SDPC
Global Education Security Standard (GESS)

Home | About GESS | GESS Documentation | Self-Assessment | Submit Feedback | Attributions

V1.0 of GESS identifies and cross walks controls from the following Security Frameworks;
Filter All Controls Across Frameworks (Click on the standard(s) you DON'T want to include):
  

Filter GESS Controls Across Frameworks (Click on the standard(s) you DON'T want to include):
  

Filter GESS Controls by Jurisdiction:
  

Filter GESS Controls by Control Set:
  

Search results include:

Standard Control Control Text Questions Control Type Category Jurisdiction NH Standard ST4S Version
NIST 800-171 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Does your organisation provide access to systems based on roles (e.g., role-based access control (RBAC)), and is this process documented for all systems including the service? Basic Security - Access United States Y 1
NIST 800-171 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. Does your organisation provide access to systems based on roles (e.g., role-based access control (RBAC)), and is this process documented for all systems including the service? Derived Security - Access United States Y 1
NIST 800-171 3.1.3 Control the flow of CUI in accordance with approved authorizations. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. With regards to the development of the service, are different mission, testing, auditing, and system support roles allocated to different individuals (organisation staff, vendor staff, external contractors, associates) as a matter of policy Derived Security - Access United States 1
NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts. In your organisation, are privileged accounts (super-users) restricted by role or to specific staff? Derived Security - Access United States Y 1
NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions. In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) Derived Security - Access United States 1
NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions in audit logs. In your organisation, are privileged accounts (super-users) restricted by role or to specific staff? Derived Security - Access United States 1
NIST 800-171 3.1.8 Limit unsuccessful logon attempts. Does the service limit unsuccessful logon attempts, e.g. by resetting the user password after several such attempts? Derived Security - Access United States Y 1
NIST 800-171 3.1.9 Provide privacy and security notices consistent with applicable CUI rules. Is the privacy policy made available free of charge, stating explicitly what sites and services it covers, and: Published on the internet; or Provided to customers prior to use of the service? Derived Privacy - Requests United States 1
NIST 800-171 3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. Are all internal organisation systems (including operating systems) configured with a session or screen lock that: - activates after a maximum of 15 minutes of user inactivity or if manually activated by the user; - activates after a maximum of 2 minutes of user inactivity or if manually activated by the user for mobile end-user devices; - completely conceals all information on the screen; - ensures that the screen does not enter a power saving state before the screen or session lock is activated; - requires the user to reauthenticate to unlock the system; and - denies users the ability to disable the session or screen locking mechanism? - does not display any secure information of its own Basic Security - Access United States 1
NIST 800-171 3.1.11 Terminate (automatically) a user session after a defined condition. For the service, are user log-in sessions automatically terminated after a period of inactivity, or in response to a security incident? Derived Security - Access United States 1
NIST 800-171 3.1.12 Monitor and control remote access sessions. In relation to the chat/instant messaging functionality available within the service, select all that apply. Derived Privacy - Functionality United States 1
NIST 800-171 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States Y 1
NIST 800-171 3.1.14 Route remote access via managed access control points. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information. Within your organisation, are additional authorisation protocols required to execute privileged commands remotely, compared to on-site? Derived Security - Access United States 1
NIST 800-171 3.1.16 Authorize wireless access prior to allowing such connections. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States Y 1
NIST 800-171 3.1.17 Protect wireless access using authentication and encryption. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States Y 1
NIST 800-171 3.1.18 Control connection of mobile devices. Has your organisation documented and implemented a security policy governing the management and connectivity of mobile devices, including •use of a Mobile Device Management solution applied to all mobile devices and • encryption of any sensitive information transferred to mobile devices? Derived Security - Technical United States 1
NIST 800-171 3.1.19 Encrypt CUI on mobile devices. Has your organisation documented and implemented a security policy governing the management and connectivity of mobile devices, including •use of a Mobile Device Management solution applied to all mobile devices and • encryption of any sensitive information transferred to mobile devices? Derived Security - Technical United States 1
NIST 800-171 3.1.20 Verify and control/limit connections to and use of external information systems. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.1.21 Limit use of portable storage devices on external systems. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.1.22 Control CUI posted or processed on publicly accessible systems. Does your organisation share user data with third parties in any circumstance other than the following? If yes, please specify. -the individual has consented to the use or disclosure of the information; -the use or disclosure of the information is required or authorised by or under a law or a court/tribunal order in the customer's country; - the use or disclosure is required or permitted under privacy legislation in the customer's country; or -the entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body? For service in Australia, refer to the Australian Privacy Principles, as well as the permitted general situations and permitted health situations. For service in New Zealand, refer to the Privacy Principles and information sharing provisions in the Privacy Act 2020, as well as the Oranga Tamariki Act 1989 and the Family Violence Act 2018. For the UK, refer to Keeping Children Safe in Education Derived Privacy - Requests United States 1
NIST 800-171 AC-1 Access control policy and procedures NFO United States 1
NIST 800-171 3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Basic Security - HR United States Y 1
NIST 800-171 3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Basic Security - HR United States Y 1
NIST 800-171 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Derived Security - HR United States 1
NIST 800-171 AT-1 Security awareness and training policy and procedures NFO United States 1
NIST 800-171 AT-4 Security training records NFO United States 1
NIST 800-171 3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful unauthorized system activity. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Basic Security - Logging United States Y 1
NIST 800-171 3.3.3 Review and update events. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Derived Security - Plans and Quality United States 1
NIST 800-171 3.3.4 Alert in the event of an audit process failure. Has your organisation implemented a centralised logging facility to store logs which: Ensure logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Derived Security - Logging United States 1
NIST 800-171 3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of suspicious, or unusual activity. Does your organisation have a documented and implemented event log auditing procedure which outlines, at a minimum: • Schedule of audits (annual or real-time for sensitive data); • Definitions of security violations; • Actions to be taken when violations are detected; and • Reporting requirements? Derived Security - Logging United States 1
NIST 800-171 3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting. Has your organisation implemented a centralised logging facility to store logs which: Ensure logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Derived Security - Logging United States 1
NIST 800-171 3.3.7 Provide system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Derived Security - Logging United States 1
NIST 800-171 3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion. Has your organisation implemented a centralised logging facility to store logs which: Ensure logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Derived Security - Logging United States 1
NIST 800-171 3.3.9 Limit management of audit functionality to a subset of privileged users. Derived United States 1
NIST 800-171 AU-1 Audit and accountability policy and procedures NFO United States 1
NIST 800-171 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Basic Security - Access United States Y 1
NIST 800-171 3.4.3 Track, review, approve/ or disapprove, and audit log changes to orgaizational systems. Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalised Derived Security - Plans and Quality United States 1
NIST 800-171 3.4.4 Analyze the security impact of changes prior to implementation. Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalised Derived Security - Plans and Quality United States 1
NIST 800-171 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Derived Security - Access United States 1
NIST 800-171 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Derived Security - Technical United States 1
NIST 800-171 3.4.7 Restrict, disable, prevent the use of nonessential programs, functions, ports, protocols, and services. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Derived Security - Technical United States Y 1
NIST 800-171 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Derived Security - Technical United States 1
NIST 800-171 3.4.9 Control and monitor user-installed software. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Derived Security - Technical United States 1
NIST 800-171 CM-1 Configuration management policies NFO United States 1
NIST 800-171 CM-2(1) Baseline configuration - reviews and updates NFO United States 1
NIST 800-171 CM-2(7) Baseline configuration - configure systems, components, or devices for high-risk areas NFO United States 1
NIST 800-171 CM-3(2) Configuration change control - test/validate/document changes NFO United States 1
NIST 800-171 CM-8(5) System component inventory - no duplicate accounting of components NFO United States 1
NIST 800-171 CM-9 Configuration management plan NFO United States 1
NIST 800-171 3.5.1 Identify system users, processes acting on behalf of users, devices. Are all users (including administrators, system accounts, and devices), uniquely identifiable within the service (i.e., via unique usernames and passwords)? Basic Security - Access United States Y 1
NIST 800-171 3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems. Does all access to the service require authentication and authorisation, including both human access, and access by process or devices? Basic Security - Access United States Y 1
NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Derived Security - Access United States 1
NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. Within the service, is the multi-factor authentication used relay-resistant (e.g. nonces, one-time authentication tokens)? Derived Security - Access United States 1
NIST 800-171 3.5.5 Prevent reuse of identifiers for a defined period. Within the organisation, are all accounts disabled after 45 days of inactivity and are user identifiers blocked from reassignment to new users for a defined period of time? Derived Security - Access United States 1
NIST 800-171 3.5.6 Disable identifiers after a defined period of inactivity. Within the organisation, are all accounts disabled after 45 days of inactivity and are user identifiers blocked from reassignment to new users for a defined period of time? Derived Security - Access United States 1
NIST 800-171 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. For the service, when a new password is selected by a user, is there a restriction on: • How similar the new password is to the previous password; • The time duration or number of password changes before a previous password can be reused by a user? Derived Security - Access United States Y 1
NIST 800-171 3.5.8 Prohibit password reuse for a specified number of generations. For the service, when a new password is selected by a user, is there a restriction on: • How similar the new password is to the previous password; • The time duration or number of password changes before a previous password can be reused by a user? Derived Security - Access United States 1
NIST 800-171 3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Derived Security - Access United States 1
NIST 800-171 3.5.10 Store and transmit only cryptographically-protected of passwords. Are all passwords used to access the service (i.e. user, system, and privileged account passwords) protected in line with the recommendations of at least one of: the Australia Cyber Security Centre Information Security Manual; New Zealand Information Security Manual and/or Open Web Application Security Program's Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation for ensuring passwords are hashed, salted and stretched? Derived Security - Access United States 1
NIST 800-171 3.5.11 Obscure feedback of authentication information. Are passwords obscured or masked as users enter them in order to access the service? Derived Security - Access United States 1
NIST 800-171 IA-1 Identification and authentication policy and procedures NFO United States 1
NIST 800-171 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? Basic Security - Processess and Testing United States Y 1
NIST 800-171 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after this is discovered and given all relevant details? Basic Security - Processess and Testing United States Y 1
NIST 800-171 3.6.3 Test the organizational incident response capability. Is the incident response capability of the organisation regularly tested and reviewed? Derived Security - Processess and Testing United States 1
NIST 800-171 IR-1 Incident response policy and procedures NFO United States 1
NIST 800-171 IR-8 Incident response plan NFO United States 1
NIST 800-171 3.7.1 Perform maintenance on organizational systems. Does your organisation use a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, and firmware and hardware which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly; and - that by default, patches to the product are applied automatically i.e. without the need for customer action Basic Security - Processess and Testing United States Y 1
NIST 800-171 3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Basic Security - Access United States Y 1
NIST 800-171 3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. Does your organisation enforce enhanced security configurations for organisation systems and components moving: Physically to high-risk areas; and Off-site for maintenance; Derived Security - Technical United States Y 1
NIST 800-171 3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the organizational systems. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) Derived Security - Access United States 1
NIST 800-171 3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Derived Security - Access United States 1
NIST 800-171 MA-1 System maintenance policy and procedures NFO United States 1
NIST 800-171 MA-4(2) Non-local maintenance - document non-local maintenance Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged NFO Security - Logging United States 1
NIST 800-171 3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Basic Security - Technical United States Y 1
NIST 800-171 3.8.2 Limit access to CUI on information system media to authorized users. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Basic Security - Technical United States Y 1
NIST 800-171 3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.8.4 Mark media with necessary CUI markings and distribution limitations. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States Y 1
NIST 800-171 3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.7 Control the use of removable media on system components. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.9 Protect the confidentiality of backup CUI at storage locations. Derived United States 1
NIST 800-171 MP-1 Media protection policy and procedures Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? NFO Security - Technical United States 1
NIST 800-171 3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI. Do all vendor staff, external contractors and associates who have access to user data or user content undergo employment screening (e.g., criminal history checks, working with children checks) as per applicable regulatory requirements? Basic Security - HR United States Y 1
NIST 800-171 3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; and - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity? - Provided appropriate security notices when they access the system Basic Security - Access United States Y 1
NIST 800-171 PS-1 Personnel security policy and procedures NFO United States 1
NIST 800-171 PS-6 Access agreements NFO United States 1
NIST 800-171 PS-7 Third-party / external personnel security NFO United States 1
NIST 800-171 PS-8 Personnel sanctions NFO United States 1
NIST 800-171 3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components Basic Security - Hosting and Location United States Y 1
NIST 800-171 3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components Basic Security - Hosting and Location United States Y 1
NIST 800-171 3.10.3 Escort visitors and monitor visitor activity. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components Derived Security - Hosting and Location United States 1
NIST 800-171 3.10.4 Maintain audit logs of physical access. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components Derived Security - Hosting and Location United States 1
NIST 800-171 3.10.5 Control and manage physical access devices. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components Derived Security - Hosting and Location United States 1
NIST 800-171 3.10.6 Enforce safeguarding measures for CUI at alternate work sites. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 PE-1 Physical and environmental protection policy and procedures NFO United States 1
NIST 800-171 PE-6(1) Monitoring physical access - intrusion alarms / surveillance equipment At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components NFO Security - Hosting and Location United States 1
NIST 800-171 PE-8 Visitor access records At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components NFO Security - Hosting and Location United States 1
NIST 800-171 PE-16 Delivery and removal At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components NFO Security - Hosting and Location United States 1
NIST 800-171 3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/ threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable) and; o Residual risk ratings after implementing mitigation actions Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis the framework is to be reviewed regularly and in response to security incidents? Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Derived Security - Processes and Testing United States Y 1
NIST 800-171 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Derived Security - Processes and Testing United States Y 1
NIST 800-171 RA-1 Risk assessment policy and procedures NFO United States 1
NIST 800-171 RA-5(1) Vulnerability scanning - tool update capability NFO United States 1
NIST 800-171 RA-5(2) Vulnerability scanning - update by frequency / prior to new scan / when identified NFO United States 1
NIST 800-171 3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Which compliance certifications or assessments are undertaken by independent assessors? Basic Security - Compliance Controls United States Y 1
NIST 800-171 3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Basic Security - Plans and Quality United States 1
NIST 800-171 CA-1 Security assessment and authorization policies and procedures NFO United States 1
NIST 800-171 CA-2(1) Security assessments / independent assessors NFO United States 1
NIST 800-171 CA-3 System interconnections NFO United States 1
NIST 800-171 CA-3(5) System interconnections / restrictions on external system connections NFO United States 1
NIST 800-171 CA-7 Continuous monitoring NFO United States 1
NIST 800-171 CA-7(1) Continuous monitoring / independent assessment NFO United States 1
NIST 800-171 CA-9 Internal system connections NFO United States 1
NIST 800-171 PL-1 Security planning policy and procedures NFO United States 1
NIST 800-171 PL-2(3) System security plan - plan / coordinate with other organizational entities NFO United States 1
NIST 800-171 PL-4 Rules of behaviour NFO United States 1
NIST 800-171 PL-4(1) Rules of behaviour - social media and networking restrictions NFO United States 1
NIST 800-171 PL-8 Information security architecture NFO United States 1
NIST 800-171 3.13.1 Monitor, control, and protect l communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Within the organisation, for internal systems and components (e.g. databases, internal user networks) that routinely deal with sensitive data or are widely accessed, is there a separation between internet facing components and other online components? Basic Security - Technical United States Y 1
NIST 800-171 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Does the service's application development have the following characteristics:
  • Environments are separated into at least development, testing and production environments;
  • Development and modification of software only takes place in development environments;
  • Unauthorised access to the authoritative software source is prevented;
  • Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organisation's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development);
  • Applies the National Institute for Standards and Technology (NIST)’s Secure Software Development Framework (SSDF) for all software development activities
  • Privacy-by-design principles;
  • Threat modelling is used in support of application development; and
  • Alignment to a security and privacy architecture that has been drawn up for the system?
