|
|
2924
|
-
"on enterprise assets",
|
|
2925
|
-
"where technically feasible"
|
|
2926
|
-
],
|
|
2927
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2928
|
-
"host-based intrusion detection systems (HIDS)",
|
|
2929
|
-
"endpoint detection and response (EDR)",
|
|
2930
|
-
"host-based security monitoring",
|
|
2931
|
-
"behavioral analysis tools"
|
|
2932
|
-
],
|
|
2933
|
-
relatedSafeguards: ["1.1", "13.1", "13.3", "13.7"] },
|
|
2934
|
-
"13.3": {
|
|
2935
|
-
id: "13.3",
|
|
2936
|
-
title: "Deploy a Network Intrusion Detection Solution",
|
|
2937
|
-
description: "Deploy a network intrusion detection solution with ruleset tuned for threats facing the enterprise's industry sector",
|
|
2938
|
-
implementationGroup: "IG2",
|
|
2939
|
-
assetType: ["network"],
|
|
2940
|
-
securityFunction: ["Detect"],
|
|
2941
|
-
governanceElements: [ // Orange - MUST be met
|
|
2942
|
-
"deploy network intrusion detection solution",
|
|
2943
|
-
"ruleset tuned for threats facing enterprise's industry sector"
|
|
2944
|
-
],
|
|
2945
|
-
coreRequirements: [ // Green - The "what"
|
|
2946
|
-
"network intrusion detection solution",
|
|
2947
|
-
"threat-tuned rulesets",
|
|
2948
|
-
"industry-specific threat focus"
|
|
2949
|
-
],
|
|
2950
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2951
|
-
"deploy",
|
|
2952
|
-
"network intrusion detection solution",
|
|
2953
|
-
"with ruleset tuned",
|
|
2954
|
-
"for threats facing",
|
|
2955
|
-
"the enterprise's industry sector"
|
|
2956
|
-
],
|
|
2957
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2958
|
-
"network intrusion detection systems (NIDS)",
|
|
2959
|
-
"network security monitoring",
|
|
2960
|
-
"threat intelligence integration",
|
|
2961
|
-
"industry-specific threat feeds"
|
|
2962
|
-
],
|
|
2963
|
-
relatedSafeguards: ["13.1", "13.2", "13.8"] },
|
|
2964
|
-
"13.4": {
|
|
2965
|
-
id: "13.4",
|
|
2966
|
-
title: "Perform Traffic Filtering Between Network Segments",
|
|
2967
|
-
description: "Perform traffic filtering between network segments, where technically feasible",
|
|
2968
|
-
implementationGroup: "IG2",
|
|
2969
|
-
assetType: ["network"],
|
|
2970
|
-
securityFunction: ["Protect"],
|
|
2971
|
-
governanceElements: [ // Orange - MUST be met
|
|
2972
|
-
"perform traffic filtering between network segments",
|
|
2973
|
-
"where technically feasible"
|
|
2974
|
-
],
|
|
2975
|
-
coreRequirements: [ // Green - The "what"
|
|
2976
|
-
"traffic filtering between network segments",
|
|
2977
|
-
"network segmentation controls",
|
|
2978
|
-
"technical feasibility assessment"
|
|
2979
|
-
],
|
|
2980
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2981
|
-
"perform traffic filtering",
|
|
2982
|
-
"between network segments",
|
|
2983
|
-
"where technically feasible"
|
|
2984
|
-
],
|
|
2985
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2986
|
-
"network firewalls",
|
|
2987
|
-
"micro-segmentation",
|
|
2988
|
-
"network access control",
|
|
2989
|
-
"software-defined perimeter"
|
|
2990
|
-
],
|
|
2991
|
-
relatedSafeguards: ["12.2", "12.3", "13.9"] },
|
|
2992
|
-
"13.5": {
|
|
2993
|
-
id: "13.5",
|
|
2994
|
-
title: "Manage Access Control for Remote Assets",
|
|
2995
|
-
description: "Manage access control for assets remotely connecting to enterprise networks. Determine amount of access to the enterprise network based on: up-to-date anti-malware software, up-to date system patches, up-to-date host-based firewall, and up-to-date host-based intrusion detection or intrusion prevention system",
|
|
2996
|
-
implementationGroup: "IG2",
|
|
2997
|
-
assetType: ["Devices", "network"],
|
|
2998
|
-
securityFunction: ["Protect"],
|
|
2999
|
-
governanceElements: [ // Orange - MUST be met
|
|
3000
|
-
"manage access control for assets remotely connecting to enterprise networks",
|
|
3001
|
-
"determine amount of access based on security posture"
|
|
3002
|
-
],
|
|
3003
|
-
coreRequirements: [ // Green - The "what"
|
|
3004
|
-
"access control for remote assets",
|
|
3005
|
-
"remote connection management",
|
|
3006
|
-
"security posture-based access"
|
|
3007
|
-
],
|
|
3008
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3009
|
-
"manage access control",
|
|
3010
|
-
"for assets remotely connecting",
|
|
3011
|
-
"to enterprise networks",
|
|
3012
|
-
"determine amount of access",
|
|
3013
|
-
"up-to-date anti-malware software",
|
|
3014
|
-
"up-to-date system patches",
|
|
3015
|
-
"up-to-date host-based firewall",
|
|
3016
|
-
"up-to-date host-based intrusion detection or prevention"
|
|
3017
|
-
],
|
|
3018
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3019
|
-
"network access control (NAC)",
|
|
3020
|
-
"zero trust network access",
|
|
3021
|
-
"device compliance checking",
|
|
3022
|
-
"posture assessment tools"
|
|
3023
|
-
],
|
|
3024
|
-
relatedSafeguards: ["6.1", "10.1", "10.7", "12.1", "13.2"] },
|
|
3025
|
-
"13.6": {
|
|
3026
|
-
id: "13.6",
|
|
3027
|
-
title: "Collect Network Traffic Flow Logs",
|
|
3028
|
-
description: "Collect network traffic flow logs and/or network traffic to review and alert upon",
|
|
3029
|
-
implementationGroup: "IG2",
|
|
3030
|
-
assetType: ["network"],
|
|
3031
|
-
securityFunction: ["Detect"],
|
|
3032
|
-
governanceElements: [ // Orange - MUST be met
|
|
3033
|
-
"collect network traffic flow logs and/or network traffic",
|
|
3034
|
-
"to review and alert upon"
|
|
3035
|
-
],
|
|
3036
|
-
coreRequirements: [ // Green - The "what"
|
|
3037
|
-
"network traffic flow log collection",
|
|
3038
|
-
"network traffic monitoring",
|
|
3039
|
-
"review and alerting capabilities"
|
|
3040
|
-
],
|
|
3041
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3042
|
-
"collect network traffic flow logs",
|
|
3043
|
-
"collect network traffic",
|
|
3044
|
-
"to review",
|
|
3045
|
-
"to alert upon"
|
|
3046
|
-
],
|
|
3047
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3048
|
-
"network flow analyzers",
|
|
3049
|
-
"packet capture systems",
|
|
3050
|
-
"network monitoring tools",
|
|
3051
|
-
"traffic analysis platforms"
|
|
3052
|
-
],
|
|
3053
|
-
relatedSafeguards: ["8.5", "13.1", "13.3"] },
|
|
3054
|
-
"13.7": {
|
|
3055
|
-
id: "13.7",
|
|
3056
|
-
title: "Deploy a Host-Based Intrusion Prevention Solution",
|
|
3057
|
-
description: "Deploy a host-based intrusion prevention solution on enterprise assets, where technically feasible",
|
|
3058
|
-
implementationGroup: "IG3",
|
|
3059
|
-
assetType: ["Devices"],
|
|
3060
|
-
securityFunction: ["Respond"],
|
|
3061
|
-
governanceElements: [ // Orange - MUST be met
|
|
3062
|
-
"deploy host-based intrusion prevention solution",
|
|
3063
|
-
"on enterprise assets",
|
|
3064
|
-
"where technically feasible"
|
|
3065
|
-
],
|
|
3066
|
-
coreRequirements: [ // Green - The "what"
|
|
3067
|
-
"host-based intrusion prevention solution",
|
|
3068
|
-
"deployment on enterprise assets",
|
|
3069
|
-
"technical feasibility assessment"
|
|
3070
|
-
],
|
|
3071
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3072
|
-
"deploy",
|
|
3073
|
-
"host-based intrusion prevention solution",
|
|
3074
|
-
"on enterprise assets",
|
|
3075
|
-
"where technically feasible"
|
|
3076
|
-
],
|
|
3077
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3078
|
-
"host-based intrusion prevention systems (HIPS)",
|
|
3079
|
-
"endpoint protection platforms",
|
|
3080
|
-
"behavioral blocking systems",
|
|
3081
|
-
"automated threat response"
|
|
3082
|
-
],
|
|
3083
|
-
relatedSafeguards: ["13.2", "13.8"] },
|
|
3084
|
-
"13.8": {
|
|
3085
|
-
id: "13.8",
|
|
3086
|
-
title: "Deploy a Network Intrusion Prevention Solution",
|
|
3087
|
-
description: "Deploy a network intrusion prevention solution to block malicious network traffic in real-time",
|
|
3088
|
-
implementationGroup: "IG3",
|
|
3089
|
-
assetType: ["network"],
|
|
3090
|
-
securityFunction: ["Respond"],
|
|
3091
|
-
governanceElements: [ // Orange - MUST be met
|
|
3092
|
-
"deploy network intrusion prevention solution",
|
|
3093
|
-
"to block malicious network traffic in real-time"
|
|
3094
|
-
],
|
|
3095
|
-
coreRequirements: [ // Green - The "what"
|
|
3096
|
-
"network intrusion prevention solution",
|
|
3097
|
-
"malicious traffic blocking",
|
|
3098
|
-
"real-time response capabilities"
|
|
3099
|
-
],
|
|
3100
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3101
|
-
"deploy",
|
|
3102
|
-
"network intrusion prevention solution",
|
|
3103
|
-
"to block malicious network traffic",
|
|
3104
|
-
"in real-time"
|
|
3105
|
-
],
|
|
3106
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3107
|
-
"network intrusion prevention systems (NIPS)",
|
|
3108
|
-
"inline security appliances",
|
|
3109
|
-
"automated blocking systems",
|
|
3110
|
-
"real-time threat mitigation"
|
|
3111
|
-
],
|
|
3112
|
-
relatedSafeguards: ["13.3", "13.7"] },
|
|
3113
|
-
"13.9": {
|
|
3114
|
-
id: "13.9",
|
|
3115
|
-
title: "Deploy Port-Level Access Control",
|
|
3116
|
-
description: "Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates",
|
|
3117
|
-
implementationGroup: "IG3",
|
|
3118
|
-
assetType: ["network"],
|
|
3119
|
-
securityFunction: ["Protect"],
|
|
3120
|
-
governanceElements: [ // Orange - MUST be met
|
|
3121
|
-
"deploy port-level access control",
|
|
3122
|
-
"utilizes 802.1x or similar network access control protocols"
|
|
3123
|
-
],
|
|
3124
|
-
coreRequirements: [ // Green - The "what"
|
|
3125
|
-
"port-level access control",
|
|
3126
|
-
"802.1x implementation",
|
|
3127
|
-
"network access control protocols"
|
|
3128
|
-
],
|
|
3129
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3130
|
-
"deploy port-level access control",
|
|
3131
|
-
"utilizes 802.1x",
|
|
3132
|
-
"similar network access control protocols",
|
|
3133
|
-
"such as certificates"
|
|
3134
|
-
],
|
|
3135
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3136
|
-
"802.1x authentication",
|
|
3137
|
-
"network access control systems",
|
|
3138
|
-
"certificate-based authentication",
|
|
3139
|
-
"port-based network access control"
|
|
3140
|
-
],
|
|
3141
|
-
relatedSafeguards: ["12.7", "13.4"] },
|
|
3142
|
-
"13.10": {
|
|
3143
|
-
id: "13.10",
|
|
3144
|
-
title: "Perform Application Layer Filtering",
|
|
3145
|
-
description: "Perform application layer filtering to protect against the enterprise's most common network-based attacks",
|
|
3146
|
-
implementationGroup: "IG3",
|
|
3147
|
-
assetType: ["network", "Software"],
|
|
3148
|
-
securityFunction: ["Protect"],
|
|
3149
|
-
governanceElements: [ // Orange - MUST be met
|
|
3150
|
-
"perform application layer filtering",
|
|
3151
|
-
"to protect against enterprise's most common network-based attacks"
|
|
3152
|
-
],
|
|
3153
|
-
coreRequirements: [ // Green - The "what"
|
|
3154
|
-
"application layer filtering",
|
|
3155
|
-