Basic Security - Plans and Quality United States 1
NIST 800-171 3.13.3 Separate user functionality from information system management functionality. Is privileged system management segregated from user functionality? (e.g. through different computers, different operating systems, use of VPNs) Derived Security - Access United States 1
NIST 800-171 3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. What are the minimum encryption algorithms applied to protect data at rest, including backups, data storage and auditable logs? Derived Security - Technical United States 1
NIST 800-171 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Within the organisation, for internal systems and components (e.g. databases, internal user networks) that routinely deal with sensitive data or are widely accessed, is there a separation between internet facing components and other online components? Derived Security - Technical United States 1
NIST 800-171 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Derived Security - Technical United States Y 1
NIST 800-171 3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). Derived United States 1
NIST 800-171 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Derived Security - Technical United States 1
NIST 800-171 3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.13.10 Establish and manage cryptographic keys for cryptography employed in the organizational systems. Does your organisation have a documented and implemented key management process which describes at a minimum: • Key generation; • Key registration; • Key storage; • Key distribution and installation; • Key use; • Key rotation; • Key backup; • Key recovery; • Key revocation; • Key suspension; and • Key destruction? Derived Security - Technical United States 1
NIST 800-171 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Derived Security - Technical United States 1
NIST 800-171 3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. In relation to the chat/instant messaging functionality available within the service, select all that apply. Derived Privacy - Functionality United States 1
NIST 800-171 3.13.13 Control and monitor the use of mobile code. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Derived Security - Access United States 1
NIST 800-171 3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. In relation to the chat/instant messaging functionality available within the service, select all that apply. Derived Privacy - Functionality United States 1
NIST 800-171 3.13.15 Protect the authenticity of communications sessions. Are all of the service's web servers secured with digital certificates signed by a reputable trusted authority? Derived Security - Technical United States 1
NIST 800-171 3.13.16 Protect the confidentiality of CUI at rest. Derived United States Y 1
NIST 800-171 SA-1 System and services acquisition policy and procedures NFO United States 1
NIST 800-171 SA-2 Allocation of resources NFO United States 1
NIST 800-171 SA-3 System Development Life Cycle NFO United States 1
NIST 800-171 SA-4 Acquisition process NFO United States 1
NIST 800-171 SA-4(1) Acquisition process - functional properties of security controls NFO United States 1
NIST 800-171 SA-4(2) Acquisition process - design / implementation information for security controls NFO United States 1
NIST 800-171 SA-4(9) Acquisition process - functions / ports / protocols / services in use NFO United States 1
NIST 800-171 SA-4(10) Acquisition process - use of approved Personal Identity Verification (PIV) products NFO United States 1
NIST 800-171 SA-5 System documentation NFO United States 1
NIST 800-171 SA-9 External system services NFO United States 1
NIST 800-171 SA-9(2) External systems - identification of functions / ports / protocols / services NFO United States 1
NIST 800-171 SA-10 Developer configuration management NFO United States 1
NIST 800-171 SA-11 Developer security testing and evaluation NFO United States 1
NIST 800-171 SC-1 System and communications protection policy and procedures NFO United States 1
NIST 800-171 SC-7(3) Boundary protection - access points NFO United States 1
NIST 800-171 SC-7(4) Boundary protection - external telecommunications services NFO United States 1
NIST 800-171 SC-20 Secure name/address resolution service (authoritative source) NFO United States 1
NIST 800-171 SC-21 Secure name/address resolution service (recursive or caching resolver) NFO United States 1
NIST 800-171 SC-22 Architecture and provisioning for name/address resolution service NFO United States 1
NIST 800-171 SC-39 Process isolation NFO United States 1
NIST 800-171 3.14.1 Identify, report, and correct system flaws in a timely manner. Are patches, updates or vendor mitigations for security vulnerabilities in other applications applied within one month of release? Basic Security - Processess and Testing United States Y 1
NIST 800-171 3.14.2 Provide protection from malicious code at designated locations within organizational systems. At a minimum, are the following features built into the file upload functionality available within the service? - All files are scanned for Malware/Viruses during upload - All files are scanned for Malware/Viruses while at rest - All files found to contain Malware/Viruses are quarantined or deleted Basic Privacy - Functionality United States 1
NIST 800-171 3.14.3 Monitor system security alerts and advisories and take actions in response. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.14.4 Update malicious code protection mechanisms when new releases are available. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Derived Security - Processes and Testing United States Y 1
NIST 800-171 3.14.6 Monitor organizational systems including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.14.7 Identify unauthorized use of organizational systems. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 SI-1 System and information integrity policy and procedures NFO United States 1
NIST 800-171 SI-4(5) System monitoring - system-generated alerts NFO United States 1
NIST 800-171 SI-16 Memory protection NFO United States 1
AUISM G1 A Chief Information Security Officer provides leadership and oversight of cyber security. Australia
AUISM G2 The identity and value of systems, applications and data is determined and documented. Australia
AUISM G3 The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented. Australia
AUISM G4 Security risk management processes are embedded into organisational risk management frameworks. Australia
AUISM G5 Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life. Australia
AUISM P1 Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements. Australia
AUISM P2 Systems and applications are delivered and supported by trusted suppliers. Australia
AUISM P3 Systems and applications are configured to reduce their attack surface. Australia
AUISM P4 Systems and applications are administered in a secure and accountable manner. Australia
AUISM P5 Security vulnerabilities in systems and applications are identified and mitigated in a timely manner. Australia
AUISM P6 Only trusted and supported operating systems, applications and computer code can execute on systems. Australia
AUISM P7 Data is encrypted at rest and in transit between different systems. Australia
AUISM P8 Data communicated between different systems is controlled and inspectable. Australia
AUISM P9 Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis. Australia
AUISM P10 Only trusted and vetted personnel are granted access to systems, applications and data repositories. Australia
AUISM P11 Personnel are granted the minimum access to systems, applications and data repositories required for their duties. Australia
AUISM P12 Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories. Australia
AUISM P13 Personnel are provided with ongoing cyber security awareness training. Australia
AUISM P14 Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel. Australia
AUISM D1 Event logs are collected and analysed in a timely manner to detect cyber security events. Australia
AUISM D2 Cyber security events are analysed in a timely manner to identify cyber security incidents. Australia
AUISM R1 Cyber security incidents are reported both internally and externally to relevant bodies in a timely manner. Australia
AUISM R2 Cyber security incidents are contained, eradicated and recovered from in a timely manner. Australia
AUISM R3 Business continuity and disaster recovery plans are enacted when required. Australia
AUISM 714 A CISO is appointed to provide cyber security leadership and guidance for their organisation. Is there a nominated role within the organisation responsible for information security (i.e., CIO, CTO, CISO)? Security - Governance Australia
AUISM 1478 The CISO oversees their organisationís cyber security program and ensures their organisationís compliance with cyber security policy, standards, regulations and legislation. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Security - Plans and Quality Australia Y
AUISM 1617 The CISO regularly reviews and updates their organisationís cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities. Australia
AUISM 724 The CISO implements cyber security measurement metrics and key performance indicators for their organisation. Australia
AUISM 725 The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis. Australia
AUISM 726 The CISO coordinates security risk management activities between cyber security and business teams. Australia
AUISM 718 The CISO reports directly to their organisationís senior executive or Board on cyber security matters. Australia
AUISM 733 The CISO is fully aware of all cyber security incidents within their organisation. Australia
AUISM 1618 The CISO oversees their organisationís response to cyber security incidents. Australia
AUISM 734 The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster. Australia
AUISM 720 The CISO develops, implements and maintains a cyber security communications strategy for their organisation. Australia
AUISM 731 The CISO oversees cyber supply chain risk management activities for their organisation. Australia
AUISM 732 The CISO receives and manages a dedicated cyber security budget for their organisation. Australia
AUISM 717 The CISO oversees the management of cyber security personnel within their organisation. Australia
AUISM 735 The CISO oversees the development, implementation and maintenance of their organisationís cyber security awareness training program. Australia
AUISM 1071 Each system has a designated system owner. Australia
AUISM 1525 System owners register each system with its authorising officer. Australia
AUISM 1633 System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised. Australia
AUISM 1634 System owners select controls for each system and tailor them to achieve desired security objectives. Australia
AUISM 1635 System owners implement controls for each system and its operating environment. Australia
AUISM 1636 System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/ threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable) and; o Residual risk ratings after implementing mitigation actions Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis the framework is to be reviewed regularly and in response to security incidents? Security - Plans and Quality Australia Y
AUISM 27 System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation. Australia
AUISM 1526 System owners monitor each system, and associated cyber threats, security risks and controls, on an ongoing basis. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/ threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable) and; o Residual risk ratings after implementing mitigation actions Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis the framework is to be reviewed regularly and in response to security incidents? Security - Plans and Quality Australia Y
AUISM 1587 System owners report the security status of each system to its authorising officer at least annually. Australia
AUISM 576 An incident management policy, and associated incident response plan, is developed, implemented and maintained. Australia
AUISM 1784 The incident management policy, including the associated incident response plan, is exercised at least annually. Australia
AUISM 125 A cyber security incident register is developed, implemented and maintained. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? Security - Processess and Testing Australia Y
AUISM 1803 A cyber security incident register contains the following for each cyber security incident:[ul][li]the date the cyber security incident occurred[/li][li]the date the cyber security incident was discovered[/li][li]a description of the cyber security incident[/li][li]any actions taken in response to the cyber security incident[/li][li]to whom the cyber security incident was reported.[/li] Australia
AUISM 1625 A trusted insider program is developed, implemented and maintained. Australia
AUISM 1626 Legal advice is sought regarding the development and implementation of a trusted insider program. Australia
AUISM 120 Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise. Australia
AUISM 133 When a data spill occurs, data owners are advised and access to the data is restricted. Australia
AUISM 917 When malicious code is detected, the following steps are taken to handle the infection:[ul][li]the infected systems are isolated[/li][li]all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary[/li][li]antivirus software is used to remove the infection from infected systems and media[/li][li]if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.[/li] Australia
AUISM 137 Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. Australia
AUISM 1609 System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. Australia
AUISM 1731 Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised. Australia
AUISM 1732 To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage. Australia
AUISM 1213 Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether the adversary has been successfully removed from the system. Australia
AUISM 138 The integrity of evidence gathered during an investigation is maintained by investigators:[ul][li]recording all of their actions[/li][li]creating checksums for all evidence[/li][li]copying evidence onto media for archiving[/li][li]maintaining a proper chain of custody.[/li] Australia
AUISM 123 Cyber security incidents are reported to an organisationís Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after this is discovered and given all relevant details? Security - Processess and Testing Australia Y
AUISM 140 Cyber security incidents are reported to the ACSC. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after this is discovered and given all relevant details? Security - Processess and Testing Australia Y
AUISM 1631 Suppliers of applications, ICT equipment and services associated with systems are identified. Australia
AUISM 1452 A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a systemís security risk profile. Select the option which best describes where user data or any related data (e.g., metadata, logs, user content) is stored or processed across all components of the service, including live solution, backup, disaster recovery, test environment, and development environments. Security - Hosting and Location Australia Y
AUISM 1567 Suppliers identified as high risk by a cyber supply chain risk assessment are not used. Australia
AUISM 1568 Applications, ICT equipment and services are chosen from suppliers that have made a commitment to the security of their products and services. Australia
AUISM 1632 Applications, ICT equipment and services are chosen from suppliers that have a strong track record of transparency and maintaining the security of their own systems and cyber supply chains. Australia
AUISM 1569 A shared responsibility model is created, documented and shared between suppliers and their customers in order to articulate the security responsibilities of each party. Australia
AUISM 1785 A supplier relationship management policy is developed, implemented and maintained. Australia
AUISM 1786 An approved supplier list is developed, implemented and maintained. Australia
AUISM 1787 Applications, ICT equipment and services are sourced from approved suppliers. Australia
AUISM 1788 Multiple potential suppliers are identified for sourcing critical applications, ICT equipment and services. Australia
AUISM 1789 Sufficient spares of critical ICT equipment are sourced and kept in reserve. Australia
AUISM 1790 Applications, ICT equipment and services are delivered in a manner that maintains their integrity. Australia
AUISM 1791 The integrity of applications, ICT equipment and services are assessed as part of acceptance of products and services. Australia
AUISM 1792 The authenticity of applications, ICT equipment and services are assessed as part of acceptance of products and services. Australia
AUISM 1736 A managed service register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1737 A managed service register contains the following for each managed service:[ul][li]managed service providerís name[/li][li]managed serviceís name[/li][li]purpose for using the managed service[/li][li]sensitivity or classification of data involved[/li][li]due date for the next security assessment of the managed service[/li][li]contractual arrangements for the managed service[/li][li]point of contact for users of the managed service[/li][li]24/7 contact details for the managed service provider.[/li] Australia
AUISM 1793 Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months. Australia
AUISM 1637 An outsourced cloud service register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1638 An outsourced cloud service register contains the following for each outsourced cloud service:[ul][li]cloud service providerís name[/li][li]cloud serviceís name[/li][li]purpose for using the cloud service[/li][li]sensitivity or classification of data involved[/li][li]due date for the next security assessment of the cloud service[/li][li]contractual arrangements for the cloud service[/li][li]point of contact for users of the cloud service[/li][li]24/7 contact details for the cloud service provider.[/li] Australia
AUISM 1529 Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services. Australia
AUISM 1570 Outsourced cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months. If the service includes outsourced cloud-based services, are those cloud-based services IRAP assessed? See https://www.cyber.gov.au/irap for information about IRAP assessment. Security - Hosting and Location Australia Y
AUISM 1395 Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services. Australia
AUISM 72 Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose. Australia
AUISM 1571 The right to verify compliance with security requirements is documented in contractual arrangements with service providers. Australia
AUISM 1738 The right to verify compliance with security requirements documented in contractual arrangements with service providers is exercised on a regular and ongoing basis. Australia
AUISM 1804 Break clauses associated with failure to meet security requirements are documented in contractual arrangements with service providers. Australia
AUISM 141 The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after this is discovered and given all relevant details? Security - Processess and Testing Australia Y
AUISM 1794 A minimum notification period of one month by service providers for significant changes to their own service provider arrangements is documented in contractual arrangements with service providers. Australia
AUISM 1451 Types of data and its ownership is documented in contractual arrangements with service providers. Australia
AUISM 1572 The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements with service providers. Australia
AUISM 1573 Access to all logs relating to an organisationís data and services is documented in contractual arrangements with service providers. Australia
AUISM 1574 The storage of data in a portable manner that allows for backups, service migration and service decommissioning without any loss of data is documented in contractual arrangements with service providers. Australia
AUISM 1575 A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements with service providers. Australia
AUISM 1073 An organisationís systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so. Australia
AUISM 1576 If an organisationís systems or data are accessed or administered by a service provider in an unauthorised manner, the organisation is immediately notified. Australia
AUISM 39 A cyber security strategy is developed, implemented and maintained. Australia
AUISM 47 Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the systemís authorising officer. Australia
AUISM 1739 A systemís security architecture is approved prior to the development of the system. Australia
AUISM 888 Security documentation is reviewed at least annually and includes a ëcurrent as at [date]í or equivalent statement. Australia
AUISM 1602 Security documentation, including notification of subsequent changes, is communicated to all stakeholders. Australia
AUISM 41 Systems have a system security plan that includes a description of the system and an annex that covers both applicable controls from this document and any additional controls that have been identified. Australia
AUISM 43 Systems have an incident response plan that covers the following:[ul][li]guidelines on what constitutes a cyber security incident[/li][li]the types of cyber security incidents likely to be encountered and the expected response to each type[/li][li]how to report cyber security incidents, internally to an organisation and externally to relevant authorities[/li][li]other parties which need to be informed in the event of a cyber security incident[/li][li]the authority, or authorities, responsible for investigating and responding to cyber security incidents[/li][li]the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Cyber Security Centre or other relevant authority[/li][li]the steps necessary to ensure the integrity of evidence relating to a cyber security incident[/li][li]system contingency measures or a reference to such details if they are located in a separate document.[/li] Australia
AUISM 1163 Systems have a continuous monitoring plan that includes:[ul][li]conducting vulnerability scans for systems at least monthly[/li][li]conducting vulnerability assessments or penetration tests for systems at least annually[/li][li]analysing identified security vulnerabilities to determine their potential impact[/li][li]using a risk-based approach to prioritise the implementation of mitigations based on effectiveness and cost.[/li] Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Security - Processes and Testing Australia
AUISM 1563 At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:[ul][li]the scope of the security assessment[/li][li]the systemís strengths and weaknesses[/li][li]security risks associated with the operation of the system[/li][li]the effectiveness of the implementation of controls[/li][li]any recommended remediation actions.[/li] Australia
AUISM 1564 At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner. Australia
AUISM 810 Systems are secured in facilities that meet the requirements for a security zone suitable for their sensitivity or classification. Australia
AUISM 1053 Servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their sensitivity or classification. Australia
AUISM 1530 Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in. Australia
AUISM 813 Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states. Australia
AUISM 1074 Keys or equivalent access mechanisms to server rooms, communications rooms, security containers and secure rooms are appropriately controlled. Australia
AUISM 1296 Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; •Control and management of any physical access control devices, such as secure swipe cards Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components Security - Hosting and Location Australia Y
AUISM 1543 An authorised RF and IR device register for SECRET and TOP SECRET areas is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 225 Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas. Australia
AUISM 829 Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas. Australia
AUISM 164 Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities. Australia
AUISM 161 ICT equipment and media are secured when not in use. Australia
AUISM 252 Cyber security awareness training is undertaken annually by all personnel and covers:[ul][li]the purpose of the cyber security awareness training[/li][li]security appointments and contacts[/li][li]authorised use of systems and their resources[/li][li]protection of systems and their resources[/li][li]reporting of cyber security incidents and suspected compromises of systems and their resources.[/li] Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Security - HR Australia Y
AUISM 1565 Tailored privileged user training is undertaken annually by all privileged users. Australia
AUISM 1740 Personnel dealing with banking details and payment requests are advised of what business email compromise is, how to manage such situations and how to report it. Australia
AUISM 817 Personnel are advised of what suspicious contact via online services is and how to report it. Australia
AUISM 820 Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted. Australia
AUISM 1146 Personnel are advised to maintain separate work and personal accounts for online services. Australia
AUISM 821 Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information. Australia
AUISM 824 Personnel are advised not to send or receive files via unauthorised online services. Australia
AUISM 432 Access requirements for a system and its resources are documented in its system security plan. Australia
AUISM 434 Personnel undergo appropriate employment screening and, where necessary, hold an appropriate security clearance before being granted access to a system and its resources. Do all vendor staff, external contractors and associates who have access to user data or user content undergo employment screening (e.g., criminal history checks, working with children checks) as per applicable regulatory requirements? Security - HR Australia Y
AUISM 435 Personnel receive any necessary briefings before being granted access to a system and its resources. Australia
AUISM 414 Personnel granted access to a system and its resources are uniquely identifiable. Are all users (including administrators, system accounts, and devices), uniquely identifiable within the service (i.e., via unique usernames and passwords)? Security - Access Australia
AUISM 415 The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable. Australia
AUISM 1583 Personnel who are contractors are identified as such. Australia
AUISM 420 Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality. Australia
AUISM 405 Requests for unprivileged access to systems, applications and data repositories are validated when first requested. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; and - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity? - Provided appropriate security notices when they access the system Security - Access Australia
AUISM 1566 Use of unprivileged access is logged. Australia
AUISM 1714 Unprivileged access event logs are stored centrally. Australia
AUISM 409 Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective controls are in place to ensure such data is not accessible to them. Australia
AUISM 411 Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective controls are in place to ensure such data is not accessible to them. Australia
AUISM 1507 Requests for privileged access to systems and applications are validated when first requested. Australia
AUISM 1733 Requests for privileged access to data repositories are validated when first requested. Australia
AUISM 1508 Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties. Australia
AUISM 1175 Privileged user accounts are prevented from accessing the internet, email and web services. Australia
AUISM 1653 Privileged service accounts are prevented from accessing the internet, email and web services. Australia
AUISM 1649 Just-in-time administration is used for administering systems and applications. Australia
AUISM 445 Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. Australia
AUISM 1509 Privileged access events are logged. Australia
AUISM 1651 Privileged access event logs are stored centrally. Australia
AUISM 1650 Privileged account and group management events are logged. Australia
AUISM 1652 Privileged account and group management event logs are stored centrally. Australia
AUISM 446 Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data. Australia
AUISM 447 Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data. Australia
AUISM 430 Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access. Is there a documented and implemented process to remove access to systems, applications and data repositories for personnel (vendor staff, external contractors and associates) that: no longer have a legitimate requirement for access (implemented on the same day); and are detected undertaking malicious activities (implemented immediately)? Security - HR Australia Y