"protection against common network-based attacks",
|
|
3156
|
-
"enterprise-specific threat focus"
|
|
3157
|
-
],
|
|
3158
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3159
|
-
"perform application layer filtering",
|
|
3160
|
-
"to protect against",
|
|
3161
|
-
"the enterprise's most common",
|
|
3162
|
-
"network-based attacks"
|
|
3163
|
-
],
|
|
3164
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3165
|
-
"web application firewalls",
|
|
3166
|
-
"application layer gateways",
|
|
3167
|
-
"deep packet inspection",
|
|
3168
|
-
"application-aware filtering"
|
|
3169
|
-
],
|
|
3170
|
-
relatedSafeguards: ["13.4", "16.11"] },
|
|
3171
|
-
"13.11": {
|
|
3172
|
-
id: "13.11",
|
|
3173
|
-
title: "Tune Security Event Alerting Thresholds",
|
|
3174
|
-
description: "Tune security event alerting thresholds monthly, or more frequently",
|
|
3175
|
-
implementationGroup: "IG3",
|
|
3176
|
-
assetType: ["network", "Devices"],
|
|
3177
|
-
securityFunction: ["Detect"],
|
|
3178
|
-
governanceElements: [ // Orange - MUST be met
|
|
3179
|
-
"tune security event alerting thresholds",
|
|
3180
|
-
"monthly or more frequently"
|
|
3181
|
-
],
|
|
3182
|
-
coreRequirements: [ // Green - The "what"
|
|
3183
|
-
"security event alerting threshold tuning",
|
|
3184
|
-
"monthly tuning frequency",
|
|
3185
|
-
"threshold optimization"
|
|
3186
|
-
],
|
|
3187
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3188
|
-
"tune security event alerting thresholds",
|
|
3189
|
-
"monthly",
|
|
3190
|
-
"or more frequently"
|
|
3191
|
-
],
|
|
3192
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3193
|
-
"SIEM tuning processes",
|
|
3194
|
-
"threshold optimization tools",
|
|
3195
|
-
"alert management platforms",
|
|
3196
|
-
"false positive reduction"
|
|
3197
|
-
],
|
|
3198
|
-
relatedSafeguards: ["13.1", "8.11"] },
|
|
3199
|
-
"14.1": {
|
|
3200
|
-
id: "14.1",
|
|
3201
|
-
title: "Establish and Maintain a Security Awareness Program",
|
|
3202
|
-
description: "Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
3203
|
-
implementationGroup: "IG1",
|
|
3204
|
-
assetType: ["Users"],
|
|
3205
|
-
securityFunction: ["Govern"],
|
|
3206
|
-
governanceElements: [ // Orange - MUST be met
|
|
3207
|
-
"establish and maintain a security awareness program",
|
|
3208
|
-
"conduct training at hire and at a minimum annually",
|
|
3209
|
-
"review and update content annually or when significant enterprise changes occur"
|
|
3210
|
-
],
|
|
3211
|
-
coreRequirements: [ // Green - The "what"
|
|
3212
|
-
"security awareness program establishment",
|
|
3213
|
-
"workforce education on secure interaction",
|
|
3214
|
-
"enterprise assets and data security training",
|
|
3215
|
-
"training frequency requirements"
|
|
3216
|
-
],
|
|
3217
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3218
|
-
"establish security awareness program",
|
|
3219
|
-
"maintain security awareness program",
|
|
3220
|
-
"educate enterprise workforce",
|
|
3221
|
-
"how to interact with enterprise assets",
|
|
3222
|
-
"how to interact with data in secure manner",
|
|
3223
|
-
"conduct training at hire",
|
|
3224
|
-
"conduct training minimum annually",
|
|
3225
|
-
"review and update content annually",
|
|
3226
|
-
"when significant enterprise changes occur"
|
|
3227
|
-
],
|
|
3228
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3229
|
-
"security training and awareness tools",
|
|
3230
|
-
"security training and awareness policy/process",
|
|
3231
|
-
"training documentation systems",
|
|
3232
|
-
"learning management systems"
|
|
3233
|
-
],
|
|
3234
|
-
relatedSafeguards: ["14.2", "14.3", "14.4", "14.5", "14.6", "14.7", "14.8", "14.9"] },
|
|
3235
|
-
"14.2": {
|
|
3236
|
-
id: "14.2",
|
|
3237
|
-
title: "Train Workforce Members to Recognize Social Engineering Attacks",
|
|
3238
|
-
description: "Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating",
|
|
3239
|
-
implementationGroup: "IG1",
|
|
3240
|
-
assetType: ["Users"],
|
|
3241
|
-
securityFunction: ["Protect"],
|
|
3242
|
-
governanceElements: [ // Orange - MUST be met
|
|
3243
|
-
"train workforce members to recognize social engineering attacks",
|
|
3244
|
-
"such as phishing, business email compromise, pretexting, and tailgating"
|
|
3245
|
-
],
|
|
3246
|
-
coreRequirements: [ // Green - The "what"
|
|
3247
|
-
"workforce training on social engineering recognition",
|
|
3248
|
-
"phishing attack awareness",
|
|
3249
|
-
"business email compromise awareness",
|
|
3250
|
-
"pretexting attack awareness",
|
|
3251
|
-
"tailgating attack awareness"
|
|
3252
|
-
],
|
|
3253
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3254
|
-
"train workforce members",
|
|
3255
|
-
"to recognize social engineering attacks",
|
|
3256
|
-
"such as phishing",
|
|
3257
|
-
"such as business email compromise (BEC)",
|
|
3258
|
-
"such as pretexting",
|
|
3259
|
-
"such as tailgating"
|
|
3260
|
-
],
|
|
3261
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3262
|
-
"security training and awareness tools",
|
|
3263
|
-
"phishing simulation platforms",
|
|
3264
|
-
"social engineering awareness training",
|
|
3265
|
-
"security awareness modules"
|
|
3266
|
-
],
|
|
3267
|
-
relatedSafeguards: ["14.1"] },
|
|
3268
|
-
"14.3": {
|
|
3269
|
-
id: "14.3",
|
|
3270
|
-
title: "Train Workforce Members on Authentication Best Practices",
|
|
3271
|
-
description: "Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management",
|
|
3272
|
-
implementationGroup: "IG1",
|
|
3273
|
-
assetType: ["Users"],
|
|
3274
|
-
securityFunction: ["Protect"],
|
|
3275
|
-
governanceElements: [ // Orange - MUST be met
|
|
3276
|
-
"train workforce members on authentication best practices",
|
|
3277
|
-
"example topics include MFA, password composition, and credential management"
|
|
3278
|
-
],
|
|
3279
|
-
coreRequirements: [ // Green - The "what"
|
|
3280
|
-
"authentication best practices training",
|
|
3281
|
-
"MFA training",
|
|
3282
|
-
"password composition training",
|
|
3283
|
-
"credential management training"
|
|
3284
|
-
],
|
|
3285
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3286
|
-
"train workforce members",
|
|
3287
|
-
"on authentication best practices",
|
|
3288
|
-
"example topics include MFA",
|
|
3289
|
-
"example topics include password composition",
|
|
3290
|
-
"example topics include credential management"
|
|
3291
|
-
],
|
|
3292
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3293
|
-
"security training and awareness tools",
|
|
3294
|
-
"authentication training modules",
|
|
3295
|
-
"password security training",
|
|
3296
|
-
"MFA awareness programs"
|
|
3297
|
-
],
|
|
3298
|
-
relatedSafeguards: ["14.1", "6.2", "6.3"] },
|
|
3299
|
-
"14.4": {
|
|
3300
|
-
id: "14.4",
|
|
3301
|
-
title: "Train Workforce on Data Handling Best Practices",
|
|
3302
|
-
description: "Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely",
|
|
3303
|
-
implementationGroup: "IG1",
|
|
3304
|
-
assetType: ["Users"],
|
|
3305
|
-
securityFunction: ["Protect"],
|
|
3306
|
-
governanceElements: [ // Orange - MUST be met
|
|
3307
|
-
"train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data",
|
|
3308
|
-
"training on clear screen and desk best practices",
|
|
3309
|
-
"such as locking screen when stepping away, erasing whiteboards, storing data securely"
|
|
3310
|
-
],
|
|
3311
|
-
coreRequirements: [ // Green - The "what"
|
|
3312
|
-
"data handling best practices training",
|
|
3313
|
-
"sensitive data identification training",
|
|
3314
|
-
"secure data storage, transfer, archive, destroy procedures",
|
|
3315
|
-
"clear screen and desk policies"
|
|
3316
|
-
],
|
|
3317
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3318
|
-
"train workforce members on how to",
|
|
3319
|
-
"identify sensitive data",
|
|
3320
|
-
"properly store sensitive data",
|
|
3321
|
-
"properly transfer sensitive data",
|
|
3322
|
-
"properly archive sensitive data",
|
|
3323
|
-
"properly destroy sensitive data",
|
|
3324
|
-
"clear screen best practices",
|
|
3325
|
-
"clear desk best practices",
|
|
3326
|
-
"locking screen when stepping away",
|
|
3327
|
-
"erasing physical whiteboards at end of meetings",
|
|
3328
|
-
"erasing virtual whiteboards at end of meetings",
|
|
3329
|
-
"storing data and assets securely"
|
|
3330
|
-
],
|
|
3331
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3332
|
-
"security training and awareness tools",
|
|
3333
|
-
"data handling training modules",
|
|
3334
|
-
"clean desk policy training",
|
|
3335
|
-
"data classification training"
|
|
3336
|
-
],
|
|
3337
|
-
relatedSafeguards: ["14.1", "3.1", "3.2"] },
|
|
3338
|
-
"14.5": {
|
|
3339
|
-
id: "14.5",
|
|
3340
|
-
title: "Train Workforce Members on Causes of Unintentional Data Exposure",
|
|
3341
|
-
description: "Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences",
|
|
3342
|
-
implementationGroup: "IG1",
|
|
3343
|
-
assetType: ["Users"],
|
|
3344
|
-
securityFunction: ["Protect"],
|
|
3345
|
-
governanceElements: [ // Orange - MUST be met
|
|
3346
|
-
"train workforce members to be aware of causes for unintentional data exposure",
|
|
3347
|
-
"example topics include mis-delivery, losing portable devices, publishing to unintended audiences"
|
|
3348
|
-
],
|
|
3349
|
-
coreRequirements: [ // Green - The "what"
|
|
3350
|
-
"unintentional data exposure awareness training",
|
|
3351
|
-
"mis-delivery prevention training",
|
|
3352
|
-
"portable device security awareness",
|
|
3353
|
-
"data publication controls training"
|
|
3354
|
-
],
|
|
3355
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3356
|
-
"train workforce members",
|
|
3357
|
-
"to be aware of causes for unintentional data exposure",
|
|
3358
|
-
"example topics include mis-delivery of sensitive data",
|
|
3359
|
-
"example topics include losing a portable end-user device",
|
|
3360
|
-
"example topics include publishing data to unintended audiences"
|
|
3361
|
-
],
|
|
3362
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3363
|
-
"security training and awareness tools",
|
|
3364
|
-
"data loss prevention training",
|
|
3365
|
-
"device security awareness training",
|
|
3366
|
-
"data sharing awareness programs"
|
|
3367
|
-
],
|
|
3368
|
-
relatedSafeguards: ["14.1", "3.3"] },
|
|
3369
|
-
"14.6": {
|
|
3370
|
-
id: "14.6",
|
|
3371
|
-
title: "Train Workforce Members on Recognizing and Reporting Security Incidents",
|
|
3372
|
-
description: "Train workforce members to be able to recognize a potential incident and be able to report such an incident",
|
|
3373
|
-
implementationGroup: "IG1",
|
|
3374
|
-
assetType: ["Users"],
|
|
3375
|
-
securityFunction: ["Protect"],
|
|
3376
|
-
governanceElements: [ // Orange - MUST be met
|
|
3377
|
-
"train workforce members to be able to recognize a potential incident",
|
|
3378