AUISM 1591 Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities. Is there a documented and implemented process to remove access to systems, applications and data repositories for personnel (vendor staff, external contractors and associates) that: no longer have a legitimate requirement for access (implemented on the same day); and are detected undertaking malicious activities (implemented immediately)? Security - HR Australia Y
AUISM 1404 Unprivileged access to systems and applications is automatically disabled after 45 days of inactivity. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; and - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity? - Provided appropriate security notices when they access the system Security - Access Australia
AUISM 1648 Privileged access to systems and applications is automatically disabled after 45 days of inactivity. Australia
AUISM 1716 Access to data repositories is automatically disabled after 45 days of inactivity. Australia
AUISM 1647 Privileged access to systems and applications is automatically disabled after 12 months unless revalidated. Australia
AUISM 1734 Privileged access to data repositories is automatically disabled after 12 months unless revalidated. Australia
AUISM 407 A secure record is maintained for the life of each system covering:[ul][li]all personnel authorised to access the system, and their user identification[/li][li]who provided authorisation for access[/li][li]when access was granted[/li][li]the level of access that was granted[/li][li]when access, and the level of access, was last reviewed[/li][li]when the level of access was changed, and to what extent (if applicable)[/li][li]when access was withdrawn (if applicable).[/li] Australia
AUISM 441 When personnel are granted temporary access to a system, effective controls are put in place to restrict their access to only data required for them to undertake their duties. Australia
AUISM 443 Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information. Australia
AUISM 1610 A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. Australia
AUISM 1611 Break glass accounts are only used when normal authentication processes cannot be used. Australia
AUISM 1612 Break glass accounts are only used for specific authorised activities. Australia
AUISM 1614 Break glass account credentials are changed by the account custodian after they are accessed by any other party. Australia
AUISM 1615 Break glass accounts are tested after credentials are changed. Australia
AUISM 1613 Use of break glass accounts is logged. Australia
AUISM 1715 Break glass event logs are stored centrally. Australia
AUISM 78 Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government. Australia
AUISM 854 AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government. Australia
AUISM 181 Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority. Australia
AUISM 1111 Fibre-optic cables are used for cabling infrastructure instead of copper cables. Australia
AUISM 211 A cable register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 208 A cable register contains the following for each cable:[ul][li]cable identifier[/li][li]cable colour[/li][li]sensitivity/classification[/li][li]source[/li][li]destination[/li][li]location[/li][li]seal numbers (if applicable).[/li] Australia
AUISM 1645 Floor plan diagrams are developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1646 Floor plan diagrams contain the following:[ul][li]cable paths (including ingress and egress points between floors)[/li][li]cable reticulation system and conduit paths[/li][li]floor concentration boxes[/li][li]wall outlet boxes[/li][li]network cabinets.[/li] Australia
AUISM 206 Cable labelling processes, and supporting cable labelling procedures, are developed, implemented and maintained. Australia
AUISM 1096 Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable. Australia
AUISM 1639 Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals. Australia
AUISM 1640 Cables for foreign systems installed in Australian facilities are labelled at inspection points. Australia
AUISM 926 OFFICIAL and PROTECTED cables are coloured neither salmon pink nor red. Australia
AUISM 1718 SECRET cables colours are coloured salmon pink. Australia
AUISM 1719 TOP SECRET cables colours are coloured red. Australia
AUISM 1216 SECRET and TOP SECRET cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points. Australia
AUISM 1112 Cables are inspectable at a minimum of five-metre intervals. Australia
AUISM 1119 Cables in TOP SECRET areas are fully inspectable for their entire length. Australia
AUISM 187 SECRET and TOP SECRET systems belong exclusively to their own cable groups. Australia
AUISM 189 Cables only carry a single cable group, unless each cable group belongs to a different subunit. Australia
AUISM 1114 Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups. Australia
AUISM 1130 In shared facilities, cables are run in an enclosed cable reticulation system. Australia
AUISM 1164 In shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic. Australia
AUISM 195 In shared facilities, uniquely identifiable SCEC-approved tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems. Australia
AUISM 194 In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduits connected by threaded lock nuts. Australia
AUISM 201 Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ëTS RUNí. Australia
AUISM 1115 Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit. Australia
AUISM 1133 In shared facilities, TOP SECRET cables are not run in party walls. Australia
AUISM 1122 Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound. Australia
AUISM 1104 Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different systems. Australia
AUISM 1105 Different cables groups do not share a wall outlet box. Australia
AUISM 1095 Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier. Australia
AUISM 1107 OFFICIAL and PROTECTED wall outlet boxes are coloured neither salmon pink nor red. Australia
AUISM 1720 SECRET wall outlet boxes are coloured salmon pink. Australia
AUISM 1721 TOP SECRET wall outlet boxes are coloured red. Australia
AUISM 1109 Wall outlet box covers are clear plastic. Australia
AUISM 218 If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet boxís identifier. Australia
AUISM 1102 Cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet. Australia
AUISM 1101 In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or communications rooms are terminated as close as possible to the cabinet. Australia
AUISM 1103 In TOP SECRET areas, cable reticulation systems leading into cabinets not in server rooms or communications rooms are terminated at the boundary of the cabinet. Australia
AUISM 1098 Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups. Australia
AUISM 1100 TOP SECRET cables are terminated in an individual TOP SECRET cabinet. Australia
AUISM 213 Different cable groups do not terminate on the same patch panel. Australia
AUISM 1116 There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications. Australia
AUISM 216 TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets. Australia
AUISM 217 Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:[ul][li]a physical barrier in the cabinet is provided to separate patch panels[/li][li]only personnel holding a Positive Vetting security clearance have access to the cabinet[/li][li]approval from the TOP SECRET systemís authorising officer is obtained prior to installation.[/li] Australia
AUISM 198 When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Organisation is consulted and all directions provided are complied with. Australia
AUISM 1123 A power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment. Australia
AUISM 248 System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 247 System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 1137 System owners deploying SECRET or TOP SECRET systems in shared facilities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 249 System owners deploying systems or military platforms overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 246 An emanation security threat assessment is sought as early as possible in a systemís life cycle as implementing emanation security can have significant cost implications. Australia
AUISM 250 ICT equipment meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility. Australia
AUISM 1078 A telephone system usage policy is developed, implemented and maintained. Australia
AUISM 229 Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems. Australia
AUISM 230 Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur. Australia
AUISM 231 When using cryptographic equipment to permit different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made. Australia
AUISM 232 Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems. Australia
AUISM 233 Cordless telephone systems are not used for sensitive or classified conversations. Australia
AUISM 235 Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in an audio secure room, the room is audio secure during conversations and only personnel involved in conversations are present in the room. Australia
AUISM 236 Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating. Australia
AUISM 931 In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements. Australia
AUISM 1562 Video conferencing and IP telephony infrastructure is hardened. Australia
AUISM 546 When video conferencing or IP telephony traffic passes through a gateway containing a firewall or proxy, a video-aware or voice-aware firewall or proxy is used. Australia
AUISM 548 Video conferencing and IP telephony calls are established using a secure session initiation protocol. Australia
AUISM 547 Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol. Australia
AUISM 554 An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation. Australia
AUISM 553 Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings. Australia
AUISM 555 Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail. Australia
AUISM 551 IP telephony is configured such that:[ul][li]IP phones authenticate themselves to the call controller upon registration[/li][li]auto-registration is disabled and only authorised devices are allowed to access the network[/li][li]unauthorised devices are blocked by default[/li][li]all unused and prohibited functionality is disabled.[/li] Australia
AUISM 1014 Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations. Australia
AUISM 549 Video conferencing and IP telephony traffic is separated physically or logically from other data traffic. Australia
AUISM 556 Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses Virtual Local Area Networks or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic. Australia
AUISM 558 IP phones used in public areas do not have the ability to access data networks, voicemail and directory services. Australia
AUISM 559 Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas. Australia
AUISM 1450 Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas. Australia
AUISM 1019 A denial of service response plan for video conferencing and IP telephony services is developed, implemented and maintained. Australia
AUISM 1805 A denial of service response plan for video conferencing and IP telephony services contains the following:[ul][li]how to identify signs of a denial-of-service attack[/li][li]how to identify the source of a denial-of-service attack[/li][li]how capabilities can be maintained during a denial-of-service attack[/li][li]what actions can be taken to respond to a denial-of-service attack.[/li] Australia
AUISM 588 A fax machine and MFD usage policy is developed, implemented and maintained. Australia
AUISM 1092 Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages. Australia
AUISM 241 When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure. Australia
AUISM 1075 The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time. Australia
AUISM 590 Controls for MFDs connected to networks are of a similar strength to those for other devices on networks. Australia
AUISM 245 A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected. Australia
AUISM 589 MFDs connected to networks are not used to copy documents above the sensitivity or classification of connected networks. Australia
AUISM 1036 Fax machines and MFDs are located in areas where their use can be observed. Australia
AUISM 1533 A mobile device management policy is developed, implemented and maintained. Australia
AUISM 1195 A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices. Australia
AUISM 687 Mobile devices do not process, store or communicate SECRET or TOP SECRET data until approved for use by ASD. Australia
AUISM 1297 Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data. Australia
AUISM 1400 Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data. Australia
AUISM 694 Privately-owned mobile devices do not access SECRET and TOP SECRET systems or data. Australia
AUISM 1482 Personnel accessing systems or data using an organisation-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data. Australia
AUISM 869 Mobile devices encrypt their internal storage and any removable media. Australia
AUISM 1085 Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure. Australia
AUISM 1196 OFFICIAL and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing. Australia
AUISM 1200 Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported. Australia
AUISM 1198 Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices. Australia
AUISM 1199 Bluetooth pairings for OFFICIAL and PROTECTED mobile devices are removed when there is no longer a requirement for their use. Australia
AUISM 682 Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices. Australia
AUISM 863 Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned. Australia
AUISM 864 Mobile devices prevent personnel from disabling or modifying security functionality once provisioned. Australia
AUISM 1366 Security updates are applied to mobile devices as soon as they become available. Australia
AUISM 874 Mobile devices access the internet via a VPN connection to an organisationís internet gateway rather than via a direct connection to the internet. Australia
AUISM 705 When accessing an organisationís network via a VPN connection, split tunnelling is disabled. Australia
AUISM 1082 A mobile device usage policy is developed, implemented and maintained. Australia
AUISM 1083 Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices. Australia
AUISM 240 Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data. Australia
AUISM 866 Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed. Australia
AUISM 1145 Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices. Australia
AUISM 1644 Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard. Australia
AUISM 871 Mobile devices are kept under continual direct supervision when being actively used. Australia
AUISM 870 Mobile devices are carried or stored in a secured state when not being actively used. Australia
AUISM 1084 If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag. Australia
AUISM 701 Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed, implemented and maintained. Australia
AUISM 702 If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures. Australia
AUISM 1298 Personnel are advised of privacy and security risks when travelling overseas with mobile devices. Australia
AUISM 1554 If travelling overseas with mobile devices to high or extreme risk countries, personnel are:[ul][li]issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities[/li][li]advised on how to apply and inspect tamper seals to key areas of mobile devices[/li][li]advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.[/li] Australia
AUISM 1555 Before travelling overseas with mobile devices, personnel take the following actions:[ul][li]record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers[/li][li]update all operating systems and applications[/li][li]remove all non-essential accounts, applications and data[/li][li]apply security configuration settings, such as lock screens[/li][li]configure remote locate and wipe functionality[/li][li]enable encryption, including for any removable media[/li][li]backup all important data and configuration settings.[/li] Australia
AUISM 1299 Personnel take the following precautions when travelling overseas with mobile devices:[ul][li]never leaving mobile devices or removable media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes[/li][li]never storing credentials with mobile devices that they grant access to, such as in laptop bags[/li][li]never lending mobile devices or removable media to untrusted people, even if briefly[/li][li]never allowing untrusted people to connect their mobile devices or removable media, including for charging[/li][li]never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people[/li][li]avoiding connecting mobile devices to open or untrusted Wi-Fi networks[/li][li]using a VPN connection to encrypt all mobile device communications[/li][li]using encrypted messaging apps for communications instead of using foreign telecommunication networks[/li][li]disabling any communications capabilities of mobile devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication[/li][li]avoiding reuse of removable media once used with other partiesí systems or mobile devices[/li][li]ensuring any removable media used for data transfers are thoroughly checked for malicious code beforehand[/li][li]never using any gifted mobile devices, especially removable media, when travelling or upon returning from travelling.[/li] Australia
AUISM 1088 Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they:[ul][li]provide credentials to foreign government officials[/li][li]decrypt mobile devices for foreign government officials[/li][li]have mobile devices taken out of sight by foreign government officials[/li][li]have mobile devices or removable media stolen that are later returned[/li][li]lose mobile devices or removable media that are later found[/li][li]observe unusual behaviour of mobile devices.[/li] Australia
AUISM 1300 Upon returning from travelling overseas with mobile devices, personnel take the following actions:[ul][li]sanitise and reset mobile devices, including all removable media[/li][li]decommission any credentials that left their possession during their travel[/li][li]report if significant doubt exists as to the integrity of any mobile devices or removable media.[/li] Australia
AUISM 1556 If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions:[ul][li]reset credentials used with mobile devices, including those used for remote access to their organisationís systems[/li][li]monitor accounts for any indicators of compromise, such as failed logon attempts.[/li] Australia
AUISM 280 If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation. Australia
AUISM 285 Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation. Australia
AUISM 286 When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures. Australia
AUISM 289 Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation. Australia
AUISM 290 High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC. Australia
AUISM 292 High assurance ICT equipment is always operated in an evaluated configuration. Australia
AUISM 1551 An ICT equipment management policy is developed, implemented and maintained. Australia
AUISM 336 An ICT equipment register is developed, implemented, maintained and verified on a regular basis. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Security - Plans and Quality Australia Y
AUISM 294 ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification. Australia
AUISM 296 The Australian Cyber Security Centre (ACSC)ís approval is sought before applying labels to external surfaces of high assurance ICT equipment. Australia
AUISM 293 ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating. Australia
AUISM 1599 ICT equipment is handled in a manner suitable for its sensitivity or classification. Australia
AUISM 1079 The ACSCís approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment. Australia
AUISM 305 Maintenance and repairs of ICT equipment is carried out on site by an appropriately cleared technician. Australia
AUISM 307 If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken. Australia
AUISM 306 If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:[ul][li]is appropriately cleared and briefed[/li][li]takes due care to ensure that data is not disclosed[/li][li]takes all responsible measures to ensure the integrity of the ICT equipment[/li][li]has the authority to direct the technician[/li][li]is sufficiently familiar with the ICT equipment to understand the work being performed.[/li] Australia
AUISM 310 ICT equipment maintained or repaired off site is done so at facilities approved for handling the sensitivity or classification of the ICT equipment. Australia
AUISM 1598 Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place. Australia
AUISM 313 ICT equipment sanitisation processes, and supporting ICT equipment sanitisation procedures, are developed, implemented and maintained. Australia
AUISM 1741 ICT equipment destruction processes, and supporting ICT equipment destruction procedures, are developed, implemented and maintained. Australia
AUISM 311 ICT equipment containing media is sanitised by removing the media from the ICT equipment or by sanitising the media in situ. Australia
AUISM 1742 ICT equipment that cannot be sanitised is destroyed. Australia
AUISM 1218 ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in situ. Australia
AUISM 312 ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction. Australia
AUISM 315 High assurance ICT equipment is destroyed prior to its disposal. Australia
AUISM 317 At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum. Australia
AUISM 1219 MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or a print is visible on the image transfer roller. Australia
AUISM 1220 Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen. Australia
AUISM 1221 Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam. Australia
AUISM 318 When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices. Australia
AUISM 1534 Printer ribbons in printers and MFDs are removed and destroyed. Australia
AUISM 1076 Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time. Australia
AUISM 1222 Televisions and computer monitors that cannot be sanitised are destroyed. Australia
AUISM 1223 Memory in network devices is sanitised using the following processes, in order of preference:[ul][li]following device-specific guidance provided in evaluation documentation[/li][li]following vendor sanitisation guidance[/li][li]loading a dummy configuration file, performing a factory reset and then reinstalling firmware.[/li] Australia
AUISM 1225 The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed. Australia
AUISM 1226 Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam. Australia
AUISM 1550 ICT equipment disposal processes, and supporting ICT equipment disposal procedures, are developed, implemented and maintained. Australia
AUISM 1217 Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate ICT equipment with its prior use are removed prior to its disposal. Australia
AUISM 321 When disposing of ICT equipment that has been designed or modified to meet emanation security standards, the ACSC is contacted for requirements relating to its disposal. Australia
AUISM 316 Following sanitisation, destruction or declassification, a formal administrative decision is made to release ICT equipment, or its waste, into the public domain. Australia
AUISM 1549 A media management policy is developed, implemented and maintained. Australia
AUISM 1359 A removable media usage policy is developed, implemented and maintained. Australia
AUISM 1713 A removable media register is developed, implemented, maintained and verified on a regular basis. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Security - Plans and Quality Australia Y
AUISM 332 Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification. Australia
AUISM 323 Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification. Australia
AUISM 337 Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification. Australia
AUISM 325 Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured. Australia
AUISM 330 Before reclassifying media to a lower sensitivity or classification, the media is sanitised or destroyed, and a formal administrative decision is made to reclassify it. Australia
AUISM 831 Media is handled in a manner suitable for its sensitivity or classification. Australia
AUISM 1059 All data stored on media is encrypted. Australia
AUISM 1600 Media is sanitised before it is used for the first time. Australia
AUISM 1642 Media is sanitised before it is reused in a different security domain. Australia
AUISM 347 When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured. Australia
AUISM 947 When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer. Australia
AUISM 348 Media sanitisation processes, and supporting media sanitisation procedures, are developed, implemented and maintained. Australia
AUISM 351 Volatile media is sanitised by removing its power for at least 10 minutes. Australia
AUISM 352 SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 835 Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time. Australia
AUISM 354 Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 1065 The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives. Australia
AUISM 1067 The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten. Australia
AUISM 356 Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification. Australia
AUISM 357 Non-volatile EPROM media is sanitised by applying three times the manufacturerís specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 836 Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 358 Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification. Australia
AUISM 359 Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 360 Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification. Australia
AUISM 1735 Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its disposal. Australia
AUISM 363 Media destruction processes, and supporting media destruction procedures, are developed, implemented and maintained. Australia
AUISM 350 The following media types are destroyed prior to their disposal:[ul][li]microfiche and microfilm[/li][li]optical discs[/li][li]programmable read-only memory[/li][li]read-only memory[/li][li]other types of media that cannot be sanitised.[/li] Australia
AUISM 1361 Security Construction and Equipment Committee-approved equipment or ASIO-approved equipment is used when destroying media. Australia
AUISM 1160 If using degaussers to destroy media, degaussers evaluated by the United Statesí National Security Agency are used. Australia
AUISM 1517 Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm. Australia
AUISM 1722 Electrostatic memory devices are destroyed using a furnace/incinerator, hammer mill, disintegrator or grinder/sander. Australia
AUISM 1723 Magnetic floppy disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, degausser or by cutting. Australia
AUISM 1724 Magnetic hard disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or degausser. Australia
AUISM 1725 Magnetic tapes are destroyed using a furnace/incinerator, hammer mill, disintegrator, degausser or by cutting. Australia
AUISM 1726 Optical disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or by cutting. Australia
AUISM 1727 Semiconductor memory is destroyed using a furnace/incinerator, hammer mill or disintegrator. Australia
AUISM 368 Media destroyed using a hammer mill, disintegrator, grinder/sander or by cutting results in media waste particles no larger than 9 mm. Australia
AUISM 1728 The resulting media waste particles from the destruction of SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm. Australia
AUISM 1729 The resulting media waste particles from the destruction of TOP SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm. Australia
AUISM 361 Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic orientation. Australia
AUISM 362 Product-specific directions provided by degausser manufacturers are followed. Australia
AUISM 1641 Following the use of a degausser, magnetic media is physically damaged by deforming any internal platters. Australia
AUISM 370 The destruction of media is performed under the supervision of at least one person cleared to its sensitivity or classification. Australia
AUISM 371 Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully. Australia
AUISM 372 The destruction of media storing accountable material is performed under the supervision of at least two personnel cleared to its sensitivity or classification. Australia
AUISM 373 Personnel supervising the destruction of media storing accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards. Australia
AUISM 839 The destruction of media storing accountable material is not outsourced. Australia
AUISM 840 When outsourcing the destruction of media storing non-accountable material, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIOís Protective Security Circular-167, is used. Australia
AUISM 374 Media disposal processes, and supporting media disposal procedures, are developed, implemented and maintained. Australia
AUISM 378 Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate media with its prior use are removed prior to its disposal. Australia
AUISM 375 Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain. Australia