|
-
"train workforce members to be able to report such an incident"
|
|
3379
|
-
],
|
|
3380
|
-
coreRequirements: [ // Green - The "what"
|
|
3381
|
-
"security incident recognition training",
|
|
3382
|
-
"incident reporting training",
|
|
3383
|
-
"potential incident identification",
|
|
3384
|
-
"incident reporting procedures"
|
|
3385
|
-
],
|
|
3386
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3387
|
-
"train workforce members",
|
|
3388
|
-
"to be able to recognize a potential incident",
|
|
3389
|
-
"to be able to report such an incident"
|
|
3390
|
-
],
|
|
3391
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3392
|
-
"security training and awareness tools",
|
|
3393
|
-
"incident response training",
|
|
3394
|
-
"security incident awareness programs",
|
|
3395
|
-
"incident reporting tools"
|
|
3396
|
-
],
|
|
3397
|
-
relatedSafeguards: ["14.1", "17.3"] },
|
|
3398
|
-
"14.7": {
|
|
3399
|
-
id: "14.7",
|
|
3400
|
-
title: "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates",
|
|
3401
|
-
description: "Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools",
|
|
3402
|
-
implementationGroup: "IG1",
|
|
3403
|
-
assetType: ["Users"],
|
|
3404
|
-
securityFunction: ["Protect"],
|
|
3405
|
-
governanceElements: [ // Orange - MUST be met
|
|
3406
|
-
"train workforce to understand how to verify and report out-of-date software patches",
|
|
3407
|
-
"train on reporting failures in automated processes and tools",
|
|
3408
|
-
"include notifying IT personnel of any failures in automated processes and tools"
|
|
3409
|
-
],
|
|
3410
|
-
coreRequirements: [ // Green - The "what"
|
|
3411
|
-
"security update verification training",
|
|
3412
|
-
"out-of-date software patch identification",
|
|
3413
|
-
"automated process failure reporting",
|
|
3414
|
-
"IT personnel notification procedures"
|
|
3415
|
-
],
|
|
3416
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3417
|
-
"train workforce to understand how to",
|
|
3418
|
-
"verify out-of-date software patches",
|
|
3419
|
-
"report out-of-date software patches",
|
|
3420
|
-
"report any failures in automated processes",
|
|
3421
|
-
"report any failures in automated tools",
|
|
3422
|
-
"training should include notifying IT personnel",
|
|
3423
|
-
"of any failures in automated processes",
|
|
3424
|
-
"of any failures in automated tools"
|
|
3425
|
-
],
|
|
3426
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3427
|
-
"security training and awareness tools",
|
|
3428
|
-
"patch management awareness training",
|
|
3429
|
-
"IT support reporting procedures",
|
|
3430
|
-
"automated system monitoring training"
|
|
3431
|
-
],
|
|
3432
|
-
relatedSafeguards: ["14.1", "7.3", "7.4"] },
|
|
3433
|
-
"14.8": {
|
|
3434
|
-
id: "14.8",
|
|
3435
|
-
title: "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks",
|
|
3436
|
-
description: "Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure",
|
|
3437
|
-
implementationGroup: "IG1",
|
|
3438
|
-
assetType: ["Users"],
|
|
3439
|
-
securityFunction: ["Protect"],
|
|
3440
|
-
governanceElements: [ // Orange - MUST be met
|
|
3441
|
-
"train workforce members on dangers of connecting to and transmitting data over insecure networks",
|
|
3442
|
-
"if enterprise has remote workers, training must include guidance for secure home network configuration"
|
|
3443
|
-
],
|
|
3444
|
-
coreRequirements: [ // Green - The "what"
|
|
3445
|
-
"insecure network dangers training",
|
|
3446
|
-
"secure connection practices",
|
|
3447
|
-
"enterprise data transmission security",
|
|
3448
|
-
"remote worker home network security"
|
|
3449
|
-
],
|
|
3450
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3451
|
-
"train workforce members on the dangers of",
|
|
3452
|
-
"connecting to insecure networks",
|
|
3453
|
-
"transmitting data over insecure networks",
|
|
3454
|
-
"for enterprise activities",
|
|
3455
|
-
"if enterprise has remote workers",
|
|
3456
|
-
"training must include guidance",
|
|
3457
|
-
"to ensure all users securely configure",
|
|
3458
|
-
"their home network infrastructure"
|
|
3459
|
-
],
|
|
3460
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3461
|
-
"security training and awareness tools",
|
|
3462
|
-
"network security awareness training",
|
|
3463
|
-
"remote work security training",
|
|
3464
|
-
"home network configuration guides"
|
|
3465
|
-
],
|
|
3466
|
-
relatedSafeguards: ["14.1", "12.1"] },
|
|
3467
|
-
"14.9": {
|
|
3468
|
-
id: "14.9",
|
|
3469
|
-
title: "Conduct Role-Specific Security Awareness and Skills Training",
|
|
3470
|
-
description: "Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles",
|
|
3471
|
-
implementationGroup: "IG2",
|
|
3472
|
-
assetType: ["Users"],
|
|
3473
|
-
securityFunction: ["Protect"],
|
|
3474
|
-
governanceElements: [ // Orange - MUST be met
|
|
3475
|
-
"conduct role-specific security awareness and skills training",
|
|
3476
|
-
"example implementations include secure system administration courses, OWASP Top 10 training, and advanced social engineering training"
|
|
3477
|
-
],
|
|
3478
|
-
coreRequirements: [ // Green - The "what"
|
|
3479
|
-
"role-specific security awareness training",
|
|
3480
|
-
"role-specific skills training",
|
|
3481
|
-
"IT professional system administration courses",
|
|
3482
|
-
"developer OWASP Top 10 training",
|
|
3483
|
-
"high-profile role advanced social engineering training"
|
|
3484
|
-
],
|
|
3485
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3486
|
-
"conduct role-specific security awareness training",
|
|
3487
|
-
"conduct role-specific skills training",
|
|
3488
|
-
"secure system administration courses for IT professionals",
|
|
3489
|
-
"OWASP Top 10 vulnerability awareness and prevention training for web application developers",
|
|
3490
|
-
"advanced social engineering awareness training for high-profile roles"
|
|
3491
|
-
],
|
|
3492
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3493
|
-
"security training and awareness tools",
|
|
3494
|
-
"role-based training programs",
|
|
3495
|
-
"specialized security courses",
|
|
3496
|
-
"professional development programs"
|
|
3497
|
-
],
|
|
3498
|
-
relatedSafeguards: ["14.1", "16.9"] },
|
|
3499
|
-
"15.1": {
|
|
3500
|
-
id: "15.1",
|
|
3501
|
-
title: "Establish and Maintain an Inventory of Service Providers",
|
|
3502
|
-
description: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
3503
|
-
implementationGroup: "IG1",
|
|
3504
|
-
assetType: ["Users"],
|
|
3505
|
-
securityFunction: ["Identify"],
|
|
3506
|
-
governanceElements: [ // Orange - MUST be met
|
|
3507
|
-
"establish and maintain an inventory of service providers",
|
|
3508
|
-
"list all known service providers, include classifications, designate enterprise contact",
|
|
3509
|
-
"review and update inventory annually or when significant enterprise changes occur"
|
|
3510
|
-
],
|
|
3511
|
-
coreRequirements: [ // Green - The "what"
|
|
3512
|
-
"service provider inventory establishment",
|
|
3513
|
-
"comprehensive service provider listing",
|
|
3514
|
-
"classification system implementation",
|
|
3515
|
-
"enterprise contact designation"
|
|
3516
|
-
],
|
|
3517
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3518
|
-
"establish inventory of service providers",
|
|
3519
|
-
"maintain inventory of service providers",
|
|
3520
|
-
"list all known service providers",
|
|
3521
|
-
"include classifications",
|
|
3522
|
-
"designate an enterprise contact for each service provider",
|
|
3523
|
-
"review and update the inventory annually",
|
|
3524
|
-
"when significant enterprise changes occur that could impact this safeguard"
|
|
3525
|
-
],
|
|
3526
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3527
|
-
"third-party risk management tools",
|
|
3528
|
-
"service provider management platforms",
|
|
3529
|
-
"vendor inventory systems",
|
|
3530
|
-
"supplier relationship management tools"
|
|
3531
|
-
],
|
|
3532
|
-
relatedSafeguards: ["2.1", "8.12", "15.2", "15.3", "15.4", "15.5", "15.6", "15.7"] },
|
|
3533
|
-
"15.2": {
|
|
3534
|
-
id: "15.2",
|
|
3535
|
-
title: "Establish and Maintain a Service Provider Management Policy",
|
|
3536
|
-
description: "Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
3537
|
-
implementationGroup: "IG2",
|
|
3538
|
-
assetType: ["Users"],
|
|
3539
|
-
securityFunction: ["Govern"],
|
|
3540
|
-
governanceElements: [ // Orange - MUST be met
|
|
3541
|
-
"establish and maintain a service provider management policy",
|
|
3542
|
-
"ensure policy addresses classification, inventory, assessment, monitoring, and decommissioning",
|
|
3543
|
-
"review and update policy annually or when significant enterprise changes occur"
|
|
3544
|
-
],
|
|
3545
|
-
coreRequirements: [ // Green - The "what"
|
|
3546
|
-
"service provider management policy establishment",
|
|
3547
|
-
"comprehensive policy coverage",
|
|
3548
|
-
"classification processes",
|
|
3549
|
-
"inventory management processes",
|
|
3550
|
-
"assessment processes",
|
|
3551
|
-
"monitoring processes",
|
|
3552
|
-
"decommissioning processes"
|
|
3553
|
-
],
|
|
3554
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3555
|
-
"establish service provider management policy",
|
|
3556
|
-
"maintain service provider management policy",
|
|
3557
|
-
"ensure policy addresses classification",
|
|
3558
|
-
"ensure policy addresses inventory",
|
|
3559
|
-
"ensure policy addresses assessment",
|
|
3560
|
-
"ensure policy addresses monitoring",
|
|
3561
|
-
"ensure policy addresses decommissioning of service providers",
|
|
3562
|
-
"review and update policy annually",
|
|
3563
|
-
"when significant enterprise changes occur that could impact this safeguard"
|
|
3564
|
-
],
|
|
3565
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3566
|
-
"service provider management policy documentation",
|
|
3567
|
-
"third-party risk management frameworks",
|
|
3568
|
-
"vendor management policy templates",
|
|
3569
|
-
"supplier governance documentation"
|
|
3570
|
-
],
|
|
3571
|
-
relatedSafeguards: ["15.1", "15.3", "15.4", "15.5", "15.6", "15.7"] },
|
|
3572
|
-
"15.3": {
|
|
3573
|
-
id: "15.3",
|
|
3574
|
-
title: "Classify Service Providers",
|
|
3575
|
-
description: "Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
3576
|
-
implementationGroup: "IG2",
|
|
3577
|
-
assetType: ["Users"],
|
|
3578
|
-
securityFunction: ["Govern"],
|
|
3579
|
-
governanceElements: [ // Orange - MUST be met
|
|
3580
|
-
"classify service providers",
|
|
3581
|
-
"classification may include data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, mitigated risk",
|
|
3582
|
-
"update and review classifications annually or when significant enterprise changes occur"
|
|
3583
|
-
],
|
|
3584
|
-
coreRequirements: [ // Green - The "what"
|
|
3585
|
-