AUISM 1743 Operating systems are chosen from vendors that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. Australia
AUISM 1407 The latest release, or the previous release, of operating systems are used. Australia
AUISM 1408 Where supported, 64-bit versions of operating systems are used. Australia
AUISM 1406 SOEs are used for workstations and servers. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Security - Technical Australia
AUISM 1608 SOEs provided by third parties are scanned for malicious code and configurations. Australia
AUISM 1588 SOEs are reviewed and updated at least annually. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Security - Technical Australia
AUISM 1409 ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems. Australia
AUISM 380 Unneeded accounts, components, services and functionality of operating systems are disabled or removed. Australia
AUISM 383 Default accounts or credentials for operating systems, including for any pre-configured accounts, are changed. Australia
AUISM 341 Automatic execution features for removable media are disabled. Australia
AUISM 1654 Internet Explorer 11 is disabled or removed. Australia
AUISM 1655 .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed. Australia
AUISM 1492 Operating system exploit protection functionality is enabled. Australia
AUISM 1745 Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled. Australia
AUISM 1584 Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Security - Access Australia
AUISM 1491 Unprivileged users are prevented from running script execution engines, including:[ul][li]Windows Script Host (cscript.exe and wscript.exe)[/li][li]PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)[/li][li]Command Prompt (cmd.exe)[/li][li]Windows Management Instrumentation (wmic.exe)[/li][li]Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).[/li] Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Security - Access Australia
AUISM 1592 Unprivileged users do not have the ability to install unapproved software. Australia
AUISM 382 Unprivileged users do not have the ability to uninstall or disable approved software. Australia
AUISM 843 Application control is implemented on workstations. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1490 Application control is implemented on internet-facing servers. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1656 Application control is implemented on non-internet-facing servers. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1657 Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1658 Application control restricts the execution of drivers to an organisation-approved set. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 955 Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1582 Application control rulesets are validated on an annual or more frequent basis. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1471 When implementing application control using publisher certificate rules, both publisher names and product names are used. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1392 When implementing application control using path rules, only approved users can write to and modify content within approved folders and files. Australia
AUISM 1746 When implementing application control using path rules, only approved users can change file system permissions for approved folders and files. Australia
AUISM 1544 Microsoftís ërecommended block rulesí are implemented. Australia
AUISM 1659 Microsoftís ërecommended driver block rulesí are implemented. Australia
AUISM 846 All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control. Australia
AUISM 1660 Allowed and blocked execution events on workstations are logged. Australia
AUISM 1661 Allowed and blocked execution events on internet-facing servers are logged. Australia
AUISM 1662 Allowed and blocked execution events on non-internet-facing servers are logged. Australia
AUISM 1663 Application control event logs are stored centrally. Australia
AUISM 1621 Windows PowerShell 2.0 is disabled or removed. Australia
AUISM 1622 PowerShell is configured to use Constrained Language Mode. Australia
AUISM 1623 PowerShell is configured to use module logging, script block logging and transcription functionality. Australia
AUISM 1624 PowerShell script block logs are protected by Protected Event Logging functionality. Australia
AUISM 1664 Blocked PowerShell script execution events are logged. Australia
AUISM 1665 PowerShell event logs are stored centrally. Australia
AUISM 1341 A HIPS is implemented on workstations. Are production servers (e.g., authentication servers, Domain Name System (DNS),web servers, file servers and email servers), containers, serverless servicesand all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1034 A HIPS is implemented on critical servers and high-value servers. Are production servers (e.g., authentication servers, Domain Name System (DNS),web servers, file servers and email servers), containers, serverless servicesand all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1416 A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services. Are production servers (e.g., authentication servers, Domain Name System (DNS),web servers, file servers and email servers), containers, serverless servicesand all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1417 Antivirus software is implemented on workstations and servers with:[ul][li]signature-based detection functionality enabled and set to a high level[/li][li]heuristic-based detection functionality enabled and set to a high level[/li][li]reputation rating functionality enabled[/li][li]ransomware protection functionality enabled[/li][li]detection signatures configured to update on at least a daily basis[/li][li]regular scanning configured for all fixed disks and removable media.[/li] Are production servers (e.g., authentication servers, Domain Name System (DNS),web servers, file servers and email servers), containers, serverless servicesand all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1418 If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces. Australia
AUISM 343 If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces. Australia
AUISM 345 External communication interfaces that allow DMA are disabled. Australia
AUISM 582 The following events are logged for operating systems:[ul][li]application and operating system crashes and error messages[/li][li]changes to security policies and system configurations[/li][li]successful user logons and logoffs, failed user logons and account lockouts[/li][li]failures, restarts and changes to important processes and services[/li][li]requests to access internet resources[/li][li]security product-related events[/li][li]system startups and shutdowns.[/li] Australia
AUISM 1747 Operating system event logs are stored centrally. Australia
AUISM 938 Applications are chosen from vendors that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. Australia
AUISM 1467 The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used. Australia
AUISM 1483 The latest release of web server applications, and other internet-accessible server applications, are used. Australia
AUISM 1806 Default accounts or credentials for applications, including for any pre-configured accounts, are changed. Australia
AUISM 1412 ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented. Australia
AUISM 1470 Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. Australia
AUISM 1235 Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security products are restricted to an organisation-approved set. Australia
AUISM 1486 Web browsers do not process Java from the internet. Australia
AUISM 1485 Web browsers do not process web advertisements from the internet. Australia
AUISM 1666 Internet Explorer 11 does not process content from the internet. Australia
AUISM 1667 Microsoft Office is blocked from creating child processes. Australia
AUISM 1668 Microsoft Office is blocked from creating executable content. Australia
AUISM 1669 Microsoft Office is blocked from injecting code into other processes. Australia
AUISM 1542 Microsoft Office is configured to prevent activation of Object Linking and Embedding packages. Australia
AUISM 1670 PDF software is blocked from creating child processes. Australia
AUISM 1601 Microsoftís Attack Surface Reduction rules are implemented. Australia
AUISM 1585 Web browser, Microsoft Office and PDF software security settings cannot be changed by users. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Security - Technical Australia
AUISM 1748 Office productivity suite, email client and security product security settings cannot be changed by users. Australia
AUISM 1671 Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. Australia
AUISM 1488 Microsoft Office macros in files originating from the internet are blocked. Does your organisation: - disable the internal use of business productivity tool macros (e.g., Microsoft Office macros) and scripts (VB, java, PowerShell) for users that don't have a demonstrated business requirement; - block macros in files originating from the internet; - enable macro antivirus scanning; and - ensure macro security settings can't be changed by users? Security - Technical Australia Y
AUISM 1672 Microsoft Office macro antivirus scanning is enabled. Australia
AUISM 1673 Microsoft Office macros are blocked from making Win32 API calls. Australia
AUISM 1674 Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute. Australia
AUISM 1487 Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations. Does your organisation: - disable the internal use of business productivity tool macros (e.g., Microsoft Office macros) and scripts (VB, java, PowerShell) for users that don't have a demonstrated business requirement; - block macros in files originating from the internet; - enable macro antivirus scanning; and - ensure macro security settings can't be changed by users? Security - Technical Australia Y
AUISM 1675 Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View. Australia
AUISM 1676 Microsoft Officeís list of trusted publishers is validated on an annual or more frequent basis. Australia
AUISM 1489 Microsoft Office macro security settings cannot be changed by users. Does your organisation: - disable the internal use of business productivity tool macros (e.g., Microsoft Office macros) and scripts (VB, java, PowerShell) for users that don't have a demonstrated business requirement; - block macros in files originating from the internet; - enable macro antivirus scanning; and - ensure macro security settings can't be changed by users? Security - Technical Australia Y
AUISM 1677 Allowed and blocked Microsoft Office macro execution events are logged. Australia
AUISM 1678 Microsoft Office macro event logs are stored centrally. Australia
AUISM 1546 Users are authenticated before they are granted access to a system and its resources. Australia
AUISM 974 Multi-factor authentication is used to authenticate unprivileged users of systems. Within the service, do you offer multi-factor authentication forend-users? Security - Access Australia
AUISM 1173 Multi-factor authentication is used to authenticate privileged users of systems. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Security - Access Australia
AUISM 1504 Multi-factor authentication is used by an organisationís users if they authenticate to their organisationís internet-facing services. Australia
AUISM 1679 Multi-factor authentication is used by an organisationís users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data. Australia
AUISM 1680 Multi-factor authentication (where available) is used by an organisationís users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data. Australia
AUISM 1681 Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisationís internet-facing services. Australia
AUISM 1505 Multi-factor authentication is used to authenticate users accessing important data repositories. Australia
AUISM 1401 Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are. Australia
AUISM 1682 Multi-factor authentication is verifier impersonation resistant. Australia
AUISM 1559 Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply. At a minimum, are the following password requirements enforced for vendor staff, external contractors or associates with access to the organisation's systems and the service: if using single factor authentication, passwords are a minimum of 14 characters with controls that limit predictability (inc. complexity) if using multi-factor authentication, passwords are a minimum of eight characters Security - Access Australia
AUISM 1560 Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters. Australia
AUISM 1561 Memorised secrets used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters. Australia
AUISM 1683 Successful and unsuccessful multi-factor authentication events are logged. Australia
AUISM 1684 Multi-factor authentication event logs are stored centrally. Australia
AUISM 417 When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead. Australia
AUISM 421 Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply. At a minimum, are the following password requirements enforced for vendor staff, external contractors or associates with access to the organisation's systems and the service: if using single factor authentication, passwords are a minimum of 14 characters with controls that limit predictability (inc. complexity) if using multi-factor authentication, passwords are a minimum of eight characters Security - Access Australia
AUISM 1557 Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters. Australia
AUISM 422 Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters. Australia
AUISM 1558 Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a natural language; and are not constructed from song lyrics, movies, literature or any other publicly available material. Australia
AUISM 1593 Users provide sufficient evidence to verify their identity when requesting new credentials. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1227 Credentials set for user accounts are randomly generated. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1594 Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1595 Credentials provided to users are changed on first use. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1596 Credentials, in the form of memorised secrets, are not reused by users across different systems. Australia
AUISM 1403 Accounts are locked out after a maximum of five failed logon attempts. Australia
AUISM 1603 Authentication methods susceptible to replay attacks are disabled. Australia
AUISM 1055 LAN Manager and NT LAN Manager authentication methods are disabled. Australia
AUISM 1620 Privileged accounts are members of the Protected Users security group. Australia
AUISM 1685 Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed. Australia
AUISM 1619 Service accounts are created as group Managed Service Accounts. Australia
AUISM 1795 Credentials for local administrator accounts and service accounts are a minimum of 30 characters. Australia
AUISM 418 Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities. Australia
AUISM 1597 Credentials are obscured as they are entered into systems. Australia
AUISM 1402 Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database. Are all passwords used to access the service (i.e. user, system, and privileged account passwords) protected in line with the recommendations of at least one of: the Australia Cyber Security Centre Information Security Manual; New Zealand Information Security Manual and/or Open Web Application Security Program's Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation for ensuring passwords are hashed, salted and stretched? Security - Access Australia
AUISM 1686 Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled. Australia
AUISM 1749 Cached credentials are limited to one previous logon. Australia
AUISM 1590 Credentials are changed if:[ul][li]they are directly compromised[/li][li]they are suspected of being compromised[/li][li]they appear in an online data breach database[/li][li]they are discovered stored on networks in the clear[/li][li]they are discovered being transferred across networks in the clear[/li][li]membership of a shared account changes[/li][li]they have not been changed in the past 12 months.[/li] Australia
AUISM 853 On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted. Australia
AUISM 428 Systems are configured with a session or screen lock that:[ul][li]activates after a maximum of 15 minutes of user inactivity, or if manually activated by users[/li][li]conceals all session content on the screen[/li][li]ensures that the screen does not enter a power saving state before the session or screen lock is activated[/li][li]requires users to authenticate to unlock the session[/li][li]denies users the ability to disable the session or screen locking mechanism.[/li] Are all internal organisation systems (including operating systems) configured with a session or screen lock that: - activates after a maximum of 15 minutes of user inactivity or if manually activated by the user; - activates after a maximum of 2 minutes of user inactivity or if manually activated by the user for mobile end-user devices; - completely conceals all information on the screen; - ensures that the screen does not enter a power saving state before the screen or session lock is activated; - requires the user to reauthenticate to unlock the system; and - denies users the ability to disable the session or screen locking mechanism? - does not display any secure information of its own Security - Access Australia
AUISM 408 Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted. Australia
AUISM 979 Legal advice is sought on the exact wording of logon banners. Australia
AUISM 1460 When using a software-based isolation mechanism to share a physical serverís hardware, the isolation mechanism is from a vendor that has made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. Australia
AUISM 1604 When using a software-based isolation mechanism to share a physical serverís hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism. Australia
AUISM 1605 When using a software-based isolation mechanism to share a physical serverís hardware, the underlying operating system is hardened. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Security - Technical Australia
AUISM 1606 When using a software-based isolation mechanism to share a physical serverís hardware, patches, updates or vendor mitigations for security vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner. Australia
AUISM 1607 When using a software-based isolation mechanism to share a physical serverís hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner. Australia
AUISM 1461 When using a software-based isolation mechanism to share a physical serverís hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain. Australia
AUISM 42 System administration processes, and supporting system administration procedures, are developed, implemented and maintained. Australia
AUISM 1211 System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation. Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalised Security - Plans and Quality Australia Y
AUISM 1380 Privileged users use separate privileged and unprivileged operating environments. Australia
AUISM 1687 Privileged operating environments are not virtualised within unprivileged operating environments. Australia
AUISM 1688 Unprivileged accounts cannot logon to privileged operating environments. Australia
AUISM 1689 Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. Australia
AUISM 1385 Administrative infrastructure is segregated from the wider network. Australia
AUISM 1750 Administrative infrastructure for critical servers, high-value servers and regular servers is segregated from each other. Australia
AUISM 1386 Network management traffic can only originate from administrative infrastructure. Australia
AUISM 1387 Administrative activities are conducted through jump servers. Australia
AUISM 1381 Only privileged operating environments can communicate with jump servers. Australia
AUISM 1388 Only jump servers can communicate with assets requiring administrative activities to be performed. Australia
AUISM 1143 Patch management processes, and supporting patch management procedures, are developed, implemented and maintained. Australia
AUISM 298 A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware. Does your organisation use a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, and firmware and hardware which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly; and - that by default, patches to the product are applied automatically i.e. without the need for customer action Security - Processess and Testing Australia Y
AUISM 1493 Software registers for workstations, servers, network devices and other ICT equipment are developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1643 Software registers contain versions and patch histories of applications, drivers, operating systems and firmware. Australia
AUISM 1807 An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. Australia
AUISM 1808 A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. Australia
AUISM 1698 A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services. Australia
AUISM 1699 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. Australia
AUISM 1700 A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications. Australia
AUISM 1701 A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services. Australia
AUISM 1702 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices. Australia
AUISM 1752 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of other ICT equipment. Australia
AUISM 1703 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in drivers and firmware. Australia
AUISM 1690 Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 1691 Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. Are patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 1692 Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 1693 Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release. Are patches, updates or vendor mitigations for security vulnerabilities in other applications applied within one month of release? Security - Processess and Testing Australia Y
AUISM 1694 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 1695 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 1696 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 1751 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of other ICT equipment are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 1697 Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processess and Testing Australia Y
AUISM 300 Patches, updates or vendor mitigations for security vulnerabilities in high assurance ICT equipment are applied only when approved by the ACSC, and in doing so, using methods and timeframes prescribed by the ACSC. Australia
AUISM 1704 Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. Australia
AUISM 304 Applications that are no longer supported by vendors are removed. Australia
AUISM 1501 Operating systems that are no longer supported by vendors are replaced. Australia
AUISM 1753 Network devices and other ICT equipment that are no longer supported by vendors are replaced. Australia
AUISM 1809 When applications, operating systems, network devices or other ICT equipment that are no longer supported by vendors cannot be immediately removed or replaced, compensating controls are implemented until such time that they can be removed or replaced. Australia
AUISM 1510 A digital preservation policy is developed, implemented and maintained. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Security - Plans and Quality Australia Y
AUISM 1547 Data backup processes, and supporting data backup procedures, are developed, implemented and maintained. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Security - Plans and Quality Australia Y
AUISM 1548 Data restoration processes, and supporting data restoration procedures, are developed, implemented and maintained. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Security - Plans and Quality Australia Y
AUISM 1511 Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. Are all data backups stored for a minimum of 3 months? Security - Data Deletion and Retention Australia Y
AUISM 1810 Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time. Australia
AUISM 1811 Backups of important data, software and configuration settings are retained in a secure and resilient manner. Australia
AUISM 1812 Unprivileged accounts cannot access backups belonging to other accounts. Australia
AUISM 1813 Unprivileged accounts cannot access their own backups. Australia
AUISM 1705 Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts. Australia
AUISM 1706 Privileged accounts (excluding backup administrator accounts) cannot access their own backups. Australia
AUISM 1814 Unprivileged accounts are prevented from modifying and deleting backups. Australia
AUISM 1707 Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups. Australia
AUISM 1708 Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period. Australia
AUISM 1515 Restoration of important data, software and configuration settings from backups to a common point of time is tested as part of disaster recovery exercises. Is the partial restoration of backups tested on a quarterly or more frequent basis? Security - Data Deletion and Retention Australia Y
AUISM Australia
AUISM 580 An event logging policy is developed, implemented and maintained. Australia
AUISM 585 For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the ICT equipment involved are recorded. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1405 A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur. Has your organisation implemented a centralised logging facility to store logs which: Ensure logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Security - Logging Australia Y
AUISM 1815 Event logs stored within a centralised event logging facility are protected from unauthorised modification and deletion. Australia
AUISM 988 An accurate time source is established and used consistently across systems to assist with identifying connections between events. Australia
AUISM 109 Event logs are analysed in a timely manner to detect cyber security events. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1228 Cyber security events are analysed in a timely manner to identify cyber security incidents. Australia
AUISM 859 Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australiaís Administrative Functions Disposal Authority Express Version 2 publication. Australia
AUISM 991 Domain Name System and web proxy event logs are retained for at least 18 months. Australia
AUISM 400 Development, testing and production environments are segregated. Australia
AUISM 1419 Development and modification of software only takes place in development environments. Australia
AUISM 1420 Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment. Is production data used in non-production (e.g., test and development) environments? Security - Technical Australia Y
AUISM 1422 Unauthorised access to the authoritative source for software is prevented. Australia
AUISM 1816 Unauthorised modification of the authoritative source for software is prevented. Australia
AUISM 401 Secure-by-design principles and secure programming practices are used as part of application development. Australia
AUISM 1780 SecDevOps practices are used for application development. Australia
AUISM 1238 Threat modelling is used in support of application development. Australia
AUISM 1796 Files containing executable content are digitally signed as part of application development. Australia
AUISM 1797 Installers, patches and updates are digitally signed or provided with cryptographic checksums as part of application development. Australia
AUISM 1798 Secure configuration guidance is produced as part of application development. Australia
AUISM 1730 A software bill of materials is produced and made available to consumers of software. Australia
AUISM 402 Applications are robustly tested for security vulnerabilities by software developers, as well as independent parties, prior to their initial release and following any maintenance activities. Australia
AUISM 1754 Security vulnerabilities identified in applications are resolved by software developers. Australia
AUISM 1616 A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? Security - Processes and Testing Australia
AUISM 1755 A vulnerability disclosure policy is developed, implemented and maintained. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? Security - Processes and Testing Australia
AUISM 1756 Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? Security - Processes and Testing Australia
AUISM 1717 A ësecurity.txtí file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of security vulnerabilities in an organisationís products and services. Australia
AUISM 971 The OWASP Application Security Verification Standard is followed when developing web applications. Australia
AUISM 1239 Robust web application frameworks are used in the development of web applications. Are all service application developments assessed as per a security testing methodology that is consistent with the guidance provided by the latest industry standard frameworks (e.g., Open Web Application Security Project (OWASP) Testing Guide v4.2, Building Security In Maturity Model (BSIMM))? Security - Plans and Quality Australia Y
AUISM 1552 All web application content is offered exclusively using HTTPS. Australia
AUISM 1817 Clients are authenticated when calling web APIs that facilitate access to data not authorised for release into the public domain. Australia
AUISM 1818 Clients are authenticated when calling web APIs that facilitate modification of data. Australia
AUISM 1240 Validation or sanitisation is performed on all input handled by web applications. Australia
AUISM 1241 Output encoding is performed on all output produced by web applications. Australia
AUISM 1424 Web applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers. Australia
AUISM 1536 The following events are logged for web applications: attempted access that is denied, crashes and error messages, and search queries initiated by users. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1757 Web application event logs are stored centrally. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1269 Database servers and web servers are functionally separated. Australia
AUISM 1277 Data communicated between database servers and web servers is encrypted. What are the minimum encryption algorithms applied to protect all data in transit over networks, including encryption of data that is communicated between the user, web applications and system components (e.g., database systems)? Security - Technical Australia
AUISM 1270 Database servers are placed on a different network segment to user workstations. Australia
AUISM 1271 Network access controls are implemented to restrict database server communications to strictly defined network resources, such as web servers, application servers and storage area networks. Australia
AUISM 1272 If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface. Australia
AUISM 1273 Development and testing environments do not use the same database servers as production environments. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1245 All temporary installation files and logs are removed after DBMS software has been installed. Australia
AUISM 1246 DBMS software is configured according to vendor guidance. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1247 Unneeded accounts, components, services and functionality of DBMS software are disabled or removed. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1249 DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1250 The account under which DBMS software runs has limited access to non-essential areas of the database serverís file system. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1251 The ability of DBMS software to read local files from its database server is disabled. Australia
AUISM 1260 Default database administrator accounts are disabled, renamed or have their credentials changed. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1262 Database administrators have unique and identifiable accounts. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1261 Database administrator accounts are not shared across different databases. Australia
AUISM 1263 Database administrator accounts are used exclusively for administrative activities, with standard database accounts used for general purpose interactions with databases. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1264 Database administrator access is restricted to defined roles rather than accounts with default administrative permissions or all permissions. Australia
AUISM 1243 A database register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1256 File-based access controls are applied to database files. Australia
AUISM 393 Databases and their contents are classified based on the sensitivity or classification of data that they contain. Australia
AUISM 1255 Database usersí ability to access, insert, modify and remove database contents is restricted based on their work duties. Australia
AUISM 1268 The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles. Australia
AUISM 1274 Database contents from production environments are not used in development or testing environments unless the environment is secured to the same level as the production environment. Australia
AUISM 1275 All queries to databases from web applications are filtered for legitimate content and correct syntax. Australia
AUISM 1276 Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries. Australia
AUISM 1278 Web applications are designed to provide as little error information as possible about the structure of databases. Australia
AUISM 1537 The following events are logged for databases:[ul][li]access or modification of particularly important content[/li][li]addition of new users, especially privileged users[/li][li]changes to user roles or privileges[/li][li]attempts to elevate user privileges[/li][li]queries containing comments[/li][li]queries containing multiple embedded queries[/li][li]database and query alerts or failures[/li][li]database structure changes[/li][li]database administrator actions[/li][li]use of executable commands[/li][li]database logons and logoffs.[/li] Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia
AUISM 1758 Database event logs are stored centrally. Australia
AUISM 264 An email usage policy is developed, implemented and maintained. Australia
AUISM 267 Access to non-approved webmail services is blocked. Australia
AUISM 270 Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments. Australia
AUISM 271 Protective marking tools do not automatically insert protective markings into emails. Australia
AUISM 272 Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate. Australia
AUISM 1089 Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used. Australia
AUISM 565 Email servers are configured to block, log and report emails with inappropriate protective markings. Australia
AUISM 1023 The intended recipients of blocked inbound emails, and the senders of blocked outbound emails, are notified. Australia
AUISM 269 Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are not sent to email distribution lists unless the nationality of all members of email distribution lists can be confirmed. Australia
AUISM 569 Emails are routed via centralised email gateways. Australia
AUISM 571 When users send or receive emails, an authenticated and encrypted channel is used to route emails via their organisationís centralised email gateways. Australia
AUISM 570 Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway. Australia
AUISM 567 Email servers only relay emails destined for or originating from their domains (including subdomains). Australia
AUISM 572 Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure. Australia
AUISM 1589 MTA-STS is enabled to prevent the unencrypted transfer of emails between complying servers. Australia
AUISM 574 SPF is used to specify authorised email servers (or lack thereof) for all domains (including subdomains). Australia
AUISM 1183 A hard fail SPF record is used when specifying authorised email servers (or lack thereof) for all domains (including subdomains). Australia
AUISM 1151 SPF is used to verify the authenticity of incoming emails. Australia
AUISM 861 DKIM signing is enabled on emails originating from an organisationís domains (including subdomains). Australia
AUISM 1026 DKIM signatures on received emails are verified. Australia
AUISM 1027 Email distribution list software used by external senders is configured such that it does not break the validity of the senderís DKIM signature. Australia
AUISM 1540 DMARC records are configured for all domains (including subdomains) such that emails are rejected if they do not pass DMARC checks. Australia
AUISM 1799 Incoming emails are rejected if they do not pass DMARC checks. Australia
AUISM 1234 Email content filtering is implemented to filter potentially harmful content in email bodies and attachments. Australia
AUISM 1502 Emails arriving via an external connection where the email source address uses an internal domain, or internal subdomain, are blocked at the email gateway. Australia
AUISM 1024 Notifications of undeliverable emails are only sent to senders that can be verified via SPF or other trusted means. Australia
AUISM 518 Network documentation is developed, implemented, maintained. Australia
AUISM 516 Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances. Australia
AUISM 1178 Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services. Australia
AUISM 1781 All data communicated over network infrastructure is encrypted. Australia
AUISM 1181 Networks are segregated into multiple network zones according to the criticality of servers, services and data. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1577 An organisationís networks are segregated from their service providersí networks. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1532 VLANs are not used to separate network traffic between an organisationís networks and public network infrastructure. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 529 VLANs are not used to separate network traffic between networks belonging to different security domains. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 530 Network devices managing VLANs are administered from the most trusted security domain. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 535 Network devices managing VLANs belonging to different security domains do not share VLAN trunks. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1364 Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 521 IPv6 functionality is disabled in dual-stack network devices unless it is being used. Australia
AUISM 1186 IPv6 capable network security appliances are used on IPv6 and dual-stack networks. Australia
AUISM 1428 Unless explicitly required, IPv6 tunnelling is disabled on all network devices. Australia
AUISM 1429 IPv6 tunnelling is blocked by network security appliances at externally-connected network boundaries. Australia
AUISM 1430 Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised event logging facility. Australia
AUISM 520 Network access controls are implemented on networks to prevent the connection of unauthorised network devices. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1182 Network access controls are implemented to limit network traffic within and between network segments to only those required for business purposes. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 385 Servers maintain effective functional separation with other servers allowing them to operate independently. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1479 Servers minimise communications with other servers at both the network and file system level. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1006 Security measures are implemented to prevent unauthorised access to network management traffic. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1311 SNMP version 1 and SNMP version 2 are not used on networks. Australia
AUISM 1312 All default SNMP community strings on network devices are changed and write access is disabled. Australia
AUISM 1028 A NIDS or NIPS is deployed in gateways between an organisationís networks and other networks they do not manage. Australia
AUISM 1030 A NIDS or NIPS is located immediately inside the outermost firewall for gateways and configured to generate event logs and alerts for network traffic that contravenes any rule in a firewall ruleset. Australia
AUISM 1627 Inbound network connections from anonymity networks to internet-facing services are blocked. Australia
AUISM 1628 Outbound network connections to anonymity networks are blocked. Australia
AUISM 1782 A protective DNS service is used to block access to known malicious domain names. Australia
AUISM 1800 Network devices are flashed with trusted firmware before they are used for the first time. Australia
AUISM 1304 Default accounts or credentials for network devices including for any pre-configured accounts, are changed. Australia
AUISM 534 Unused physical ports on network devices are disabled. Australia
AUISM 1801 Network devices are restarted on at least a monthly basis. Australia
AUISM 1314 All wireless devices are Wi-Fi Alliance certified. Australia
AUISM 536 Public wireless networks provided for general public use are segregated from all other organisation networks. Australia
AUISM 1315 The administrative interface on wireless access points is disabled for wireless network connections. Australia
AUISM 1710 Configuration settings for wireless access points are hardened. Australia
AUISM 1316 Default SSIDs of wireless access points are changed. Australia
AUISM 1317 SSIDs of non-public wireless networks are not readily associated with an organisation, the location of their premises or the functionality of wireless networks. Australia
AUISM 1318 SSID broadcasting is not disabled on wireless access points. Australia
AUISM 1320 MAC address filtering is not used to restrict which devices can connect to wireless networks. Australia
AUISM 1319 Static addressing is not used for assigning IP addresses on wireless networks. Australia
AUISM 1332 WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic. Australia
AUISM 1321 802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplications and authentication servers. Australia
AUISM 1711 User identity confidentiality is used if available with EAP-TLS implementations. Australia
AUISM 1322 Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks. Australia
AUISM 1324 Certificates are generated using an evaluated certificate authority or hardware security module. Australia
AUISM 1323 Certificates are required for both devices and users accessing wireless networks. Australia
AUISM 1327 Certificates are protected by encryption, user authentication, and both logical and physical access controls. Australia
AUISM 1330 The PMK caching period is not set to greater than 1440 minutes (24 hours). Australia
AUISM 1712 The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD-Approved Cryptographic Protocol. Australia
AUISM 1454 Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security. Australia
AUISM 1334 Wireless networks implement sufficient frequency separation from other wireless networks. Australia
AUISM 1335 Wireless access points enable the use of the 802.11w amendment to protect management frames. Australia
AUISM 1338 Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint for wireless networks. Australia
AUISM 1013 The effective range of wireless communications outside an organisationís area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used. Australia
AUISM 1437 Cloud service providers are used for hosting online services. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1578 An organisation is notified by cloud service providers of any change to configured regions or availability zones for online services. Are customers notified of any relocation or expansion (i.e. change of country) of: • the cloud infrastructure, including system components, user data and related data; and • any person (vendor or cloud infrastructure staff, external contractors or associates) with access to unencrypted customer data or any person with a means of accessing or extracting unencrypted data (e.g., those with access to encryption keys and encrypted customer data), prior to relocation? Security - Hosting and Location Australia Y
AUISM 1579 Cloud service providersí ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes for online services. Australia
AUISM 1580 Where a high availability requirement exists for online services, the services are architected to automatically transition between availability zones. Australia
AUISM 1441 Where a requirement for high availability exists for online services, a denial of service mitigation service is used. Australia
AUISM 1581 Continuous real-time monitoring of the availability of online services is performed. Australia
AUISM 1438 Where a high availability requirement exists for website hosting, CDNs that cache websites are used. Australia
AUISM 1439 If using CDNs, disclosing the IP addresses of web servers under an organisationís control (referred to as origin servers) is avoided and access to the origin servers is restricted to the CDNs and authorised management networks. Australia
AUISM 1431 Denial-of-service attack mitigation strategies are discussed with cloud service providers, specifically:[ul][li]their capacity to withstand denial-of-service attacks[/li][li]any costs likely to be incurred as a result of denial-of-service attacks[/li][li]thresholds for notification of denial-of-service attacks[/li][li]thresholds for turning off online services during denial-of-service attacks[/li][li]pre-approved actions that can be undertaken during denial-of-service attacks[/li][li]any arrangements with upstream service providers to block malicious network traffic as far upstream as possible.[/li] Australia
AUISM 1458 The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented. Australia
AUISM 1432 Domain names for online services are protected via registrar locking and confirming domain registration details are correct. Australia
AUISM 1435 Availability monitoring with real-time alerting is implemented for online services to detect denial-of-service attacks and measure their impact. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Security - Technical Australia Y
AUISM 1436 Critical online services are segregated from other online services that are more likely to be targeted. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1518 A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack. Australia
AUISM 1802 HACE does not process, store or communicate SECRET or TOP SECRET data until approved for use by ASD. Australia
AUISM 499 All communications security and equipment-specific doctrine produced by the ACSC for the management and use of ASD-approved HACE is complied with. Australia
AUISM 507 Cryptographic key management processes, and supporting cryptographic key management procedures, are developed, implemented and maintained. Australia
AUISM 1080 An ASD-Approved Cryptographic Algorithm (AACA) or high assurance cryptographic algorithm is used when encrypting media. Australia
AUISM 457 Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data. Australia
AUISM 460 ASD-approved HACE is used when encrypting media that contains SECRET or TOP SECRET data. Australia
AUISM 459 Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at rest. Australia
AUISM 469 An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect data when communicated over network infrastructure. Australia
AUISM 465 Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure. Australia
AUISM 467 ASD-approved HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure. Australia
AUISM 455 Where practical, cryptographic equipment and software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure. Australia
AUISM 462 When a user authenticates to the encryption functionality of ICT equipment or media, it is treated in accordance with its original sensitivity or classification until the user deauthenticates from the encryption functionality. Australia
AUISM 501 Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material. Australia
AUISM 142 The compromise or suspected compromise of cryptographic equipment or associated keying material is reported to an organisationís Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs. Australia
AUISM 1091 Keying material is changed when compromised or suspected of being compromised. Australia
AUISM 471 Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 994 ECDH and ECDSA are used in preference to DH and DSA. What are the minimum encryption algorithms applied to protect all data in transit over networks, including encryption of data that is communicated between the user, web applications and system components (e.g., database systems)? Security - Technical Australia
AUISM 472 When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used, preferably 3072 bits. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1759 When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used, preferably 3072 bits. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1629 When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3. Australia
AUISM 473 When using DSA for digital signatures, a modulus of at least 2048 bits is used. Australia
AUISM 1630 When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4. Australia
AUISM 1760 DSA is not used for digital signatures. Australia
AUISM 1446 When using elliptic curve cryptography, a curve from FIPS 186-4 is used. Australia
AUISM 474 When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used, preferably the NIST P-384 curve. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1761 When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1762 When using ECDH for agreeing on encryption session keys, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve. Australia
AUISM 475 When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used, preferably the P-384 curve. Australia
AUISM 1763 When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve. Australia
AUISM 1764 When using ECDSA for digital signatures, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve. Australia
AUISM 476 When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used, preferably 3072 bits. Australia
AUISM 1765 When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 3072 bits is used, preferably 3072 bits. Australia
AUISM 477 When using RSA for digital signatures, and for passing encryption session keys or similar keys, a different key pair is used for digital signatures and passing encrypted session keys. Australia
AUISM 1766 When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-384. Australia
AUISM 1767 When using SHA-2 for hashing, an output size of at least 256 bits is used, preferably SHA-384. Australia
AUISM 1768 When using SHA-2 for hashing, an output size of at least 384 bits is used, preferably SHA-384. Australia
AUISM 1769 When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256. Australia
AUISM 1770 When using AES for encryption, AES-192 or AES-256 is used, preferably AES-256. Australia
AUISM 479 Symmetric cryptographic algorithms are not used in Electronic Codebook Mode. Australia
AUISM 481 Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software. Australia
AUISM 1139 Only the latest version of TLS is used for TLS connections. If customer data is uploaded to the service using a mechanism such as encrypted USB, SFTP, Secure API, etc., what are the minimum encryption methodologies applied? Security - Technical Australia
AUISM 1369 AES-GCM is used for encryption of TLS connections. Australia
AUISM 1370 Only server-initiated secure renegotiation is used for TLS connections. Australia
AUISM 1372 DH or ECDH is used for key establishment of TLS connections. Australia
AUISM 1448 When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is used. Australia
AUISM 1373 Anonymous DH is not used for TLS connections. Australia
AUISM 1374 SHA-2-based certificates are used for TLS connections. Australia
AUISM 1375 SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and pseudorandom function (PRF) for TLS connections. Australia
AUISM 1553 TLS compression is disabled for TLS connections. Australia
AUISM 1453 Perfect Forward Secrecy (PFS) is used for TLS connections. Australia
AUISM 1506 The use of SSH version 1 is disabled for SSH connections. Australia
AUISM 484 The SSH daemon is configured to:[ul][li]only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)[/li][li]have a suitable login banner (Banner x)[/li][li]have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)[/li][li]disable host-based authentication (HostbasedAuthentication no)[/li][li]disable rhosts-based authentication (IgnoreRhosts yes)[/li][li]disable the ability to login directly as root (PermitRootLogin no)[/li][li]disable empty passwords (PermitEmptyPasswords no)[/li][li]disable connection forwarding (AllowTCPForwarding no)[/li][li]disable gateway ports (GatewayPorts no)[/li][li]disable X11 forwarding (X11Forwarding no).[/li] Australia
AUISM 485 Public key-based authentication is used for SSH connections. Australia
AUISM 1449 SSH private keys are protected with a passphrase or a key encryption key. Australia
AUISM 487 When using logins without a passphrase for SSH connections, the following are disabled:[ul][li]access from IP addresses that do not require access[/li][li]port forwarding[/li][li]agent credential forwarding[/li][li]X11 display remoting[/li][li]console access.[/li] Australia
AUISM 488 If using remote access without the use of a passphrase for SSH connections, the ëforced commandí option is used to specify what command is executed and parameter checking is enabled. Australia
AUISM 489 When SSH-agent or similar key caching programs are used, it is limited to workstations and servers with screen locks and key caches that are set to expire within four hours of inactivity. Australia
AUISM 490 Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME connections. Australia
AUISM 494 Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used. Australia
AUISM 496 The ESP protocol is used for authentication and encryption of IPsec connections. Australia
AUISM 1233 IKE version 2 is used for key exchange when establishing IPsec connections. Australia
AUISM 1771 AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16. Australia
AUISM 1772 PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for IPsec connections, preferably PRF_HMAC_SHA2_512. Australia
AUISM 998 AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, AUTH_HMAC_SHA2_512_256 or NONE (only with AES-GCM) is used for authenticating IPsec connections, preferably NONE. Australia
AUISM 999 DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group. Australia
AUISM 498 A security association lifetime of less than four hours (14400 seconds) is used for IPsec connections. Australia
AUISM 1000 PFS is used for IPsec connections. Australia
AUISM 628 Gateways are implemented between networks belonging to different security domains. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 637 Gateways implement a demilitarised zone if external parties require access to an organisationís services. Australia
AUISM 631 Gateways only allow explicitly authorised data flows. Australia
AUISM 1192 Gateways inspect and filter data flows at the transport and above network layers. Australia
AUISM 1427 Gateways perform ingress traffic filtering to detect and prevent IP source address spoofing. Australia
AUISM 1520 System administrators for gateways undergo appropriate employment screening and, where necessary, hold an appropriate security clearance based on the sensitivity or classification of gateways. Australia
AUISM 613 System administrators for gateways that connect to Australian Eyes Only or Releasable To networks are Australian nationals. Australia
AUISM 1773 System administrators for gateways that connect to Australian Government Access Only networks are Australian nationals or seconded foreign nationals. Australia
AUISM 611 System administrators for gateways are assigned the minimum privileges required to perform their duties. Australia
AUISM 616 Separation of duties is implemented in performing administrative activities for gateways. Australia
AUISM 612 System administrators for gateways are formally trained on the operation and management of gateways. Australia
AUISM 1774 Gateways are managed via a secure path isolated from all connected networks. Australia
AUISM 629 For gateways between networks belonging to different security domains, any shared components are managed by system administrators for the higher security domain or by system administrators from a mutually-agreed third party. Australia
AUISM 619 Users authenticate to other networks accessed via gateways. Australia
AUISM 622 ICT equipment authenticates to other networks accessed via gateways. Australia
AUISM 1783 Public IP addresses controlled by, or used by, an organisation are signed by valid ROA records. Australia
AUISM 634 The following events are logged for gateways:[ul][li]data packets and data flows permitted through gateways[/li][li]data packets and data flows attempting to leave gateways[/li][li]real-time alerts for attempted intrusions.[/li] Australia
AUISM 1775 Gateway event logs are stored centrally. Australia
AUISM 1037 Gateways undergo testing following configuration changes, and at regular intervals no more than six months apart, to validate they conform to expected security configurations. Australia
AUISM 100 Gateways undergo a security assessment by an IRAP assessor at least every 24 months. Australia
AUISM 626 CDSs are implemented between SECRET or TOP SECRET networks and any other networks belonging to different security domains. Australia
AUISM 597 When planning, designing, implementing or introducing additional connectivity to CDSs, the ACSC is consulted and any directions provided by the ACSC are complied with. Australia
AUISM 635 CDSs implement isolated upward and downward network paths. Australia
AUISM 1522 CDSs implement independent security-enforcing functions for upward and downward network paths. Australia
AUISM 1521 CDSs implement protocol breaks at each network layer. Australia
AUISM 670 All security-relevant events generated by CDSs are logged. Australia
AUISM 1776 CDS event logs are stored centrally. Australia
AUISM 1523 A sample of security-relevant events relating to data transfer policies are taken at least every 3 months and assessed against security policies for CDSs to identify any operational failures. Australia