"service provider classification system",
|
|
3586
|
-
"risk-based classification criteria",
|
|
3587
|
-
"data sensitivity classification",
|
|
3588
|
-
"regulatory compliance classification"
|
|
3589
|
-
],
|
|
3590
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3591
|
-
"classify service providers",
|
|
3592
|
-
"classification consideration may include one or more characteristics",
|
|
3593
|
-
"such as data sensitivity",
|
|
3594
|
-
"such as data volume",
|
|
3595
|
-
"such as availability requirements",
|
|
3596
|
-
"such as applicable regulations",
|
|
3597
|
-
"such as inherent risk",
|
|
3598
|
-
"such as mitigated risk",
|
|
3599
|
-
"update and review classifications annually",
|
|
3600
|
-
"when significant enterprise changes occur that could impact this safeguard"
|
|
3601
|
-
],
|
|
3602
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3603
|
-
"service provider management policy",
|
|
3604
|
-
"risk classification frameworks",
|
|
3605
|
-
"data sensitivity classification schemes",
|
|
3606
|
-
"regulatory compliance matrices"
|
|
3607
|
-
],
|
|
3608
|
-
relatedSafeguards: ["15.1", "15.2"] },
|
|
3609
|
-
"15.4": {
|
|
3610
|
-
id: "15.4",
|
|
3611
|
-
title: "Ensure Service Provider Contracts Include Security Requirements",
|
|
3612
|
-
description: "Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements",
|
|
3613
|
-
implementationGroup: "IG2",
|
|
3614
|
-
assetType: ["Users"],
|
|
3615
|
-
securityFunction: ["Govern"],
|
|
3616
|
-
governanceElements: [ // Orange - MUST be met
|
|
3617
|
-
"ensure service provider contracts include security requirements",
|
|
3618
|
-
"security requirements must be consistent with enterprise's service provider management policy",
|
|
3619
|
-
"review service provider contracts annually to ensure contracts are not missing security requirements"
|
|
3620
|
-
],
|
|
3621
|
-
coreRequirements: [ // Green - The "what"
|
|
3622
|
-
"contract security requirements inclusion",
|
|
3623
|
-
"minimum security program requirements",
|
|
3624
|
-
"security incident and data breach notification requirements",
|
|
3625
|
-
"data encryption requirements",
|
|
3626
|
-
"data disposal commitments"
|
|
3627
|
-
],
|
|
3628
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3629
|
-
"ensure service provider contracts include security requirements",
|
|
3630
|
-
"example requirements may include minimum security program requirements",
|
|
3631
|
-
"security incident and/or data breach notification and response",
|
|
3632
|
-
"data encryption requirements",
|
|
3633
|
-
"data disposal commitments",
|
|
3634
|
-
"security requirements must be consistent with enterprise's service provider management policy",
|
|
3635
|
-
"review service provider contracts annually",
|
|
3636
|
-
"to ensure contracts are not missing security requirements"
|
|
3637
|
-
],
|
|
3638
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3639
|
-
"contract management systems",
|
|
3640
|
-
"service provider management policy",
|
|
3641
|
-
"legal contract templates",
|
|
3642
|
-
"security requirement checklists"
|
|
3643
|
-
],
|
|
3644
|
-
relatedSafeguards: ["15.1", "15.2"] },
|
|
3645
|
-
"15.5": {
|
|
3646
|
-
id: "15.5",
|
|
3647
|
-
title: "Assess Service Providers",
|
|
3648
|
-
description: "Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts",
|
|
3649
|
-
implementationGroup: "IG3",
|
|
3650
|
-
assetType: ["Users"],
|
|
3651
|
-
securityFunction: ["Govern"],
|
|
3652
|
-
governanceElements: [ // Orange - MUST be met
|
|
3653
|
-
"assess service providers consistent with enterprise's service provider management policy",
|
|
3654
|
-
"assessment scope may vary based on classifications and may include SOC 2, PCI AoC, customized questionnaires, or other rigorous processes",
|
|
3655
|
-
"reassess service providers annually at minimum or with new and renewed contracts"
|
|
3656
|
-
],
|
|
3657
|
-
coreRequirements: [ // Green - The "what"
|
|
3658
|
-
"service provider assessment processes",
|
|
3659
|
-
"standardized assessment report reviews",
|
|
3660
|
-
"customized questionnaire assessments",
|
|
3661
|
-
"rigorous assessment methodologies"
|
|
3662
|
-
],
|
|
3663
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3664
|
-
"assess service providers consistent with enterprise's service provider management policy",
|
|
3665
|
-
"assessment scope may vary based on classifications",
|
|
3666
|
-
"may include review of standardized assessment reports",
|
|
3667
|
-
"such as Service Organization Control 2 (SOC 2)",
|
|
3668
|
-
"Payment Card Industry (PCI) Attestation of Compliance (AoC)",
|
|
3669
|
-
"customized questionnaires",
|
|
3670
|
-
"other appropriately rigorous processes",
|
|
3671
|
-
"reassess service providers annually at a minimum",
|
|
3672
|
-
"or with new and renewed contracts"
|
|
3673
|
-
],
|
|
3674
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3675
|
-
"third-party risk management tools",
|
|
3676
|
-
"service provider management policy",
|
|
3677
|
-
"assessment questionnaire platforms",
|
|
3678
|
-
"compliance monitoring systems"
|
|
3679
|
-
],
|
|
3680
|
-
relatedSafeguards: ["15.1", "15.2"] },
|
|
3681
|
-
"15.6": {
|
|
3682
|
-
id: "15.6",
|
|
3683
|
-
title: "Monitor Service Providers",
|
|
3684
|
-
description: "Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring",
|
|
3685
|
-
implementationGroup: "IG3",
|
|
3686
|
-
assetType: ["Data"],
|
|
3687
|
-
securityFunction: ["Govern"],
|
|
3688
|
-
governanceElements: [ // Orange - MUST be met
|
|
3689
|
-
"monitor service providers consistent with enterprise's service provider management policy",
|
|
3690
|
-
"monitoring may include periodic reassessment, release notes monitoring, and dark web monitoring"
|
|
3691
|
-
],
|
|
3692
|
-
coreRequirements: [ // Green - The "what"
|
|
3693
|
-
"service provider monitoring processes",
|
|
3694
|
-
"periodic compliance reassessment",
|
|
3695
|
-
"service provider release notes monitoring",
|
|
3696
|
-
"dark web monitoring"
|
|
3697
|
-
],
|
|
3698
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3699
|
-
"monitor service providers",
|
|
3700
|
-
"consistent with enterprise's service provider management policy",
|
|
3701
|
-
"monitoring may include periodic reassessment of service provider compliance",
|
|
3702
|
-
"monitoring service provider release notes",
|
|
3703
|
-
"dark web monitoring"
|
|
3704
|
-
],
|
|
3705
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3706
|
-
"third-party risk management tools",
|
|
3707
|
-
"service provider management policy",
|
|
3708
|
-
"dark web monitoring services",
|
|
3709
|
-
"compliance monitoring platforms"
|
|
3710
|
-
],
|
|
3711
|
-
relatedSafeguards: ["15.1", "15.2"] },
|
|
3712
|
-
"15.7": {
|
|
3713
|
-
id: "15.7",
|
|
3714
|
-
title: "Securely Decommission Service Providers",
|
|
3715
|
-
description: "Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems",
|
|
3716
|
-
implementationGroup: "IG3",
|
|
3717
|
-
assetType: ["Data"],
|
|
3718
|
-
securityFunction: ["Protect"],
|
|
3719
|
-
governanceElements: [ // Orange - MUST be met
|
|
3720
|
-
"securely decommission service providers",
|
|
3721
|
-
"example considerations include user and service account deactivation, termination of data flows, secure disposal of enterprise data"
|
|
3722
|
-
],
|
|
3723
|
-
coreRequirements: [ // Green - The "what"
|
|
3724
|
-
"secure service provider decommissioning",
|
|
3725
|
-
"user and service account deactivation",
|
|
3726
|
-
"data flow termination",
|
|
3727
|
-
"secure enterprise data disposal"
|
|
3728
|
-
],
|
|
3729
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3730
|
-
"securely decommission service providers",
|
|
3731
|
-
"example considerations include user and service account deactivation",
|
|
3732
|
-
"termination of data flows",
|
|
3733
|
-
"secure disposal of enterprise data within service provider systems"
|
|
3734
|
-
],
|
|
3735
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3736
|
-
"service provider management policy",
|
|
3737
|
-
"data destruction procedures",
|
|
3738
|
-
"account deactivation processes",
|
|
3739
|
-
"secure decommissioning checklists"
|
|
3740
|
-
],
|
|
3741
|
-
relatedSafeguards: ["15.1", "15.2"] },
|
|
3742
|
-
"16.1": {
|
|
3743
|
-
id: "16.1",
|
|
3744
|
-
title: "Establish and Maintain a Secure Application Development Process",
|
|
3745
|
-
description: "Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
3746
|
-
implementationGroup: "IG2",
|
|
3747
|
-
assetType: ["Software"],
|
|
3748
|
-
securityFunction: ["Govern"],
|
|
3749
|
-
governanceElements: [ // Orange - MUST be met
|
|
3750
|
-
"establish and maintain a secure application development process",
|
|
3751
|
-
"review and update documentation annually or when significant enterprise changes occur that could impact this safeguard"
|
|
3752
|
-
],
|
|
3753
|
-
coreRequirements: [ // Green - The "what"
|
|
3754
|
-
"secure application development process",
|
|
3755
|
-
"secure application design standards",
|
|
3756
|
-
"secure coding practices",
|
|
3757
|
-
"developer training",
|
|
3758
|
-
"vulnerability management",
|
|
3759
|
-
"security of third-party code",
|
|
3760
|
-
"application security testing procedures"
|
|
3761
|
-
],
|
|
3762
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3763
|
-
"address such items as secure application design standards",
|
|
3764
|
-
"address such items as secure coding practices",
|
|
3765
|
-
"address such items as developer training",
|
|
3766
|
-
"address such items as vulnerability management",
|
|
3767
|
-
"address such items as security of third-party code",
|
|
3768
|
-
"address such items as application security testing procedures",
|
|
3769
|
-
"review and update documentation annually",
|
|
3770
|
-
"when significant enterprise changes occur"
|
|
3771
|
-
],
|
|
3772
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3773
|
-
"secure development lifecycle (SDLC) frameworks",
|
|
3774
|
-
"application security policies",
|
|
3775
|
-
"development process documentation",
|
|
3776
|
-
"security training programs for developers"
|
|
3777
|
-
],
|
|
3778
|
-
relatedSafeguards: ["16.2", "16.3", "16.4", "16.5", "16.6", "16.7", "16.8", "16.9", "16.10", "16.11", "16.12", "16.13", "16.14"] },
|
|
3779
|
-
"16.2": {
|
|
3780
|
-
id: "16.2",
|
|
3781
|
-
title: "Establish and Maintain a Process to Accept and Address Software Vulnerabilities",
|
|
3782
|
-
description: "Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders",
|
|
3783
|
-
implementationGroup: "IG2",
|
|
3784
|
-
assetType: ["Software"],
|
|
3785
|
-
securityFunction: ["Govern"],
|
|
3786
|
-
governanceElements: [ // Orange - MUST be met
|
|
3787
|
-
"establish and maintain a process to accept and address reports of software vulnerabilities",
|
|
3788
|
-