AUISM 610 Users are trained on the secure use of CDSs before access is granted. Australia
AUISM 1528 Evaluated firewalls are used between an organisationís networks and public network infrastructure. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Security - Technical Australia Y
AUISM 639 Evaluated firewalls are used between networks belonging to different security domains. Australia
AUISM 643 Evaluated diodes are used for controlling the data flow of unidirectional gateways between an organisationís networks and public network infrastructure. Australia
AUISM 645 Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and public network infrastructure complete a high assurance evaluation. Australia
AUISM 1157 Evaluated diodes are used for controlling the data flow of unidirectional gateways between networks. Australia
AUISM 1158 Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and any other networks complete a high assurance evaluation. Australia
AUISM 258 A web usage policy is developed, implemented and maintained. Australia
AUISM 260 All web access, including that by internal servers, is conducted through web proxies. Australia
AUISM 261 The following details are logged for websites accessed via web proxies:[ul][li]address[/li][li]date and time[/li][li]user[/li][li]amount of data uploaded and downloaded[/li][li]internal and external IP addresses.[/li] Australia
AUISM 1777 Web proxy event logs are stored centrally. Australia
AUISM 963 Web content filtering is implemented to filter potentially harmful web-based content. Australia
AUISM 961 Client-side active content is restricted by web content filters to an organisation-approved list of domain names. Australia
AUISM 1237 Web content filtering is applied to outbound web traffic where appropriate. Australia
AUISM 263 TLS traffic communicated through gateways is decrypted and inspected. Australia
AUISM 958 An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways. Australia
AUISM 1236 Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters. Australia
AUISM 1171 Attempts to access websites through their IP addresses instead of their domain names are blocked by web content filters. Australia
AUISM 659 Files imported or exported via gateways or CDSs undergo content filtering checks. Australia
AUISM 651 Files identified by content filtering checks as malicious, or that cannot be inspected, are blocked. Australia
AUISM 652 Files identified by content filtering checks as suspicious are quarantined until reviewed and subsequently approved or not approved for release. Australia
AUISM 1524 Content filters used by CDSs undergo rigorous security testing to ensure they perform as expected and cannot be bypassed. Australia
AUISM 1293 Encrypted files imported or exported via gateways or CDSs are decrypted in order to undergo content filtering checks. Australia
AUISM 1289 Archive files imported or exported via gateways or CDSs are unpacked in order to undergo content filtering checks. Australia
AUISM 1290 Archive files are unpacked in a controlled manner to ensure content filter performance or availability is not adversely affected. Australia
AUISM 1288 Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines. Australia
AUISM 1389 Executable files imported via gateways or CDSs are automatically executed in a sandbox to detect any suspicious behaviour. Australia
AUISM 649 Files imported or exported via gateways or CDSs are filtered for allowed file types. Australia
AUISM 1284 Files imported or exported via gateways or CDSs undergo content validation. Australia
AUISM 1286 Files imported or exported via gateways or CDSs undergo content conversion. Australia
AUISM 1287 Files imported or exported via gateways or CDSs undergo content sanitisation. Australia
AUISM 677 Files imported or exported via gateways or CDSs that have a digital signature or checksum are validated. Australia
AUISM 591 Evaluated peripheral switches are used when sharing peripherals between systems. Australia
AUISM 1457 Evaluated peripheral switches used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably complete a high assurance evaluation. Australia
AUISM 1480 Evaluated peripheral switches used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems complete a high assurance evaluation. Australia
AUISM 663 Data transfer processes, and supporting data transfer procedures, are developed, implemented and maintained. Australia
AUISM 1535 Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in both textual and non-textual formats from being exported to unsuitable foreign systems. From what countries do vendor staff, including support, administration, development and testing, and external contractors or associates, access user data and any related data (e.g., metadata, logs) collected or used by the service (including backups and recovery)? Security - Hosting and Location Australia Y
AUISM 661 Users transferring data to and from systems are held accountable for data transfers they perform. Australia
AUISM 657 When manually importing data to systems, the data is scanned for malicious and active content. At a minimum, are the following features built into the file upload functionality available within the service? - All files are scanned for Malware/Viruses during upload - All files are scanned for Malware/Viruses while at rest - All files found to contain Malware/Viruses are quarantined or deleted Privacy - Functionality Australia Y
AUISM 1778 When manually importing data to systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release. Australia
AUISM 664 Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trusted source beforehand. Australia
AUISM 675 Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trusted source. Australia
AUISM 665 Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorised as such by an organisationís Chief Information Security Officer. Australia
AUISM 1187 When manually exporting data from systems, the data is checked for unsuitable protective markings. Australia
AUISM 669 When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual data. Australia
AUISM 1779 When manually exporting data from systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release. Australia
AUISM 1586 Data transfer logs are used to record all data imports and exports from systems. Australia
AUISM 1294 Data transfer logs for systems are partially verified at least monthly. Australia
AUISM 660 Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly. Australia
CIS 1.1 Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices,†MDM type tools can support this process, where appropriate. This inventory includes assets†connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterpriseís network infrastructure, even if they are†not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Devices Security - Plans and Quality United States 1
CIS 1.2 Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Devices Security - Plans and Quality United States 1
CIS 1.3 Utilize an active discovery tool to identify assets connected to the enterpriseís network. Configure the active discovery tool to execute daily, or more frequently. Devices United States 1
CIS 1.4 Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpriseís asset inventory. Review and use logs to update the enterpriseís asset inventory weekly, or more frequently. Devices United States 1
CIS 1.5 Use a passive discovery tool to identify assets connected to the enterpriseís network. Review and use scans to update the enterpriseís asset inventory at least weekly, or more frequently. Devices United States 1
CIS 2.1 Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Applications Security - Plans and Quality United States 1
CIS 2.2 Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterpriseís mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. Does your organisation have a documented and implemented maintenance policy that outlines the following at a minimum: - management direction and support for maintenance; - requirement to comply with applicable laws and regulations; - governs the development of a maintenance plan for the organisation's software, hardware, and firmware; - ensures that any software no longer supported with updates is either removed as unauthorised, or else documented as an exception with mitigating controls and risk acceptance; - ensures that only fully supported web browsers and email clients are allowed to execute in the enterprise; - is the policy reviewed regularly and in response to security incidents? Applications Security - Plans and Quality United States 1
CIS 2.3 Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. Does your organisation have a documented and implemented maintenance policy that outlines the following at a minimum: - management direction and support for maintenance; - requirement to comply with applicable laws and regulations; - governs the development of a maintenance plan for the organisation's software, hardware, and firmware; - ensures that any software no longer supported with updates is either removed as unauthorised, or else documented as an exception with mitigating controls and risk acceptance; - ensures that only fully supported web browsers and email clients are allowed to execute in the enterprise; - is the policy reviewed regularly and in response to security incidents? Applications Security - Plans and Quality United States 1
CIS 2.4 Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. Applications United States 1
CIS 2.5 Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess†bi-annually, or more frequently. Applications United States 1
CIS 2.6 Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. Applications United States 1
CIS 2.7 Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess†bi-annually, or more frequently. Applications United States 1
CIS 3.1 Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented data management policy that outlines the following at a minimum: - Identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - handling of data; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - is reviewed and updated annually with a priority on sensitive data? Data Security - Plans and Quality United States 1
CIS 3.2 Establish and maintain a data inventory, based on the enterpriseís data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. Does your organisation have a documented and implemented data management policy that outlines the following at a minimum: - Identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - handling of data; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - is reviewed and updated annually with a priority on sensitive data? Data Security - Plans and Quality United States 1
CIS 3.3 Configure data access control lists based on a userís need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. In your organisation, are data access control lists: - Implemented; - configured based on a user's need to know; and - are these controls applied to local and remote file systems, databases and applications? Data Security - Access United States 1
CIS 3.4 Retain data according to the enterpriseís data management process. Data retention must include both minimum and maximum timelines. Does the service have a documented and implemented data retention policy including: - Minimum data retention period; - Maximum data retention period; and - The deletion of identifying or sensitive data which is no longer required? Data Security - Data Deletion and Retention United States 1
CIS 3.5 Securely dispose of data as outlined in the enterpriseís data management process. Ensure the disposal process and method are commensurate with the data sensitivity. Is deletion of data from the service: - Performed securely commensurate with the data's sensitivity; - And certified? Data Security - Data Deletion and Retention United States 1
CIS 3.6 Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. Has your organisation documented and implemented a security policy governing the management and connectivity of mobile devices, including •use of a Mobile Device Management solution applied to all mobile devices and • encryption of any sensitive information transferred to mobile devices? Devices Security - Technical United States 1
CIS 3.8 Document data flows. Data flow documentation includes service provider data flows and should be based on the enterpriseís data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Data United States 1
CIS 3.9 Encrypt data on removable media. Data United States 1
CIS 3.1 Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). Does your organisation have a documented and implemented data management policy that outlines the following at a minimum: - Identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - handling of data; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - is reviewed and updated annually with a priority on sensitive data? Data Security - Plans and Quality United States 1
CIS 3.11 Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. Data United States 1
CIS 3.12 Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. Network United States 1
CIS 3.13 Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory. Data United States 1
CIS 3.14 Log sensitive data access, including modification and disposal. Data United States 1
CIS 4.1 Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Applications Security - Technical United States 1
CIS 4.2 Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Network Security - Technical United States 1
CIS 4.3 Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. Are all internal organisation systems (including operating systems) configured with a session or screen lock that: - activates after a maximum of 15 minutes of user inactivity or if manually activated by the user; - activates after a maximum of 2 minutes of user inactivity or if manually activated by the user for mobile end-user devices; - completely conceals all information on the screen; - ensures that the screen does not enter a power saving state before the screen or session lock is activated; - requires the user to reauthenticate to unlock the system; and - denies users the ability to disable the session or screen locking mechanism? - does not display any secure information of its own Users Security - Access United States 1
CIS 4.4 Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Devices Security - Technical United States 1
CIS 4.5 Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Devices Security - Technical United States 1
CIS 4.6 Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. Within your organisation, does the secure management of enterprise assets and software occur via one or more of the following: • Version controlled infrastructure as code; or • Accessing administrative interfaces securely via SSH or HTTPS? Network Security - Access United States 1
CIS 4.7 Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. Users United States 1
CIS 4.8 Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. Devices United States 1
CIS 4.9 Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. Devices United States 1
CIS 4.1 Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft_ InTune Device Lock and Apple_ Configuration Profile maxFailedAttempts. Devices United States 1
CIS 4.11 Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. Devices United States 1
CIS 5.1 Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the personís name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. Across the organisation is there an inventory of all user, administrator and service accounts, which includes details of the person's name (if applicable), username/identifier, start/stop dates, and department (if an employee), and is this inventory of accounts validated at least every 3 months? Users Security - Access United States 1
CIS 5.2 Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. At a minimum, are the following password requirements enforced for vendor staff, external contractors or associates with access to the organisation's systems and the service: if using single factor authentication, passwords are a minimum of 14 characters with controls that limit predictability (inc. complexity) if using multi-factor authentication, passwords are a minimum of eight characters Users Security - Access United States 1
CIS 5.3 Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. Within the organisation, are all accounts disabled after 45 days of inactivity and are user identifiers blocked from reassignment to new users for a defined period of time? Users Security - Access United States 1
CIS 5.4 Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the userís primary, non-privileged account. In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) Users Security - Access United States 1
CIS 5.5 Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. Users United States 1
CIS 5.6 Centralize account management through a directory or identity service. Users United States 1
CIS 6.1 Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. Is there a documented and implemented process to grant access to systems, applications and data repositories for new personnel (vendor staff, external contractors and associates) or when a user changes roles? Users Security - HR United States 1
CIS 6.2 Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. Users United States 1
CIS 6.3 Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. Across your organisation, are all externally exposed enterprise or third-party applications required to enforce multi-factor authentication? Users Security - Access United States 1
CIS 6.4 Require MFA for remote network access. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Users Security - Access United States 1
CIS 6.5 Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Users Security - Access United States 1
CIS 6.6 Establish and maintain an inventory of the enterpriseís authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. Users United States 1
CIS 6.7 Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. Users United States 1
CIS 6.8 Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. Data United States 1
CIS 7.1 Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Applications Security - Processes and Testing United States 1
CIS 7.2 Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur Applications Security - Processes and Testing United States 1
CIS 7.3 Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Applications Security - Processess and Testing United States 1
CIS 7.4 Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. Are patches, updates or vendor mitigations for security vulnerabilities in other applications applied within one month of release? Applications Security - Processess and Testing United States 1
CIS 7.5 Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool. Applications United States 1
CIS 7.6 Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis. Applications United States 1
CIS 7.7 Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. Applications United States 1
CIS 8.1 Establish and maintain an audit log management process that defines the enterpriseís logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Network Security - Logging United States 1
CIS 8.2 Collect audit logs. Ensure that logging, per the enterpriseís audit log management process, has been enabled across enterprise assets. Network United States 1
CIS 8.3 Ensure that logging destinations maintain adequate storage to comply with the enterpriseís audit log management process. Has your organisation implemented a centralised logging facility to store logs which: Ensure logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Network Security - Logging United States 1
CIS 8.4 Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. Network United States 1
CIS 8.5 Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. Network United States 1
CIS 8.6 Collect DNS query audit logs on enterprise assets, where appropriate and supported. Network United States 1
CIS 8.7 Collect URL request audit logs on enterprise assets, where appropriate and supported. Network United States 1
CIS 8.8 Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. Devices United States 1
CIS 8.9 Centralize, to the extent possible, audit log collection and retention across enterprise assets. Network United States 1
CIS 8.1 Retain audit logs across enterprise assets for a minimum of 90 days. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Network Security - Logging United States 1
CIS 8.11 Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. Network United States 1
CIS 8.12 Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events. Data United States 1
CIS 9.1 Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. Does your organisation have a documented and implemented maintenance policy that outlines the following at a minimum: - management direction and support for maintenance; - requirement to comply with applicable laws and regulations; - governs the development of a maintenance plan for the organisation's software, hardware, and firmware; - ensures that any software no longer supported with updates is either removed as unauthorised, or else documented as an exception with mitigating controls and risk acceptance; - ensures that only fully supported web browsers and email clients are allowed to execute in the enterprise; - is the policy reviewed regularly and in response to security incidents? Applications Security - Plans and Quality United States 1
CIS 4.9 Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. Devices United States 1
CIS 9.3 Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. Network United States 1
CIS 4.11 Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. Devices United States 1
CIS 9.5 To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. Network United States 1
CIS 9.6 Block unnecessary file types attempting to enter the enterprise’s email gateway. Network United States 1
CIS 9.7 Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. Network United States 1
CIS 10.1 Deploy and maintain anti-malware software on all enterprise assets. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.2 Configure automatic updates for anti-malware signature files on all enterprise assets. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.3 Disable autorun and autoplay auto-execute functionality for removable media. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.4 Configure anti-malware software to automatically scan removable media. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.6 Centrally manage anti-malware software. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.7 Use behavior-based anti-malware software. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 11.1 Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Data Security - Plans and Quality United States 1
CIS 11.2 Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Data Security - Plans and Quality United States 1
CIS 11.3 Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. Data United States 1
CIS 11.4 Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services. Data United States 1
CIS 11.5 Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets. Data United States 1
CIS 12.1 Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Network Security - Processess and Testing United States 1
CIS 12.2 Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Network United States 1
CIS 12.3 Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. Network United States 1
CIS 12.4 Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Network United States 1
CIS 12.5 Centralize network AAA. Network United States 1
CIS 12.6 Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater). Network United States 1
CIS 12.7 Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. Devices United States 1
CIS 12.8 Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. Devices United States 1
CIS 13.1 Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. Network United States 1
CIS 13.2 Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported. Devices United States 1
CIS 13.3 Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. Network United States 1
CIS 13.4 Perform traffic filtering between network segments, where appropriate. Network United States 1
CIS 13.5 Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. Devices United States 1
CIS 13.6 Collect network traffic flow logs and/or network traffic to review and alert upon from network devices. Network United States 1
CIS 13.7 Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent. Devices United States 1
CIS 13.8 Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service. Network United States 1
CIS 13.9 Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication. Devices United States 1
CIS 13.1 Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. Network United States 1
CIS 13.11 Tune security event alerting thresholds monthly, or more frequently. Network United States 1
CIS 14.1 Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.2 Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.Ü Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.3 Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.4 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.5 Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.6 Train workforce members to be able to recognize a potential incident and be able to report such an incident.Ü Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.7 Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.8 Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.9 Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP_ Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles. NULL United States 1
CIS 15.1 Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. With regards to any third-party providers that make up the solution, or provide service to you, does your organisation: - have an inventory of all third-party service providers; - regularly assess and manage the risks associated with these third-party providers; - have contractual agreements in place to ensure third-party providers adhere to your information security and privacy policies; - ensure that the contractual agreements include notification of the transfer or termination of any personnel authorised to use your organisation's systems; - monitor third party providers for compliance; and - have defined and documented roles and responsibilities with regard to third party providers, including oversight of compliance - have a classification system for these third party providers; and - have a designated internal organisation contact for each provider? NULL Security - Product Information United States 1
CIS 15.2 Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 15.3 Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 15.4 Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. NULL United States 1
CIS 15.5 Assess service providers consistent with theenterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. NULL United States 1
CIS 15.6 Monitor service providers consistent with theenterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. Data United States 1
CIS 15.7 Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems. Data United States 1
CIS 16.1 Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Are all passwords used to access the service (i.e. user, system, and privileged account passwords) protected in line with the recommendations of at least one of: the Australia Cyber Security Centre Information Security Manual; New Zealand Information Security Manual and/or Open Web Application Security Program's Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation for ensuring passwords are hashed, salted and stretched? Applications Security - Access United States 1
CIS 16.2 Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report.ÜThe process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing.ÜAs part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities.ÜReview and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. Applications United States 1
CIS 16.3 Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. Applications United States 1
CIS 16.4 Establish and manage an updated inventory of third-party components used in development, often referred to as a bill of materials, as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. Applications United States 1
CIS 16.5 Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security.ÜAcquire these components from trusted sources or evaluate the software for vulnerabilities before use. Applications United States 1
CIS 16.6 Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. Applications United States 1
CIS 16.7 Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. Applications United States 1
CIS 16.8 Maintain separate environments for production and non-production systems. Applications United States 1
CIS 16.9 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. Applications United States 1
CIS 16.12 Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. Applications United States 1
CIS 16.13 Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing.ÜPenetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.Ü Applications United States 1
CIS 16.14 Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. Applications United States 1