"provide a means for external entities to report vulnerabilities",
|
|
3789
|
-
"review and update documentation annually or when significant enterprise changes occur that could impact this safeguard"
|
|
3790
|
-
],
|
|
3791
|
-
coreRequirements: [ // Green - The "what"
|
|
3792
|
-
"process to accept and address software vulnerabilities",
|
|
3793
|
-
"vulnerability handling policy",
|
|
3794
|
-
"reporting process",
|
|
3795
|
-
"responsible party for handling vulnerability reports",
|
|
3796
|
-
"process for intake, assignment, remediation, and remediation testing",
|
|
3797
|
-
"vulnerability tracking system",
|
|
3798
|
-
"severity ratings",
|
|
3799
|
-
"metrics for measuring timing"
|
|
3800
|
-
],
|
|
3801
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3802
|
-
"vulnerability handling policy that identifies reporting process",
|
|
3803
|
-
"process for intake",
|
|
3804
|
-
"process for assignment",
|
|
3805
|
-
"process for remediation",
|
|
3806
|
-
"process for remediation testing",
|
|
3807
|
-
"vulnerability tracking system that includes severity ratings",
|
|
3808
|
-
"metrics for measuring timing for identification of vulnerabilities",
|
|
3809
|
-
"metrics for measuring timing for analysis of vulnerabilities",
|
|
3810
|
-
"metrics for measuring timing for remediation of vulnerabilities",
|
|
3811
|
-
"externally-facing policy that helps to set expectations for outside stakeholders"
|
|
3812
|
-
],
|
|
3813
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3814
|
-
"vulnerability disclosure platforms",
|
|
3815
|
-
"bug bounty programs",
|
|
3816
|
-
"vulnerability management systems",
|
|
3817
|
-
"incident response tools"
|
|
3818
|
-
],
|
|
3819
|
-
relatedSafeguards: ["16.1", "16.3", "16.6"] },
|
|
3820
|
-
"16.3": {
|
|
3821
|
-
id: "16.3",
|
|
3822
|
-
title: "Perform Root Cause Analysis on Security Vulnerabilities",
|
|
3823
|
-
description: "Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise",
|
|
3824
|
-
implementationGroup: "IG2",
|
|
3825
|
-
assetType: ["Software"],
|
|
3826
|
-
securityFunction: ["Protect"],
|
|
3827
|
-
governanceElements: [ // Orange - MUST be met
|
|
3828
|
-
"perform root cause analysis on security vulnerabilities"
|
|
3829
|
-
],
|
|
3830
|
-
coreRequirements: [ // Green - The "what"
|
|
3831
|
-
"root cause analysis on security vulnerabilities",
|
|
3832
|
-
"evaluating underlying issues that create vulnerabilities in code"
|
|
3833
|
-
],
|
|
3834
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3835
|
-
"when reviewing vulnerabilities",
|
|
3836
|
-
"root cause analysis is the task of evaluating underlying issues",
|
|
3837
|
-
"allows development teams to move beyond just fixing individual vulnerabilities as they arise"
|
|
3838
|
-
],
|
|
3839
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3840
|
-
"code analysis tools",
|
|
3841
|
-
"vulnerability assessment platforms",
|
|
3842
|
-
"development team training on root cause analysis",
|
|
3843
|
-
"systematic vulnerability review processes"
|
|
3844
|
-
],
|
|
3845
|
-
relatedSafeguards: ["16.1", "16.2"] },
|
|
3846
|
-
"16.4": {
|
|
3847
|
-
id: "16.4",
|
|
3848
|
-
title: "Establish and Manage an Inventory of Third-Party Software Components",
|
|
3849
|
-
description: "Establish and manage an updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported",
|
|
3850
|
-
implementationGroup: "IG2",
|
|
3851
|
-
assetType: ["Software"],
|
|
3852
|
-
securityFunction: ["Identify"],
|
|
3853
|
-
governanceElements: [ // Orange - MUST be met
|
|
3854
|
-
"establish and manage an updated inventory of third-party components used in development",
|
|
3855
|
-
"evaluate the list at least monthly to identify any changes or updates to these components and validate that the component is still supported"
|
|
3856
|
-
],
|
|
3857
|
-
coreRequirements: [ // Green - The "what"
|
|
3858
|
-
"updated inventory of third-party components",
|
|
3859
|
-
"bill of materials",
|
|
3860
|
-
"components slated for future use",
|
|
3861
|
-
"risks that each third-party component could pose",
|
|
3862
|
-
"monthly evaluation",
|
|
3863
|
-
"component support validation"
|
|
3864
|
-
],
|
|
3865
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3866
|
-
"third-party components used in development",
|
|
3867
|
-
"often referred to as bill of materials",
|
|
3868
|
-
"components slated for future use",
|
|
3869
|
-
"any risks that each third-party component could pose",
|
|
3870
|
-
"identify any changes or updates to these components",
|
|
3871
|
-
"validate that the component is still supported"
|
|
3872
|
-
],
|
|
3873
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3874
|
-
"software composition analysis (SCA) tools",
|
|
3875
|
-
"dependency management systems",
|
|
3876
|
-
"component vulnerability databases",
|
|
3877
|
-
"automated inventory tracking tools"
|
|
3878
|
-
],
|
|
3879
|
-
relatedSafeguards: ["16.1", "16.5"] },
|
|
3880
|
-
"16.5": {
|
|
3881
|
-
id: "16.5",
|
|
3882
|
-
title: "Use Up-to-Date and Trusted Third-Party Software Components",
|
|
3883
|
-
description: "Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use",
|
|
3884
|
-
implementationGroup: "IG2",
|
|
3885
|
-
assetType: ["Software"],
|
|
3886
|
-
securityFunction: ["Protect"],
|
|
3887
|
-
governanceElements: [ // Orange - MUST be met
|
|
3888
|
-
"use up-to-date and trusted third-party software components"
|
|
3889
|
-
],
|
|
3890
|
-
coreRequirements: [ // Green - The "what"
|
|
3891
|
-
"up-to-date third-party software components",
|
|
3892
|
-
"trusted third-party software components",
|
|
3893
|
-
"established and proven frameworks and libraries",
|
|
3894
|
-
"adequate security",
|
|
3895
|
-
"trusted sources",
|
|
3896
|
-
"vulnerability evaluation before use"
|
|
3897
|
-
],
|
|
3898
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3899
|
-
"when possible choose established and proven frameworks and libraries",
|
|
3900
|
-
"that provide adequate security",
|
|
3901
|
-
"acquire these components from trusted sources",
|
|
3902
|
-
"evaluate the software for vulnerabilities before use"
|
|
3903
|
-
],
|
|
3904
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3905
|
-
"software composition analysis (SCA) tools",
|
|
3906
|
-
"trusted software repositories",
|
|
3907
|
-
"vulnerability scanning tools",
|
|
3908
|
-
"component security assessment processes"
|
|
3909
|
-
],
|
|
3910
|
-
relatedSafeguards: ["16.1", "16.4", "16.11", "7.1"] },
|
|
3911
|
-
"16.6": {
|
|
3912
|
-
id: "16.6",
|
|
3913
|
-
title: "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities",
|
|
3914
|
-
description: "Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually",
|
|
3915
|
-
implementationGroup: "IG2",
|
|
3916
|
-
assetType: ["Software"],
|
|
3917
|
-
securityFunction: ["Govern"],
|
|
3918
|
-
governanceElements: [ // Orange - MUST be met
|
|
3919
|
-
"establish and maintain a severity rating system and process for application vulnerabilities",
|
|
3920
|
-
"review and update the system and process annually"
|
|
3921
|
-
],
|
|
3922
|
-
coreRequirements: [ // Green - The "what"
|
|
3923
|
-
"severity rating system",
|
|
3924
|
-
"process for application vulnerabilities",
|
|
3925
|
-
"prioritizing the order in which discovered vulnerabilities are fixed",
|
|
3926
|
-
"minimum level of security acceptability for releasing code or applications",
|
|
3927
|
-
"systematic way of triaging vulnerabilities"
|
|
3928
|
-
],
|
|
3929
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3930
|
-
"facilitates prioritizing the order in which discovered vulnerabilities are fixed",
|
|
3931
|
-
"setting a minimum level of security acceptability for releasing code or applications",
|
|
3932
|
-
"severity ratings bring a systematic way of triaging vulnerabilities",
|
|
3933
|
-
"improves risk management",
|
|
3934
|
-
"helps ensure the most severe bugs are fixed first"
|
|
3935
|
-
],
|
|
3936
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3937
|
-
"CVSS scoring systems",
|
|
3938
|
-
"vulnerability management platforms",
|
|
3939
|
-
"risk assessment frameworks",
|
|
3940
|
-
"prioritization workflows"
|
|
3941
|
-
],
|
|
3942
|
-
relatedSafeguards: ["16.1", "16.2"] },
|
|
3943
|
-
"16.7": {
|
|
3944
|
-
id: "16.7",
|
|
3945
|
-
title: "Use Standard Hardening Configuration Templates for Application Infrastructure",
|
|
3946
|
-
description: "Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening",
|
|
3947
|
-
implementationGroup: "IG2",
|
|
3948
|
-
assetType: ["Software"],
|
|
3949
|
-
securityFunction: ["Protect"],
|
|
3950
|
-
governanceElements: [ // Orange - MUST be met
|
|
3951
|
-
"use standard, industry-recommended hardening configuration templates for application infrastructure components",
|
|
3952
|
-
"do not allow in-house developed software to weaken configuration hardening"
|
|
3953
|
-
],
|
|
3954
|
-
coreRequirements: [ // Green - The "what"
|
|
3955
|
-
"standard hardening configuration templates",
|
|
3956
|
-
"application infrastructure components",
|
|
3957
|
-
"underlying servers",
|
|
3958
|
-
"databases",
|
|
3959
|
-
"web servers",
|
|
3960
|
-
"cloud containers",
|
|
3961
|
-
"Platform as a Service (PaaS) components",
|
|
3962
|
-
"SaaS components"
|
|
3963
|
-
],
|
|
3964
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3965
|
-
"industry-recommended hardening configuration templates",
|
|
3966
|
-
"includes underlying servers, databases, and web servers",
|
|
3967
|
-
"applies to cloud containers",
|
|
3968
|
-
"applies to Platform as a Service (PaaS) components",
|
|
3969
|
-
"applies to SaaS components"
|
|
3970
|
-
],
|
|
3971
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3972
|
-
"configuration baseline tools",
|
|
3973
|
-
"infrastructure as code (IaC) templates",
|
|
3974
|
-
"security hardening guides",
|
|
3975
|
-
"automated configuration management"
|
|
3976
|
-
],
|
|
3977
|
-
relatedSafeguards: ["16.1"] },
|
|
3978
|
-
"16.8": {
|
|
3979
|
-
id: "16.8",
|
|
3980
|
-
title: "Separate Production and Non-Production Systems",
|
|
3981
|
-
description: "Maintain separate environments for production and non-production systems",
|
|
3982
|
-
implementationGroup: "IG2",
|
|
3983
|
-
assetType: ["network"],
|
|
3984
|
-
securityFunction: ["Protect"],
|
|
3985
|
-
governanceElements: [ // Orange - MUST be met
|
|
3986
|
-
"maintain separate environments for production and non-production systems"
|
|
3987
|
-
],
|
|
3988
|
-
coreRequirements: [ // Green - The "what"
|
|
3989
|
-
"separate environments",
|
|
3990
|
-
"production systems",
|
|
3991
|
-
"non-production systems"
|
|
3992
|
-
],
|
|
3993
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
3994
|
-
"separate environments for production systems",
|
|
3995
|
-
"separate environments for non-production systems"
|
|
3996
|
-
],
|
|
3997
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
3998
|
-
"network segmentation tools",
|
|
3999
|
-
"environment isolation technologies",
|
|
4000
|
-
"access control systems",
|
|
4001
|
-
"deployment pipeline controls"
|
|
4002
|
-
],
|
|
4003
|
-
relatedSafeguards: ["16.1"] },
|
|
4004
|
-
"16.9": {
|
|
4005
|
-
id: "16.9",
|
|
4006
|
-
title: "Train Developers in Application Security Concepts and Secure Coding",
|
|
4007
|
-
description: "Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers",
|
|
4008
|
-
implementationGroup: "IG2",
|
|
4009
|
-
assetType: ["Users"],
|
|
4010
|
-
securityFunction: ["Protect"],
|
|
4011
|
-
governanceElements: [ // Orange - MUST be met
|
|
4012
|
-
"ensure that all software development personnel receive training in writing secure code",
|
|
4013
|
-
"conduct training at least annually"
|
|
4014
|
-
],
|
|
4015
|
-
coreRequirements: [ // Green - The "what"
|
|
4016
|
-
"training in writing secure code",
|
|
4017
|
-
"specific development environment and responsibilities",
|
|
4018
|
-
"general security principles",
|
|
4019
|
-
"application security standard practices",
|
|
4020
|
-
"promote security within the development team",
|
|
4021
|
-
"build a culture of security among the developers"
|
|
4022
|
-
],
|
|
4023
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4024
|
-
"all software development personnel receive training",
|
|
4025
|
-
"for their specific development environment and responsibilities",
|
|
4026
|
-
"training can include general security principles",
|
|
4027
|
-
"training can include application security standard practices",
|
|
4028
|
-
"design in a way to promote security within the development team",
|
|
4029
|
-
"build a culture of security among the developers"
|
|
4030
|
-
],
|
|
4031
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4032
|
-
"security training and awareness tools",
|
|
4033
|
-
"secure coding training programs",
|
|
4034
|
-
"developer security certifications",
|
|
4035
|
-
"hands-on security workshops"
|
|
4036
|
-
],
|
|
4037
|
-
relatedSafeguards: ["16.1", "14.1", "14.9"] },
|
|
4038
|
-
"16.10": {
|
|
4039
|
-
id: "16.10",
|
|
4040
|
-
title: "Apply Secure Design Principles in Application Architectures",
|
|
4041
|
-
description: "Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\" Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts",
|
|
4042
|
-
implementationGroup: "IG2",
|
|
4043
|
-
assetType: ["Software"],
|
|
4044
|
-
securityFunction: ["Protect"],
|
|
4045
|
-
governanceElements: [ // Orange - MUST be met
|
|
4046
|
-
"apply secure design principles in application architectures"
|
|
4047
|
-
],
|
|
4048
|
-
coreRequirements: [ // Green - The "what"
|
|
4049
|
-
"secure design principles",
|
|
4050
|
-
"concept of least privilege",
|
|
4051
|
-
"enforcing mediation to validate every operation",
|
|
4052
|
-
"never trust user input",
|
|
4053
|
-
"explicit error checking for all input",
|
|
4054
|
-
"minimizing the application infrastructure attack surface"
|
|
4055
|
-
],
|
|
4056
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4057
|
-
"concept of least privilege",
|
|
4058
|
-
"enforcing mediation",
|
|
4059
|
-
"validate every operation that the user makes",
|
|
4060
|
-
"promoting the concept of never trust user input",
|
|
4061
|
-
"ensuring that explicit error checking is performed and documented for all input",
|
|
4062
|
-
"including for size, data type, and acceptable ranges or formats",
|
|
4063
|
-
"turning off unprotected ports and services",
|
|
4064
|
-
"removing unnecessary programs and files",
|
|
4065
|
-
"renaming or removing default accounts"
|
|
4066
|
-
],
|
|
4067
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4068
|
-
"secure architecture frameworks",
|
|
4069
|
-
"input validation libraries",
|
|
4070
|
-
"access control systems",
|
|
4071
|
-
"security design patterns"
|
|
4072
|
-
],
|
|
4073
|
-
relatedSafeguards: ["16.1"] },
|
|
4074
|
-
"16.11": {
|
|
4075
|
-
id: "16.11",
|
|
4076
|
-
title: "Leverage Vetted Modules or Services for Application Security Components",
|
|
4077
|
-
description: "Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs",
|
|
4078
|
-
implementationGroup: "IG2",
|
|
4079
|
-
assetType: ["Software"],
|
|
4080
|
-
securityFunction: ["Identify"],
|
|
4081
|
-
governanceElements: [ // Orange - MUST be met
|
|
4082
|
-
"leverage vetted modules or services for application security components",
|
|
4083
|
-
"use only standardized, currently accepted, and extensively reviewed encryption algorithms"
|
|
4084
|
-
],
|
|
4085
|
-
coreRequirements: [ // Green - The "what"
|
|
4086
|
-
"vetted modules or services",
|
|
4087
|
-
"application security components",
|
|
4088
|
-
"identity management",
|
|
4089
|
-
"encryption",
|
|
4090
|
-
"auditing and logging",
|
|
4091
|
-
"platform features in critical security functions",
|
|
4092
|
-
"identification, authentication, and authorization mechanisms",
|
|
4093
|
-
"secure audit logs"
|
|
4094
|
-
],
|
|
4095
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4096
|
-
"such as identity management, encryption, and auditing and logging",
|
|
4097
|
-
"using platform features in critical security functions will reduce developers' workload",
|
|
4098
|
-
"minimize the likelihood of design or implementation errors",
|
|
4099
|
-
"modern operating systems provide effective mechanisms for identification, authentication, and authorization",
|
|
4100
|
-
"make those mechanisms available to applications",
|
|
4101
|
-
"operating systems also provide mechanisms to create and maintain secure audit logs"
|
|
4102
|
-
],
|
|
4103
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4104
|
-
"established security libraries",
|
|
4105
|
-
"platform security services",
|
|
4106
|
-
"cryptographic modules",
|
|
4107
|
-
"operating system security features"
|
|
4108
|
-
],
|
|
4109
|
-
relatedSafeguards: ["16.1", "16.5"] },
|
|
4110
|
-
"16.12": {
|
|
4111
|
-
id: "16.12",
|
|
4112
|
-
title: "Implement Code-Level Security Checks",
|
|
4113
|
-
description: "Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed",
|
|
4114
|
-
implementationGroup: "IG3",
|
|
4115
|
-
assetType: ["Software"],
|
|
4116
|
-
securityFunction: ["Protect"],
|
|
4117
|
-
governanceElements: [ // Orange - MUST be met
|
|
4118
|
-
"apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed"
|
|
4119
|
-
],
|
|
4120
|
-
coreRequirements: [ // Green - The "what"
|
|
4121
|
-
"static analysis tools",
|
|
4122
|
-
"dynamic analysis tools",
|
|
4123
|
-
"application life cycle",
|
|
4124
|
-
"secure coding practices verification"
|
|
4125
|
-
],
|
|
4126
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4127
|
-
"apply static analysis tools within the application life cycle",
|
|
4128
|
-
"apply dynamic analysis tools within the application life cycle",
|
|
4129
|
-
"verify that secure coding practices are being followed"
|
|
4130
|
-
],
|
|
4131
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4132
|
-
"code analysis tools",
|
|
4133
|
-
"static application security testing (SAST)",
|
|
4134
|
-
"dynamic application security testing (DAST)",
|
|
4135
|
-
"interactive application security testing (IAST)"
|
|
4136
|
-
],
|
|
4137
|
-
relatedSafeguards: ["16.1"] },
|
|
4138
|
-
"16.13": {
|
|
4139
|
-
id: "16.13",
|
|
4140
|
-
title: "Conduct Application Penetration Testing",
|
|
4141
|
-
description: "Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user",
|
|
4142
|
-
implementationGroup: "IG3",
|
|
4143
|
-
assetType: ["Software"],
|
|
4144
|
-
securityFunction: ["Detect"],
|
|
4145
|
-
governanceElements: [ // Orange - MUST be met
|
|
4146
|
-
"conduct application penetration testing"
|
|
4147
|
-
],
|
|
4148
|
-
coreRequirements: [ // Green - The "what"
|
|
4149
|
-
"application penetration testing",
|
|
4150
|
-
"authenticated penetration testing for critical applications",
|
|
4151
|
-
"business logic vulnerabilities",
|
|
4152
|
-
"manual manipulation of application",
|
|
4153
|
-
"authenticated and unauthenticated user testing"
|
|
4154
|
-
],
|
|
4155
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4156
|
-
"for critical applications",
|
|
4157
|
-
"authenticated penetration testing is better suited to finding business logic vulnerabilities",
|
|
4158
|
-
"than code scanning and automated security testing",
|
|
4159
|
-
"penetration testing relies on the skill of the tester",
|
|
4160
|
-
"to manually manipulate an application as an authenticated and unauthenticated user"
|
|
4161
|
-
],
|
|
4162
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4163
|
-
"application security testing tools",
|
|
4164
|
-
"penetration testing frameworks",
|
|
4165
|
-
"security testing methodologies",
|
|
4166
|
-
"skilled penetration testers"
|
|
4167
|
-
],
|
|
4168
|
-
relatedSafeguards: ["16.1"] },
|
|
4169
|
-
"16.14": {
|
|
4170
|
-
id: "16.14",
|
|
4171
|
-
title: "Conduct Threat Modeling",
|
|
4172
|
-
description: "Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses",
|
|
4173
|
-
implementationGroup: "IG3",
|
|
4174
|
-
assetType: ["Software"],
|
|
4175
|
-
securityFunction: ["Protect"],
|
|
4176
|
-
governanceElements: [ // Orange - MUST be met
|
|
4177
|
-
"conduct threat modeling"
|
|
4178
|
-
],
|
|
4179
|
-
coreRequirements: [ // Green - The "what"
|
|
4180
|
-
"threat modeling",
|
|
4181
|
-
"identifying and addressing application security design flaws",
|
|
4182
|
-
"before code is created",
|
|
4183
|
-
"specially trained individuals",
|
|
4184
|
-
"evaluate application design",
|
|
4185
|
-
"gauge security risks for each entry point and access level",
|
|
4186
|
-
"map out the application, architecture, and infrastructure"
|
|
4187
|
-
],
|
|
4188
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4189
|
-
"threat modeling is the process of identifying and addressing application security design flaws within a design",
|
|
4190
|
-
"before code is created",
|
|
4191
|
-
"conducted through specially trained individuals",
|
|
4192
|
-
"who evaluate the application design and gauge security risks",
|
|
4193
|
-
"for each entry point and access level",
|
|
4194
|
-
"the goal is to map out the application, architecture, and infrastructure in a structured way",
|
|
4195
|
-
"to understand its weaknesses"
|
|
4196
|
-
],
|
|
4197
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4198
|
-
"threat modeling frameworks",
|
|
4199
|
-
"security design review processes",
|
|
4200
|
-
"threat modeling tools",
|
|
4201
|
-
"security architecture documentation"
|
|
4202
|
-
],
|
|
4203
|
-
relatedSafeguards: ["16.1"] },
|
|
4204
|
-
"17.1": {
|
|
4205
|
-
id: "17.1",
|
|
4206
|
-
title: "Designate Personnel to Manage Incident Handling",
|
|
4207
|
-
description: "Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