CIS 17.1 Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. As part of your organisation's incident handling process does your organisation: - have one key person and at least one backup tasked with managing the organisation's incident handling process; and - have contact information for all parties that need to be informed of security incidents (e.g. staff, third party vendors, law enforcement, insurance providers, government agencies etc); and - contacts are updated annually? NULL Security - Processess and Testing United States 1
CIS 17.2 Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processess and Testing United States 1
CIS 17.3 Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processess and Testing United States 1
CIS 17.4 Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 17.5 Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 17.6 Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 17.7 Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum. NULL United States 1
CIS 17.8 Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. NULL United States 1
CIS 17.9 Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 18.1 Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United States 1
CIS 18.2 Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. Network United States 1
CIS 18.3 Remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization. Network United States 1
CIS 18.4 Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. Network United States 1
CIS 18.5 Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box. NULL United States 1
CIS 9.2 Use DNS filtering services on all enterprise assets to block access to known malicious domains. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e..g Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Network Security - Technical United States 1
CIS 9.4 Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. Applications United States 1
CIS 3.6 Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. Devices United States 1
NIST 800-53 AC-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori NULL Security - Plans and Quality United States 1
NIST 800-53 AC-2 a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. NULL United States 1
NIST 800-53 AC-2(1) Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 AC-2(2) Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. NULL United States 1
NIST 800-53 AC-2(3) Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-2(4) Automatically audit account creation, modification, enabling, disabling, and removal actions. NULL United States 1
NIST 800-53 AC-2(5) Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. NULL United States 1
NIST 800-53 AC-2(6) Implement [Assignment: organization-defined dynamic privilege management capabilities]. NULL United States 1
NIST 800-53 AC-2(7) (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate. NULL United States 1
NIST 800-53 AC-2(8) Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. NULL United States 1
NIST 800-53 AC-2(9) Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. NULL United States 1
NIST 800-53 AC-13 [Withdrawn: Incorporated into AC-2 and AU-6.] NULL United States 1
NIST 800-53 AC-2(11) Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. NULL United States 1
NIST 800-53 AC-2(12) (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 AC-2(13) Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. NULL United States 1
NIST 800-53 AC-3 Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. NULL United States 1
NIST 800-53 AC-14(1) [Withdrawn: Incorporated into AC-14.] NULL United States 1
NIST 800-53 AC-3(2) Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. NULL United States 1
NIST 800-53 AC-3(3) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints. NULL United States 1
NIST 800-53 AC-3(4) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control. NULL United States 1
NIST 800-53 AC-3(5) Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. NULL United States 1
NIST 800-53 AC-15 [Withdrawn: Incorporated into MP-3.] NULL United States 1
NIST 800-53 AC-3(7) Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. NULL United States 1
NIST 800-53 AC-3(8) Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. NULL United States 1
NIST 800-53 AC-3(9) Release information outside of the system only if: (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. NULL United States 1
NIST 800-53 AC-3(10) Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. NULL United States 1
NIST 800-53 AC-3(11) Restrict access to data repositories containing [Assignment: organization-defined information types]. NULL United States 1
NIST 800-53 AC-3(12) (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; (b) Provide an enforcement mechanism to prevent unauthorized access; and (c) Approve access changes after initial installation of the application. NULL United States 1
NIST 800-53 AC-3(13) Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. NULL United States 1
NIST 800-53 AC-3(14) Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. NULL United States 1
NIST 800-53 AC-3(15) (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy. NULL United States 1
NIST 800-53 AC-4 Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. NULL United States 1
NIST 800-53 AC-4(1) Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. NULL United States 1
NIST 800-53 AC-4(2) Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. NULL United States 1
NIST 800-53 AC-4(3) Enforce [Assignment: organization-defined information flow control policies]. NULL United States 1
NIST 800-53 AC-4(4) Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. NULL United States 1
NIST 800-53 AC-4(5) Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. NULL United States 1
NIST 800-53 AC-4(6) Enforce information flow control based on [Assignment: organization-defined metadata]. NULL United States 1
NIST 800-53 AC-4(7) Enforce one-way information flows through hardware-based flow control mechanisms. NULL United States 1
NIST 800-53 AC-4(8) (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. NULL United States 1
NIST 800-53 AC-4(9) Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. NULL United States 1
NIST 800-53 AC-4(10) Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. NULL United States 1
NIST 800-53 AC-4(11) Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. NULL United States 1
NIST 800-53 AC-4(12) When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. NULL United States 1
NIST 800-53 AC-4(13) When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. NULL United States 1
NIST 800-53 AC-4(14) When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. NULL United States 1
NIST 800-53 AC-4(15) When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. NULL United States 1
NIST 800-53 AC-17(5) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 AC-4(17) Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. NULL United States 1
NIST 800-53 AC-17(7) [Withdrawn: Incorporated into AC-3(10).] NULL United States 1
NIST 800-53 AC-4(19) When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. NULL United States 1
NIST 800-53 AC-4(20) Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. NULL United States 1
NIST 800-53 AC-4(21) Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. NULL United States 1
NIST 800-53 AC-4(22) Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. NULL United States 1
NIST 800-53 AC-4(23) When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. NULL United States 1
NIST 800-53 AC-4(24) When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. NULL United States 1
NIST 800-53 AC-4(25) When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]]. NULL United States 1
NIST 800-53 AC-4(26) When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. NULL United States 1
NIST 800-53 AC-4(27) When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. NULL United States 1
NIST 800-53 AC-4(28) When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. NULL United States 1
NIST 800-53 AC-4(29) When transferring information between different security domains, employ content filter orchestration engines to ensure that: (a) Content filtering mechanisms successfully complete execution without errors; and (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy]. NULL United States 1
NIST 800-53 AC-4(30) When transferring information between different security domains, implement content filtering mechanisms using multiple processes. NULL United States 1
NIST 800-53 AC-4(31) When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. NULL United States 1
NIST 800-53 AC-4(32) When transferring information between different security domains, the process that transfers information between filter pipelines: (a) Does not filter message content; (b) Validates filtering metadata; (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and (d) Transfers the content to the destination filter pipeline. NULL United States 1
NIST 800-53 AC-5 a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. NULL United States 1
NIST 800-53 AC-6 Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. NULL United States 1
NIST 800-53 AC-6(1) Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information]. NULL United States 1
NIST 800-53 AC-6(2) Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. NULL United States 1
NIST 800-53 AC-6(3) Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. NULL United States 1
NIST 800-53 AC-6(4) Provide separate processing domains to enable finer-grained allocation of user privileges. NULL United States 1
NIST 800-53 AC-6(5) Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 AC-6(6) Prohibit privileged access to the system by non-organizational users. NULL United States 1
NIST 800-53 AC-6(7) (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. NULL United States 1
NIST 800-53 AC-6(8) Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. NULL United States 1
NIST 800-53 AC-6(9) Log the execution of privileged functions. NULL United States 1
NIST 800-53 AC-6(10) Prevent non-privileged users from executing privileged functions. NULL United States 1
NIST 800-53 AC-7 a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded. NULL United States 1
NIST 800-53 AC-17(8) [Withdrawn: Incorporated into CM-7.] NULL United States 1
NIST 800-53 AC-7(2) Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. NULL United States 1
NIST 800-53 AC-7(3) Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. NULL United States 1
NIST 800-53 AC-7(4) (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-8 a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a U.S. Government system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording; b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c. For publicly accessible systems: 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system; 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Include a description of the authorized uses of the system. NULL United States 1
NIST 800-53 AC-9 Notify the user, upon successful logon to the system, of the date and time of the last logon. NULL United States 1
NIST 800-53 AC-9(1) Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. NULL United States 1
NIST 800-53 AC-9(2) Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-9(3) Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-9(4) Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. NULL United States 1
NIST 800-53 AC-10 Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. NULL United States 1
NIST 800-53 AC-11 a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and b. Retain the device lock until the user reestablishes access using established identification and authentication procedures. NULL United States 1
NIST 800-53 AC-11(1) Conceal, via the device lock, information previously visible on the display with a publicly viewable image. NULL United States 1
NIST 800-53 AC-12 Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. NULL United States 1
NIST 800-53 AC-12(1) Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. NULL United States 1
NIST 800-53 AC-12(2) Display an explicit logout message to users indicating the termination of authenticated communications sessions. NULL United States 1
NIST 800-53 AC-12(3) Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. NULL United States 1
NIST 800-53 AC-18(2) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 AC-14 a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. NULL United States 1
NIST 800-53 AC-19(1) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 AC-19(2) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 AC-16 a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]; d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]; e. Audit changes to attributes; and f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 AC-16(1) Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies]. NULL United States 1
NIST 800-53 AC-16(2) Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes. NULL United States 1
NIST 800-53 AC-16(3) Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects]. NULL United States 1
NIST 800-53 AC-16(4) Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). NULL United States 1
NIST 800-53 AC-16(5) Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions]. NULL United States 1
NIST 800-53 AC-16(6) Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. NULL United States 1
NIST 800-53 AC-16(7) Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components. NULL United States 1
NIST 800-53 AC-16(8) Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information. NULL United States 1
NIST 800-53 AC-16(9) Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. NULL United States 1
NIST 800-53 AC-16(10) Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. NULL United States 1
NIST 800-53 AC-17 a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. NULL United States 1
NIST 800-53 AC-17(1) Employ automated mechanisms to monitor and control remote access methods. NULL United States 1
NIST 800-53 AC-17(2) Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. NULL United States 1
NIST 800-53 AC-17(3) Route remote accesses through authorized and managed network access control points. NULL United States 1
NIST 800-53 AC-17(4) (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (b) Document the rationale for remote access in the security plan for the system. NULL United States 1
NIST 800-53 AC-19(3) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 AC-17(6) Protect information about remote access mechanisms from unauthorized use and disclosure. NULL United States 1
NIST 800-53 AC-2(10) [Withdrawn: Incorporated into AC-2k.] NULL United States 1
NIST 800-53 AC-3(1) [Withdrawn: Incorporated into AC-6.] NULL United States 1
NIST 800-53 AC-17(9) Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-17(10) Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]. NULL United States 1
NIST 800-53 AC-18 a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections. NULL United States 1
NIST 800-53 AC-18(1) Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. NULL United States 1
NIST 800-53 AC-3(6) [Withdrawn: Incorporated into MP-4 and SC-28.] NULL United States 1
NIST 800-53 AC-18(3) Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. NULL United States 1
NIST 800-53 AC-18(4) Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. NULL United States 1
NIST 800-53 AC-18(5) Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. NULL United States 1
NIST 800-53 AC-19 a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems. NULL United States 1
NIST 800-53 AC-4(16) [Withdrawn: Incorporated into AC-4.] NULL United States 1
NIST 800-53 AC-4(18) [Withdrawn: Incorporated into AC-16.] NULL United States 1
NIST 800-53 AC-7(1) [Withdrawn: Incorporated into AC-7.] NULL United States 1
NIST 800-53 AC-19(4) (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified systems is prohibited; (2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies]. NULL United States 1
NIST 800-53 AC-19(5) Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. NULL United States 1
NIST 800-53 AC-20 a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1. Access the system from external systems; and 2. Process, store, or transmit organization-controlled information using external systems; or b. Prohibit the use of [Assignment: organizationally-defined types of external systems]. NULL United States 1
NIST 800-53 AC-20(1) Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system. NULL United States 1
NIST 800-53 AC-20(2) Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 AC-20(3) Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 AC-20(4) Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. NULL United States 1
NIST 800-53 AC-20(5) Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. NULL United States 1
NIST 800-53 AC-21 a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. NULL United States 1
NIST 800-53 AC-21(1) Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. NULL United States 1
NIST 800-53 AC-21(2) Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. NULL United States 1
NIST 800-53 AC-22 a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered. NULL United States 1
NIST 800-53 AC-23 Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining. NULL United States 1
NIST 800-53 AC-24 [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. NULL United States 1
NIST 800-53 AC-24(1) Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. NULL United States 1
NIST 800-53 AC-24(2) Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user. NULL United States 1
NIST 800-53 AC-25 Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. NULL United States 1
NIST 800-53 AT-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] awareness and training policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented security training and awareness policy that outlines the following at a minimum: management direction and support for information security; requirement to comply with applicable laws and regulations; security training and awareness processes to be adopted; requirement for communication to management to ensure they maintain an awareness of, and focus on, addressing privacy and security issues? requirement for communication to management to ensure they maintain an awareness of, and focus on, addressing privacy and security issues? [moved from Q7] Is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 AT-2 a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes or following [Assignment: organization-defined events]; b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. NULL United States 1
NIST 800-53 AT-2(1) Provide practical exercises in literacy training that simulate events and incidents. NULL United States 1
NIST 800-53 AT-2(2) Provide literacy training on recognizing and reporting potential indicators of insider threat. NULL United States 1
NIST 800-53 AT-2(3) Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. NULL United States 1
NIST 800-53 AT-2(4) Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. NULL United States 1
NIST 800-53 AT-2(5) Provide literacy training on the advanced persistent threat. NULL United States 1
NIST 800-53 AT-2(6) (a) Provide literacy training on the cyber threat environment; and (b) Reflect current cyber threat information in system operations. NULL United States 1
NIST 800-53 AT-3 a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes; b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training. NULL United States 1
NIST 800-53 AT-3(1) Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. NULL United States 1
NIST 800-53 AT-3(2) Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. NULL United States 1
NIST 800-53 AT-3(3) Provide practical exercises in security and privacy training that reinforce training objectives. NULL United States 1
NIST 800-53 AT-3(4) [Withdrawn: Moved to AT-2(4)]. NULL United States 1
NIST 800-53 AT-3(5) Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. NULL United States 1
NIST 800-53 AT-4 a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for [Assignment: organization-defined time period]. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff.; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
NIST 800-53 AT-5 [Withdrawn: Incorporated into PM-15.] NULL United States 1
NIST 800-53 AT-6 Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. NULL United States 1
NIST 800-53 AU-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] audit and accountability policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c. Review and update the current audit and accountability: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori NULL Security - Plans and Quality United States 1
NIST 800-53 AU-2 a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged NULL Security - Logging United States 1
NIST 800-53 AU-10(5) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 AU-14(2) [Withdrawn: Incorporated into AU-14.] NULL United States 1
NIST 800-53 AU-15 [Withdrawn: Moved to AU-5(5).] NULL United States 1
NIST 800-53 AU-2(1) [Withdrawn: Incorporated into AU-12.] NULL United States 1
NIST 800-53 AU-3 Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event. NULL United States 1
NIST 800-53 AU-3(1) Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. NULL United States 1
NIST 800-53 AU-2(2) [Withdrawn: Incorporated into AU-12.] NULL United States 1
NIST 800-53 AU-3(3) Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. NULL United States 1
NIST 800-53 AU-4 Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. NULL United States 1
NIST 800-53 AU-4(1) Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. NULL United States 1
NIST 800-53 AU-5 a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and b. Take the following additional actions: [Assignment: organization-defined additional actions]. NULL United States 1
NIST 800-53 AU-5(1) Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. NULL United States 1
NIST 800-53 AU-5(2) Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts]. NULL United States 1
NIST 800-53 AU-5(3) Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds. NULL United States 1
NIST 800-53 AU-5(4) Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists. NULL United States 1
NIST 800-53 AU-5(5) Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. NULL United States 1
NIST 800-53 AU-6 a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. Does your organisation have a documented and implemented event log auditing procedure which outlines, at a minimum: • Schedule of audits (annual or real-time for sensitive data); • Definitions of security violations; • Actions to be taken when violations are detected; and • Reporting requirements? NULL Security - Logging United States 1
NIST 800-53 AU-6(1) Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 AU-2(3) [Withdrawn: Incorporated into AU-2.] NULL United States 1
NIST 800-53 AU-6(3) Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. NULL United States 1
NIST 800-53 AU-6(4) Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. NULL United States 1
NIST 800-53 AU-6(5) Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. NULL United States 1
NIST 800-53 AU-6(6) Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. NULL United States 1
NIST 800-53 AU-6(7) Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. NULL United States 1
NIST 800-53 AU-6(8) Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis. NULL United States 1
NIST 800-53 AU-6(9) Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. NULL United States 1
NIST 800-53 AU-2(4) [Withdrawn: Incorporated into AC-6(9).] NULL United States 1
NIST 800-53 AU-7 Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. NULL United States 1
NIST 800-53 AU-7(1) Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. NULL United States 1
NIST 800-53 AU-3(2) [Withdrawn: Incorporated into PL-9.] NULL United States 1
NIST 800-53 AU-8 a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. NULL United States 1
NIST 800-53 AU-6(10) [Withdrawn: Incorporated into AU-6.] NULL United States 1
NIST 800-53 AU-6(2) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 AU-9 a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. NULL United States 1
NIST 800-53 AU-9(1) Write audit trails to hardware-enforced, write-once media. NULL United States 1
NIST 800-53 AU-9(2) Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. NULL United States 1
NIST 800-53 AU-9(3) Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. NULL United States 1
NIST 800-53 AU-9(4) Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. NULL United States 1
NIST 800-53 AU-9(5) Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. NULL United States 1
NIST 800-53 AU-9(6) Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. NULL United States 1
NIST 800-53 AU-9(7) Store audit information on a component running a different operating system than the system or component being audited. NULL United States 1
NIST 800-53 AU-10 Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. NULL United States 1
NIST 800-53 AU-10(1) (a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provide the means for authorized individuals to determine the identity of the producer of the information. NULL United States 1
NIST 800-53 AU-10(2) (a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. NULL United States 1
NIST 800-53 AU-10(3) Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released. NULL United States 1
NIST 800-53 AU-10(4) (a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. NULL United States 1
NIST 800-53 AU-7(2) [Withdrawn: Incorporated into AU-7(1).] NULL United States 1
NIST 800-53 AU-11 Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. NULL United States 1
NIST 800-53 AU-11(1) Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. NULL United States 1
NIST 800-53 AU-12 a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. NULL United States 1
NIST 800-53 AU-12(1) Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. NULL United States 1
NIST 800-53 AU-12(2) Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. NULL United States 1
NIST 800-53 AU-12(3) Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. NULL United States 1
NIST 800-53 AU-12(4) Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. NULL United States 1
NIST 800-53 AU-13 a. Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and b. If an information disclosure is discovered: 1. Notify [Assignment: organization-defined personnel or roles]; and 2. Take the following additional actions: [Assignment: organization-defined additional actions]. NULL United States 1
NIST 800-53 AU-13(1) Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 AU-13(2) Review the list of open-source information sites being monitored [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 AU-13(3) Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner. NULL United States 1
NIST 800-53 AU-14 a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and b. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. NULL United States 1
NIST 800-53 AU-14(1) Initiate session audits automatically at system start-up. NULL United States 1
NIST 800-53 AU-8(1) [Withdrawn: Moved to SC-45(1).] NULL United States 1
NIST 800-53 AU-14(3) Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. NULL United States 1
NIST 800-53 AU-8(2) [Withdrawn: Moved to SC-45(2).] NULL United States 1
NIST 800-53 AU-16 Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. NULL United States 1
NIST 800-53 AU-16(1) Preserve the identity of individuals in cross-organizational audit trails. NULL United States 1
NIST 800-53 AU-16(2) Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. NULL United States 1
NIST 800-53 AU-16(3) Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries. NULL United States 1
NIST 800-53 CA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authorization, and monitoring policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and c. Review and update the current assessment, authorization, and monitoring: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/ threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable) and; o Residual risk ratings after implementing mitigation actions Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis the framework is to be reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 CA-2 a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; b. Develop a control assessment plan that describes the scope of the assessment including: 1. Controls and control enhancements under assessment; 2. Assessment procedures to be used to determine control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e. Produce a control assessment report that document the results of the assessment; and f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. NULL United States 1
NIST 800-53 CA-2(1) Employ independent assessors or assessment teams to conduct control assessments. Select the privacy related compliance certifications or assessments that have been completed for the service and your organisation, or another organisation contracted by you to perform the development, maintenance and/or support of your solution (excluding the infrastructure provider e.g., AWS, Azure, Sendgrid) NULL Security - Compliance Controls United States 1
NIST 800-53 CA-2(2) Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. NULL United States 1