4208
|
-
implementationGroup: "IG1",
|
|
4209
|
-
assetType: ["Users"],
|
|
4210
|
-
securityFunction: ["Respond"],
|
|
4211
|
-
governanceElements: [ // Orange - MUST be met
|
|
4212
|
-
"designate one key person and at least one backup who will manage the enterprise's incident handling process",
|
|
4213
|
-
"review annually or when significant enterprise changes occur that could impact this safeguard"
|
|
4214
|
-
],
|
|
4215
|
-
coreRequirements: [ // Green - The "what"
|
|
4216
|
-
"one key person to manage incident handling",
|
|
4217
|
-
"at least one backup person",
|
|
4218
|
-
"coordination of incident response and recovery efforts",
|
|
4219
|
-
"documentation of incident response and recovery efforts",
|
|
4220
|
-
"management personnel for incident handling process"
|
|
4221
|
-
],
|
|
4222
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4223
|
-
"management personnel are responsible for coordination and documentation",
|
|
4224
|
-
"can consist of employees internal to the enterprise",
|
|
4225
|
-
"can consist of service providers",
|
|
4226
|
-
"can consist of a hybrid approach",
|
|
4227
|
-
"if using a service provider, designate at least one person internal to the enterprise to oversee any third-party work"
|
|
4228
|
-
],
|
|
4229
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4230
|
-
"incident response team structures",
|
|
4231
|
-
"incident management roles and responsibilities",
|
|
4232
|
-
"coordination tools and processes",
|
|
4233
|
-
"documentation templates"
|
|
4234
|
-
],
|
|
4235
|
-
relatedSafeguards: ["17.4"] },
|
|
4236
|
-
"17.2": {
|
|
4237
|
-
id: "17.2",
|
|
4238
|
-
title: "Establish and Maintain Contact Information for Reporting Security Incidents",
|
|
4239
|
-
description: "Establish and maintain contact information for reporting security incidents. This information must be available to all workforce members and should include various contact methods (e.g., phone, email) and be regularly updated. Consider the availability of these contact methods in different circumstances, such as when primary communication systems are compromised",
|
|
4240
|
-
implementationGroup: "IG1",
|
|
4241
|
-
assetType: ["Users"],
|
|
4242
|
-
securityFunction: ["Respond"],
|
|
4243
|
-
governanceElements: [ // Orange - MUST be met
|
|
4244
|
-
"establish and maintain contact information for reporting security incidents",
|
|
4245
|
-
"information must be available to all workforce members"
|
|
4246
|
-
],
|
|
4247
|
-
coreRequirements: [ // Green - The "what"
|
|
4248
|
-
"contact information for reporting security incidents",
|
|
4249
|
-
"available to all workforce members",
|
|
4250
|
-
"various contact methods",
|
|
4251
|
-
"regularly updated contact information"
|
|
4252
|
-
],
|
|
4253
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4254
|
-
"should include various contact methods (e.g., phone, email)",
|
|
4255
|
-
"be regularly updated",
|
|
4256
|
-
"consider the availability of these contact methods in different circumstances",
|
|
4257
|
-
"such as when primary communication systems are compromised"
|
|
4258
|
-
],
|
|
4259
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4260
|
-
"incident reporting hotlines",
|
|
4261
|
-
"emergency contact lists",
|
|
4262
|
-
"multiple communication channels",
|
|
4263
|
-
"contact information distribution methods"
|
|
4264
|
-
],
|
|
4265
|
-
relatedSafeguards: ["17.3", "17.4"] },
|
|
4266
|
-
"17.3": {
|
|
4267
|
-
id: "17.3",
|
|
4268
|
-
title: "Establish and Maintain an Enterprise Process for Reporting Incidents",
|
|
4269
|
-
description: "Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
4270
|
-
implementationGroup: "IG1",
|
|
4271
|
-
assetType: ["Users"],
|
|
4272
|
-
securityFunction: ["Govern"],
|
|
4273
|
-
governanceElements: [ // Orange - MUST be met
|
|
4274
|
-
"establish and maintain a documented enterprise process for the workforce to report security incidents",
|
|
4275
|
-
"ensure the process is publicly available to all of the workforce",
|
|
4276
|
-
"review annually or when significant enterprise changes occur that could impact this safeguard"
|
|
4277
|
-
],
|
|
4278
|
-
coreRequirements: [ // Green - The "what"
|
|
4279
|
-
"documented enterprise process for reporting incidents",
|
|
4280
|
-
"reporting timeframe",
|
|
4281
|
-
"personnel to report to",
|
|
4282
|
-
"mechanism for reporting",
|
|
4283
|
-
"minimum information to be reported"
|
|
4284
|
-
],
|
|
4285
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4286
|
-
"the process includes reporting timeframe",
|
|
4287
|
-
"the process includes personnel to report to",
|
|
4288
|
-
"the process includes mechanism for reporting",
|
|
4289
|
-
"the process includes the minimum information to be reported"
|
|
4290
|
-
],
|
|
4291
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4292
|
-
"incident reporting procedures",
|
|
4293
|
-
"reporting forms and templates",
|
|
4294
|
-
"workforce training materials",
|
|
4295
|
-
"process communication methods"
|
|
4296
|
-
],
|
|
4297
|
-
relatedSafeguards: ["17.2", "17.4", "14.6"] },
|
|
4298
|
-
"17.4": {
|
|
4299
|
-
id: "17.4",
|
|
4300
|
-
title: "Establish and Maintain an Incident Response Process",
|
|
4301
|
-
description: "Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
4302
|
-
implementationGroup: "IG2",
|
|
4303
|
-
assetType: ["Users"],
|
|
4304
|
-
securityFunction: ["Govern"],
|
|
4305
|
-
governanceElements: [ // Orange - MUST be met
|
|
4306
|
-
"establish and maintain a documented incident response process",
|
|
4307
|
-
"review annually or when significant enterprise changes occur that could impact this safeguard"
|
|
4308
|
-
],
|
|
4309
|
-
coreRequirements: [ // Green - The "what"
|
|
4310
|
-
"documented incident response process",
|
|
4311
|
-
"roles and responsibilities",
|
|
4312
|
-
"compliance requirements",
|
|
4313
|
-
"communication plan"
|
|
4314
|
-
],
|
|
4315
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4316
|
-
"that addresses roles and responsibilities",
|
|
4317
|
-
"that addresses compliance requirements",
|
|
4318
|
-
"that addresses a communication plan"
|
|
4319
|
-
],
|
|
4320
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4321
|
-
"incident response playbooks",
|
|
4322
|
-
"process documentation templates",
|
|
4323
|
-
"compliance frameworks",
|
|
4324
|
-
"communication protocols"
|
|
4325
|
-
],
|
|
4326
|
-
relatedSafeguards: ["17.1", "17.3", "17.5", "17.6", "17.7", "17.8", "17.9"] },
|
|
4327
|
-
"17.5": {
|
|
4328
|
-
id: "17.5",
|
|
4329
|
-
title: "Assign Key Roles and Responsibilities",
|
|
4330
|
-
description: "Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
4331
|
-
implementationGroup: "IG2",
|
|
4332
|
-
assetType: ["Users"],
|
|
4333
|
-
securityFunction: ["Respond"],
|
|
4334
|
-
governanceElements: [ // Orange - MUST be met
|
|
4335
|
-
"assign key roles and responsibilities for incident response",
|
|
4336
|
-
"review annually or when significant enterprise changes occur that could impact this safeguard"
|
|
4337
|
-
],
|
|
4338
|
-
coreRequirements: [ // Green - The "what"
|
|
4339
|
-
"key roles and responsibilities for incident response",
|
|
4340
|
-
"staff from legal",
|
|
4341
|
-
"staff from IT",
|
|
4342
|
-
"staff from information security",
|
|
4343
|
-
"staff from facilities",
|
|
4344
|
-
"staff from public relations",
|
|
4345
|
-
"staff from human resources",
|
|
4346
|
-
"incident responders",
|
|
4347
|
-
"analysts"
|
|
4348
|
-
],
|
|
4349
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4350
|
-
"including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts"
|
|
4351
|
-
],
|
|
4352
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4353
|
-
"incident response team structures",
|
|
4354
|
-
"role definition templates",
|
|
4355
|
-
"responsibility matrices",
|
|
4356
|
-
"cross-functional team coordination"
|
|
4357
|
-
],
|
|
4358
|
-
relatedSafeguards: ["17.4"] },
|
|
4359
|
-
"17.6": {
|
|
4360
|
-
id: "17.6",
|
|
4361
|
-
title: "Define Mechanisms for Communicating During Incident Response",
|
|
4362
|
-
description: "Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
4363
|
-
implementationGroup: "IG2",
|
|
4364
|
-
assetType: ["Users"],
|
|
4365
|
-
securityFunction: ["Respond"],
|
|
4366
|
-
governanceElements: [ // Orange - MUST be met
|
|
4367
|
-
"determine which primary and secondary mechanisms will be used to communicate and report during a security incident",
|
|
4368
|
-
"review annually or when significant enterprise changes occur that could impact this safeguard"
|
|
4369
|
-
],
|
|
4370
|
-
coreRequirements: [ // Green - The "what"
|
|
4371
|
-
"primary mechanisms for communicating during incident response",
|
|
4372
|
-
"secondary mechanisms for communicating during incident response",
|
|
4373
|
-
"mechanisms to communicate during security incident",
|
|
4374
|
-
"mechanisms to report during security incident"
|
|
4375
|
-
],
|
|
4376
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4377
|
-
"mechanisms can include phone calls",
|
|
4378
|
-
"mechanisms can include emails",
|
|
4379
|
-
"mechanisms can include secure chat",
|
|
4380
|
-
"mechanisms can include notification letters",
|
|
4381
|
-
"keep in mind that certain mechanisms, such as emails, can be affected during a security incident"
|
|
4382
|
-
],
|
|
4383
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4384
|
-
"communication platforms",
|
|
4385
|
-
"backup communication methods",
|
|
4386
|
-
"secure messaging systems",
|
|
4387
|
-
"notification systems"
|
|
4388
|
-
],
|
|
4389
|
-
relatedSafeguards: ["17.4"] },
|
|
4390
|
-
"17.7": {
|
|
4391
|
-
id: "17.7",
|
|
4392
|
-
title: "Conduct Routine Incident Response Exercises",
|
|
4393
|
-
description: "Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum",
|
|
4394
|
-
implementationGroup: "IG2",
|
|
4395
|
-
assetType: ["Users"],
|
|
4396
|
-
securityFunction: ["Recover"],
|
|
4397
|
-
governanceElements: [ // Orange - MUST be met
|
|
4398
|
-
"plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process",
|
|
4399
|
-
"conduct testing on an annual basis, at a minimum"
|
|
4400
|
-
],
|
|
4401
|
-
coreRequirements: [ // Green - The "what"
|
|
4402
|
-
"routine incident response exercises",
|
|
4403
|
-
"scenarios for key personnel",
|
|
4404
|
-
"prepare for responding to real-world incidents",
|
|
4405
|
-
"test communication channels",
|
|
4406
|
-
"test decision-making",
|
|
4407
|
-
"test workflows"
|
|
4408
|
-
],
|
|
4409
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4410
|
-
"key personnel involved in the incident response process",
|
|
4411
|
-
"to prepare for responding to real-world incidents",
|
|
4412
|
-
"exercises need to test communication channels, decision-making, and workflows"
|
|
4413
|
-
],
|
|
4414
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4415
|
-
"tabletop exercises",
|
|
4416
|
-
"simulation scenarios",
|
|
4417
|
-
"exercise planning frameworks",
|
|
4418
|
-
"testing schedules and protocols"
|
|
4419
|
-
],
|
|
4420
|
-
relatedSafeguards: ["17.4"] },
|
|
4421
|
-
"17.8": {
|
|
4422
|
-
id: "17.8",
|
|
4423
|
-
title: "Conduct Post-Incident Reviews",
|
|
4424
|
-
description: "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action",
|
|
4425
|
-
implementationGroup: "IG2",
|
|
4426
|
-
assetType: ["Users"],
|
|
4427
|
-
securityFunction: ["Recover"],
|
|
4428
|
-
governanceElements: [ // Orange - MUST be met
|
|
4429
|
-
"conduct post-incident reviews"
|
|
4430
|
-
],
|
|
4431
|
-
coreRequirements: [ // Green - The "what"
|
|
4432
|
-
"post-incident reviews",
|
|
4433
|
-
"prevent incident recurrence",
|
|
4434
|
-
"identifying lessons learned",
|
|
4435
|
-
"follow-up action"
|
|
4436
|
-
],
|
|
4437
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4438
|
-
"post-incident reviews help prevent incident recurrence",
|
|
4439
|
-
"through identifying lessons learned and follow-up action"
|
|
4440
|
-
],
|
|
4441
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4442
|
-
"post-incident review templates",
|
|
4443
|
-
"lessons learned documentation",
|
|
4444
|
-
"improvement action plans",
|
|
4445
|
-
"review meeting processes"
|
|
4446
|
-
],
|
|
4447
|
-
relatedSafeguards: ["17.4"] },
|
|
4448
|
-
"17.9": {
|
|
4449
|
-
id: "17.9",
|
|
4450
|
-
title: "Establish and Maintain Security Incident Thresholds",
|
|
4451
|
-
description: "Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
4452
|
-
implementationGroup: "IG3",
|
|
4453
|
-
assetType: ["Users"],
|
|
4454
|
-
securityFunction: ["Recover"],
|
|
4455
|
-
governanceElements: [ // Orange - MUST be met
|
|
4456
|
-
"establish and maintain security incident thresholds",
|
|
4457
|
-
"review annually or when significant enterprise changes occur that could impact this safeguard"
|
|
4458
|
-
],
|
|
4459
|
-
coreRequirements: [ // Green - The "what"
|
|
4460
|
-
"security incident thresholds",
|
|
4461
|
-
"differentiating between an incident and an event",
|
|
4462
|
-
"incident classification criteria"
|
|
4463
|
-
],
|
|
4464
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4465
|
-
"including, at a minimum, differentiating between an incident and an event",
|
|
4466
|
-
"examples can include abnormal activity",
|
|
4467
|
-
"examples can include security vulnerability",
|
|
4468
|
-
"examples can include security weakness",
|
|
4469
|
-
"examples can include data breach",
|
|
4470
|
-
"examples can include privacy incident"
|
|
4471
|
-
],
|
|
4472
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4473
|
-
"incident classification frameworks",
|
|
4474
|
-
"threshold definition templates",
|
|
4475
|
-
"severity rating systems",
|
|
4476
|
-
"incident categorization tools"
|
|
4477
|
-
],
|
|
4478
|
-
relatedSafeguards: ["17.4"] },
|
|
4479
|
-
"18.1": {
|
|
4480
|
-
id: "18.1",
|
|
4481
|
-
title: "Establish and Maintain a Penetration Testing Program",
|
|
4482
|
-
description: "Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements",
|
|
4483
|
-
implementationGroup: "IG2",
|
|
4484
|
-
assetType: ["network"],
|
|
4485
|
-
securityFunction: ["Govern"],
|
|
4486
|
-
governanceElements: [ // Orange - MUST be met
|
|
4487
|
-
"establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise"
|
|
4488
|
-
],
|
|
4489
|
-
coreRequirements: [ // Green - The "what"
|
|
4490
|
-
"penetration testing program",
|
|
4491
|
-
"scope including network, web application, API, hosted services, and physical premise controls",
|
|
4492
|
-
"frequency requirements",
|
|
4493
|
-
"limitations including acceptable hours and excluded attack types",
|
|
4494
|
-
"point of contact information",
|
|
4495
|
-
"remediation procedures for routing findings internally",
|
|
4496
|
-
"retrospective requirements"
|
|
4497
|
-
],
|
|
4498
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4499
|
-
"appropriate to the size, complexity, industry, and maturity of the enterprise",
|
|
4500
|
-
"penetration testing program characteristics include scope",
|
|
4501
|
-
"such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls",
|
|
4502
|
-
"characteristics include frequency",
|
|
4503
|
-
"characteristics include limitations, such as acceptable hours, and excluded attack types",
|
|
4504
|
-
"characteristics include point of contact information",
|
|
4505
|
-
"characteristics include remediation, such as how findings will be routed internally",
|
|
4506
|
-
"characteristics include retrospective requirements"
|
|
4507
|
-
],
|
|
4508
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4509
|
-
"penetration testing frameworks",
|
|
4510
|
-
"program documentation templates",
|
|
4511
|
-
"scope definition guidelines",
|
|
4512
|
-
"testing frequency schedules"
|
|
4513
|
-
],
|
|
4514
|
-
relatedSafeguards: ["18.2", "18.3", "18.4", "18.5"] },
|
|
4515
|
-
"18.2": {
|
|
4516
|
-
id: "18.2",
|
|
4517
|
-
title: "Perform Periodic External Penetration Tests",
|
|
4518
|
-
description: "Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box",
|
|
4519
|
-
implementationGroup: "IG2",
|
|
4520
|
-
assetType: ["network"],
|
|
4521
|
-
securityFunction: ["Detect"],
|
|
4522
|
-
governanceElements: [ // Orange - MUST be met
|
|
4523
|
-
"perform periodic external penetration tests based on program requirements, no less than annually",
|
|
4524
|
-
"external penetration testing must include enterprise and environmental reconnaissance to detect exploitable information",
|
|
4525
|
-
"penetration testing requires specialized skills and experience and must be conducted through a qualified party"
|
|
4526
|
-
],
|
|
4527
|
-
coreRequirements: [ // Green - The "what"
|
|
4528
|
-
"periodic external penetration tests",
|
|
4529
|
-
"enterprise reconnaissance",
|
|
4530
|
-
"environmental reconnaissance",
|
|
4531
|
-
"detect exploitable information",
|
|
4532
|
-
"specialized skills and experience",
|
|
4533
|
-
"qualified party to conduct testing"
|
|
4534
|
-
],
|
|
4535
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4536
|
-
"based on program requirements",
|
|
4537
|
-
"no less than annually",
|
|
4538
|
-
"to detect exploitable information",
|
|
4539
|
-
"the testing may be clear box or opaque box"
|
|
4540
|
-
],
|
|
4541
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4542
|
-
"external penetration testing services",
|
|
4543
|
-
"reconnaissance tools and techniques",
|
|
4544
|
-
"qualified penetration testing vendors",
|
|
4545
|
-
"clear box and opaque box methodologies"
|
|
4546
|
-
],
|
|
4547
|
-
relatedSafeguards: ["18.1", "18.3", "18.4"] },
|
|
4548
|
-
"18.3": {
|
|
4549
|
-
id: "18.3",
|
|
4550
|
-
title: "Remediate Penetration Test Findings",
|
|
4551
|
-
description: "Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding",
|
|
4552
|
-
implementationGroup: "IG2",
|
|
4553
|
-
assetType: ["network"],
|
|
4554
|
-
securityFunction: ["Protect"],
|
|
4555
|
-
governanceElements: [ // Orange - MUST be met
|
|
4556
|
-
"remediate penetration test findings based on the enterprise's documented vulnerability remediation process"
|
|
4557
|
-
],
|
|
4558
|
-
coreRequirements: [ // Green - The "what"
|
|
4559
|
-
"remediate penetration test findings",
|
|
4560
|
-
"documented vulnerability remediation process",
|
|
4561
|
-
"timeline for remediation",
|
|
4562
|
-
"level of effort determination",
|
|
4563
|
-
"impact assessment",
|
|
4564
|
-
"prioritization of findings"
|
|
4565
|
-
],
|
|
4566
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4567
|
-
"this should include determining a timeline and level of effort",
|
|
4568
|
-
"based on the impact and prioritization of each identified finding"
|
|
4569
|
-
],
|
|
4570
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4571
|
-
"vulnerability remediation workflows",
|
|
4572
|
-
"finding prioritization frameworks",
|
|
4573
|
-
"remediation tracking systems",
|
|
4574
|
-
"impact assessment methodologies"
|
|
4575
|
-
],
|
|
4576
|
-
relatedSafeguards: ["18.1", "18.2", "18.5"] },
|
|
4577
|
-
"18.4": {
|
|
4578
|
-
id: "18.4",
|
|
4579
|
-
title: "Validate Security Measures",
|
|
4580
|
-
description: "Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing",
|
|
4581
|
-
implementationGroup: "IG3",
|
|
4582
|
-
assetType: ["network"],
|
|
4583
|
-
securityFunction: ["Protect"],
|
|
4584
|
-
governanceElements: [ // Orange - MUST be met
|
|
4585
|
-
"validate security measures after each penetration test"
|
|
4586
|
-
],
|
|
4587
|
-
coreRequirements: [ // Green - The "what"
|
|
4588
|
-
"validate security measures",
|
|
4589
|
-
"modify rulesets if necessary",
|
|
4590
|
-
"modify capabilities if necessary",
|
|
4591
|
-
"detect techniques used during testing"
|
|
4592
|
-
],
|
|
4593
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4594
|
-
"after each penetration test",
|
|
4595
|
-
"if deemed necessary",
|
|
4596
|
-
"to detect the techniques used during testing"
|
|
4597
|
-
],
|
|
4598
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4599
|
-
"security control validation frameworks",
|
|
4600
|
-
"detection rule tuning processes",
|
|
4601
|
-
"capability enhancement procedures",
|
|
4602
|
-
"technique analysis methodologies"
|
|
4603
|
-
],
|
|
4604
|
-
relatedSafeguards: ["18.1", "18.2", "18.5"] },
|
|
4605
|
-
"18.5": {
|
|
4606
|
-
id: "18.5",
|
|
4607
|
-
title: "Perform Periodic Internal Penetration Tests",
|
|
4608
|
-
description: "Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box",
|
|
4609
|
-
implementationGroup: "IG3",
|
|
4610
|
-
assetType: ["network"],
|
|
4611
|
-
securityFunction: ["Detect"],
|
|
4612
|
-
governanceElements: [ // Orange - MUST be met
|
|
4613
|
-
"perform periodic internal penetration tests based on program requirements, no less than annually"
|
|
4614
|
-
],
|
|
4615
|
-
coreRequirements: [ // Green - The "what"
|
|
4616
|
-
"periodic internal penetration tests",
|
|
4617
|
-
"program requirements compliance",
|
|
4618
|
-
"annual testing frequency minimum"
|
|
4619
|
-
],
|
|
4620
|
-
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
4621
|
-
"based on program requirements",
|
|
4622
|
-
"no less than annually",
|
|
4623
|
-
"the testing may be clear box or opaque box"
|
|
4624
|
-
],
|
|
4625
|
-
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
4626
|
-
"internal penetration testing tools",
|
|
4627
|
-
"internal testing methodologies",
|
|
4628
|
-
"clear box and opaque box approaches",
|
|
4629
|
-
"internal security assessment frameworks"
|
|
4630
|
-
],
|
|
4631
|
-
relatedSafeguards: ["18.1", "18.3", "18.4"] }
|
|
4632
|
-
};
|
|
4633
|
-
}
|
|
4634
|
-
}
|