NIST 800-53 CA-2(3) Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. NULL United States 1
NIST 800-53 CA-3 a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]]; b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and c. Review and update the agreements [Assignment: organization-defined frequency]. Which security and privacy compliance certifications do recipient third party systems hold? NULL Privacy - Functionality United States 1
NIST 800-53 CA-3(1) [Withdrawn: Moved to SC-7(25).] NULL United States 1
NIST 800-53 CA-3(2) [Withdrawn: Moved to SC-7(26).] NULL United States 1
NIST 800-53 CA-3(3) [Withdrawn: Moved to SC-7(27).] NULL United States 1
NIST 800-53 CA-3(4) [Withdrawn: Moved to SC-7(28).] NULL United States 1
NIST 800-53 CA-3(5) [Withdrawn: Moved to SC-7(5).] NULL United States 1
NIST 800-53 CA-3(6) Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data. NULL United States 1
NIST 800-53 CA-3(7) (a) Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and (b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated. NULL United States 1
NIST 800-53 CA-4 [Withdrawn: Incorporated into CA-2.] NULL United States 1
NIST 800-53 CA-5 a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. NULL United States 1
NIST 800-53 CA-5(1) Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CA-6 a. Assign a senior official as the authorizing official for the system; b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; c. Ensure that the authorizing official for the system, before commencing operations: 1. Accepts the use of common controls inherited by the system; and 2. Authorizes the system to operate; d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; e. Update the authorizations [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CA-6(1) Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization. NULL United States 1
NIST 800-53 CA-6(2) Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization. NULL United States 1
NIST 800-53 CA-7 Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United States 1
NIST 800-53 CA-7(1) Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. Select the privacy related compliance certifications or assessments that have been completed for the service and your organisation, or another organisation contracted by you to perform the development, maintenance and/or support of your solution (excluding the infrastructure provider e.g., AWS, Azure, Sendgrid) NULL Security - Compliance Controls United States 1
NIST 800-53 CA-7(2) [Withdrawn: Incorporated into CA-2.] NULL United States 1
NIST 800-53 CA-7(3) Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data. NULL United States 1
NIST 800-53 CA-7(4) Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (a) Effectiveness monitoring; (b) Compliance monitoring; and (c) Change monitoring. NULL United States 1
NIST 800-53 CA-7(5) Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 CA-7(6) Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CA-8 Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United States 1
NIST 800-53 CA-8(1) Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. NULL United States 1
NIST 800-53 CA-8(2) Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. NULL United States 1
NIST 800-53 CA-8(3) Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility. NULL United States 1
NIST 800-53 CA-9 a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; NULL Security - Technical United States 1
NIST 800-53 CA-9(1) Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection. NULL United States 1
NIST 800-53 CM-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] configuration management policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and c. Review and update the current configuration management: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-2 a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded. NULL United States 1
NIST 800-53 CM-11(1) [Withdrawn: Incorporated into CM-8(3).] NULL United States 1
NIST 800-53 CM-2(2) Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-2(3) Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. NULL United States 1
NIST 800-53 CM-2(1) [Withdrawn: Incorporated into CM-2.] Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; ; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; NULL Security - Technical United States 1
NIST 800-53 CM-2(4) [Withdrawn: Incorporated into CM-7(4).] NULL United States 1
NIST 800-53 CM-2(6) Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. NULL United States 1
NIST 800-53 CM-2(7) (a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. Does your organisation enforce enhanced security configurations for organisation systems and components moving: Physically to high-risk areas; and Off-site for maintenance; NULL Security - Technical United States 1
NIST 800-53 CM-3 a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c. Document configuration change decisions associated with the system; d. Implement approved configuration-controlled changes to the system; e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period]; f. Monitor and review activities associated with configuration-controlled changes to the system; and g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]]. NULL United States 1
NIST 800-53 CM-3(1) Use [Assignment: organization-defined automated mechanisms] to: (a) Document proposed changes to the system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval; (c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period]; (d) Prohibit changes to the system until designated approvals are received; (e) Document all changes to the system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the system are completed. NULL United States 1
NIST 800-53 CM-3(2) Test, validate, and document changes to the system before finalizing the implementation of the changes. Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalised NULL Security - Plans and Quality United States 1
NIST 800-53 CM-3(3) Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-3(4) Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. NULL United States 1
NIST 800-53 CM-3(5) Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses]. NULL United States 1
NIST 800-53 CM-3(6) Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. NULL United States 1
NIST 800-53 CM-3(7) Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. NULL United States 1
NIST 800-53 CM-3(8) Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. NULL United States 1
NIST 800-53 CM-4 Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. NULL United States 1
NIST 800-53 CM-4(1) Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice. NULL United States 1
NIST 800-53 CM-4(2) After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system. NULL United States 1
NIST 800-53 CM-5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. NULL United States 1
NIST 800-53 CM-5(1) (a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and (b) Automatically generate audit records of the enforcement actions. NULL United States 1
NIST 800-53 CM-2(5) [Withdrawn: Incorporated into CM-7(5).] NULL United States 1
NIST 800-53 IR-5 Track and document incidents. NULL United States 1
NIST 800-53 IR-5(1) Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-6(1) (a) Limit privileges to change system components and system-related information within a production or operational environment; and (b) Review and reevaluate privileges [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-5(6) Limit privileges to change software resident within software libraries. NULL United States 1
NIST 800-53 IR-6(3) [Withdrawn: Moved to CM-14.] NULL United States 1
NIST 800-53 IR-7 a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. NULL United States 1
NIST 800-53 IR-7(1) Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-7(2) Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 IR-8 [Withdrawn: Incorporated into SI-7.] Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processess and Testing United States 1
NIST 800-53 IR-8(1) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 IR-9 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. NULL United States 1
NIST 800-53 IR-10 [Withdrawn: Moved to IR-4(11).] NULL United States 1
NIST 800-53 IR-9(2) Provide information spillage response training [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(3) Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. NULL United States 1
NIST 800-53 CM-7(4) (a) Identify [Assignment: organization-defined software programs not authorized to execute on the system]; (b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (c) Review and update the list of unauthorized software programs [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(5) (a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(6) Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software]. NULL United States 1
NIST 800-53 CM-7(7) Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is: (a) Obtained from sources with limited or no warranty; and/or (b) Without the provision of source code. NULL United States 1
NIST 800-53 CM-7(8) (a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and (b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official. NULL United States 1
NIST 800-53 CM-7(9) (a) Identify [Assignment: organization-defined hardware components authorized for system use]; (b) Prohibit the use or connection of unauthorized hardware components; (c) Review and update the list of authorized hardware components [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-8 a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-8(1) Update the inventory of system components as part of component installations, removals, and system updates. NULL United States 1
NIST 800-53 CM-8(2) Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-8(3) (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. NULL United States 1
NIST 800-53 CM-8(4) Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. NULL United States 1
NIST 800-53 CM-6(4) [Withdrawn: Incorporated into CM-4.] NULL United States 1
NIST 800-53 CM-8(6) Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. NULL United States 1
NIST 800-53 CM-8(7) Provide a centralized repository for the inventory of system components. NULL United States 1
NIST 800-53 CM-8(8) Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 MA-3(2) (a) Assign system components to a system; and (b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment. NULL United States 1
NIST 800-53 CM-9 Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-9(1) Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development. NULL United States 1
NIST 800-53 CM-10 a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. NULL United States 1
NIST 800-53 CM-10(1) Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 CM-11 a. Establish [Assignment: organization-defined policies] governing the installation of software by users; b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and c. Monitor policy compliance [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-8(5) [Withdrawn: Incorporated into CM-8.] Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-11(2) Allow user installation of software only with explicit privileged status. NULL United States 1
NIST 800-53 CM-11(3) Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-12 a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. Document changes to the location (i.e., system or system components) where the information is processed and stored. NULL United States 1
NIST 800-53 CM-12(1) Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. NULL United States 1
NIST 800-53 CM-13 Develop and document a map of system data actions. NULL United States 1
NIST 800-53 CM-14 Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. NULL United States 1
NIST 800-53 CP-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 CP-2 a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 CP-2(1) Coordinate contingency plan development with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 CP-2(2) Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. NULL United States 1
NIST 800-53 CP-2(3) Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. NULL United States 1
NIST 800-53 CP-10(1) [Withdrawn: Incorporated into CP-4.] NULL United States 1
NIST 800-53 CP-2(5) Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. NULL United States 1
NIST 800-53 CP-2(6) Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. NULL United States 1
NIST 800-53 CP-2(7) Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. NULL United States 1
NIST 800-53 CP-2(8) Identify critical system assets supporting [Selection: all; essential] mission and business functions. NULL United States 1
NIST 800-53 CP-3 a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 CP-3(1) Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. NULL United States 1
NIST 800-53 CP-3(2) Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment. NULL United States 1
NIST 800-53 CP-4 a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. b. Review the contingency plan test results; and c. Initiate corrective actions, if needed. NULL United States 1
NIST 800-53 CP-4(1) Coordinate contingency plan testing with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 CP-4(2) Test the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alternate processing site to support contingency operations. NULL United States 1
NIST 800-53 CP-4(3) Test the contingency plan using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CP-4(4) Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing. NULL United States 1
NIST 800-53 CP-4(5) Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. NULL United States 1
NIST 800-53 CP-10(3) [Withdrawn: Addressed through tailoring.] NULL United States 1
NIST 800-53 CP-6 a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. NULL United States 1
NIST 800-53 CP-6(1) Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-6(2) Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. NULL United States 1
NIST 800-53 CP-6(3) Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. NULL United States 1
NIST 800-53 CP-7 a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site. NULL United States 1
NIST 800-53 CP-7(1) Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-7(2) Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. NULL United States 1
NIST 800-53 CP-7(3) Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). NULL United States 1
NIST 800-53 CP-7(4) Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. NULL United States 1
NIST 800-53 CP-10(5) [Withdrawn: Incorporated into SI-13.] NULL United States 1
NIST 800-53 CP-7(6) Plan and prepare for circumstances that preclude returning to the primary processing site. NULL United States 1
NIST 800-53 CP-8 Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. NULL United States 1
NIST 800-53 CP-8(1) (a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. NULL United States 1
NIST 800-53 CP-8(2) Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. NULL United States 1
NIST 800-53 CP-8(3) Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-8(4) (a) Require primary and alternate telecommunications service providers to have contingency plans; (b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CP-8(5) Test alternate telecommunication services [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CP-9 a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. NULL United States 1
NIST 800-53 CP-9(1) Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. NULL United States 1
NIST 800-53 CP-9(2) Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. NULL United States 1
NIST 800-53 CP-9(3) Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. NULL United States 1
NIST 800-53 CP-2(4) [Withdrawn: Incorporated into CP-2(3).] NULL United States 1
NIST 800-53 CP-9(5) Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. NULL United States 1
NIST 800-53 CP-9(6) Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. NULL United States 1
NIST 800-53 CP-9(7) Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. NULL United States 1
NIST 800-53 CP-9(8) Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]. NULL United States 1
NIST 800-53 CP-10 Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. NULL United States 1
NIST 800-53 CP-5 [Withdrawn: Incorporated into CP-2.] NULL United States 1
NIST 800-53 CP-10(2) Implement transaction recovery for systems that are transaction-based. NULL United States 1
NIST 800-53 CP-7(5) Withdrawn: Incorporated into CP-7.] NULL United States 1
NIST 800-53 CP-10(4) Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. NULL United States 1
NIST 800-53 CP-9(4) [Withdrawn: Incorporated into CP-9.] NULL United States 1
NIST 800-53 CP-10(6) Protect system components used for recovery and reconstitution. NULL United States 1
NIST 800-53 CP-11 Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. NULL United States 1
NIST 800-53 CP-12 When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. NULL United States 1
NIST 800-53 CP-13 Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. NULL United States 1
NIST 800-53 IA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] identification and authentication policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and c. Review and update the current identification and authentication: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented identification and authentication policy that outlines the following at a minimum: - management direction and support for identification and authentication; - requirement to comply with applicable laws and regulations; - policy on user identifiers; - policy on passwords and password updates; - policy on one-factor and multi-factor authentication security and usage; and - is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 IA-2 Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. NULL United States 1
NIST 800-53 IA-2(1) Implement multi-factor authentication for access to privileged accounts. NULL United States 1
NIST 800-53 IA-2(2) Implement multi-factor authentication for access to non-privileged accounts. NULL United States 1
NIST 800-53 IA-2(11) [Withdrawn: Incorporated into IA-2(6).] NULL United States 1
NIST 800-53 IA-2(3) [Withdrawn: Incorporated into IA-2(1).] NULL United States 1
NIST 800-53 IA-2(5) When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. NULL United States 1
NIST 800-53 IA-2(6) Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]. NULL United States 1
NIST 800-53 IA-2(4) [Withdrawn: Incorporated into IA-2(2).] NULL United States 1
NIST 800-53 IA-2(8) Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. NULL United States 1
NIST 800-53 IA-2(7) [Withdrawn: Incorporated into IA-2(6).] NULL United States 1
NIST 800-53 IA-2(10) Provide a single sign-on capability for [Assignment: organization-defined system accounts and services]. NULL United States 1
NIST 800-53 IA-2(9) [Withdrawn: Incorporated into IA-2(8).] NULL United States 1
NIST 800-53 IA-2(12) Accept and electronically verify Personal Identity Verification-compliant credentials. NULL United States 1
NIST 800-53 IA-2(13) Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication]. NULL United States 1
NIST 800-53 IA-3 Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. NULL United States 1
NIST 800-53 IA-3(1) Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. NULL United States 1
NIST 800-53 IA-3(2) Withdrawn: Incorporated into IA-3(1).] NULL United States 1
NIST 800-53 IA-3(3) (a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audit lease information when assigned to a device. NULL United States 1
NIST 800-53 IA-3(4) Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process]. NULL United States 1
NIST 800-53 IA-4 Manage system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier; b. Selecting an identifier that identifies an individual, group, role, service, or device; c. Assigning the identifier to the intended individual, group, role, service, or device; and d. Preventing reuse of identifiers for [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 IA-4(1) Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts. NULL United States 1
NIST 800-53 IA-4(2) [Withdrawn: Incorporated into IA-12(1).] NULL United States 1
NIST 800-53 IA-4(3) [Withdrawn: Incorporated into IA-12(2).] NULL United States 1
NIST 800-53 IA-4(4) Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. NULL United States 1
NIST 800-53 IA-4(5) Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy]. NULL United States 1
NIST 800-53 IA-4(6) Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-4(7) [Withdrawn: Incorporated into IA-12(4).] NULL United States 1
NIST 800-53 IA-4(8) Generate pairwise pseudonymous identifiers. NULL United States 1
NIST 800-53 IA-4(9) Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage]. NULL United States 1
NIST 800-53 IA-5 Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes. NULL United States 1
NIST 800-53 IA-5(1) For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. NULL United States 1
NIST 800-53 IA-5(2) (a) For public key-based authentication: (1) Enforce authorized access to the corresponding private key; and (2) Map the authenticated identity to the account of the individual or group; and (b) When public key infrastructure (PKI) is used: (1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and (2) Implement a local cache of revocation data to support path discovery and validation. NULL United States 1
NIST 800-53 IA-5(11) [Withdrawn: Incorporated into IA-2(1) and IA-2(2).] NULL United States 1
NIST 800-53 IA-5(3) [Withdrawn: Incorporated into IA-12(4).] NULL United States 1
NIST 800-53 IA-5(5) Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. NULL United States 1
NIST 800-53 IA-5(6) Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. NULL United States 1
NIST 800-53 IA-5(7) Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage. NULL United States 1
NIST 800-53 IA-5(8) Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems. NULL United States 1
NIST 800-53 IA-5(9) Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-5(10) Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules]. NULL United States 1
NIST 800-53 IA-5(4) [Withdrawn: Incorporated into IA-5(1).] NULL United States 1
NIST 800-53 IA-5(12) For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements]. NULL United States 1
NIST 800-53 IA-5(13) Prohibit the use of cached authenticators after [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 IA-5(14) For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications. NULL United States 1
NIST 800-53 IA-5(15) Use only General Services Administration-approved products and services for identity, credential, and access management. NULL United States 1
NIST 800-53 IA-5(16) Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 IA-5(17) Employ presentation attack detection mechanisms for biometric-based authentication. NULL United States 1
NIST 800-53 IA-5(18) (a) Employ [Assignment: organization-defined password managers] to generate and manage passwords; and (b) Protect the passwords using [Assignment: organization-defined controls]. NULL United States 1
NIST 800-53 IA-6 Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. NULL United States 1
NIST 800-53 IA-7 Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. NULL United States 1
NIST 800-53 IA-8 Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. NULL United States 1
NIST 800-53 IA-8(1) Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. NULL United States 1
NIST 800-53 IA-8(2) (a) Accept only external authenticators that are NIST-compliant; and (b) Document and maintain a list of accepted external authenticators. NULL United States 1
NIST 800-53 IA-8(3) [Withdrawn: Incorporated into IA-8(2).] NULL United States 1
NIST 800-53 IA-8(4) Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. NULL United States 1
NIST 800-53 IA-8(5) Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy]. NULL United States 1
NIST 800-53 IA-8(6) Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures]. NULL United States 1
NIST 800-53 IA-9 Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications. NULL United States 1
NIST 800-53 PE-10 [Withdrawn: Incorporated into IA-9.] NULL United States 1
NIST 800-53 IA-9(2) [Withdrawn: Incorporated into IA-9.] NULL United States 1
NIST 800-53 IA-10 Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. NULL United States 1
NIST 800-53 IA-11 Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. NULL United States 1
NIST 800-53 IA-12 a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; b. Resolve user identities to a unique individual; and c. Collect, validate, and verify identity evidence. NULL United States 1
NIST 800-53 IA-12(1) Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization. NULL United States 1
NIST 800-53 IA-12(2) Require evidence of individual identification be presented to the registration authority. NULL United States 1
NIST 800-53 IA-12(3) Require that the presented identity evidence be validated and verified through [Assignment: organizational defined methods of validation and verification]. NULL United States 1
NIST 800-53 IA-12(4) Require that the validation and verification of identity evidence be conducted in person before a designated registration authority. NULL United States 1
NIST 800-53 IA-12(5) Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify the users address (physical or digital) of record. NULL United States 1
NIST 800-53 IA-12(6) Accept externally-proofed identities at [Assignment: organization-defined identity assurance level]. NULL United States 1
NIST 800-53 IR-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] incident response policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and c. Review and update the current incident response: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori NULL Security - Plans and Quality United States 1
NIST 800-53 IR-2 a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 IR-2(1) Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. NULL United States 1
NIST 800-53 IR-2(2) Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-2(3) Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach. NULL United States 1
NIST 800-53 IR-3 Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. NULL United States 1
NIST 800-53 IR-3(1) Test the incident response capability using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-3(2) Coordinate incident response testing with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 IR-3(3) Use qualitative and quantitative data from testing to: (a) Determine the effectiveness of incident response processes; (b) Continuously improve incident response processes; and (c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format. NULL United States 1
NIST 800-53 IR-4 a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. NULL United States 1
NIST 800-53 IR-4(1) Support the incident handling process using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-4(2) Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration]. NULL United States 1
NIST 800-53 IR-4(3) Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents]. NULL United States 1
NIST 800-53 IR-4(4) Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. NULL United States 1
NIST 800-53 IR-4(5) Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected. NULL United States 1
NIST 800-53 IR-4(6) Implement an incident handling capability for incidents involving insider threats. NULL United States 1
NIST 800-53 IR-4(7) Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities]. NULL United States 1
NIST 800-53 IR-4(8) Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses. NULL United States 1
NIST 800-53 IR-4(9) Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents. NULL United States 1
NIST 800-53 IR-4(10) Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain. NULL United States 1
NIST 800-53 IR-4(11) Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 IR-4(12) Analyze malicious code and/or other residual artifacts remaining in the system after the incident. NULL United States 1
NIST 800-53 CM-5(1) Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources]. NULL United States 1
NIST 800-53 IR-4(14) Establish and maintain a security operations center. NULL United States 1
NIST 800-53 IR-4(15) (a) Manage public relations associated with an incident; and (b) Employ measures to repair the reputation of the organization. NULL United States 1
NIST 800-53 CM-5(4) Track and document incidents. NULL United States 1
NIST 800-53 IR-5(1) Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-5(5) (a) Limit privileges to change system components and system-related information within a production or operational environment; and (b) Review and reevaluate privileges [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-5(6) Limit privileges to change software resident within software libraries. NULL United States 1
NIST 800-53 CM-5(3) [Withdrawn: Moved to CM-14.] NULL United States 1
NIST 800-53 CM-6 a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. NULL United States 1
NIST 800-53 CM-6(1) Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-6(2) Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 CM-5(7) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 CM-6(3) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 CM-7 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. NULL United States 1
NIST 800-53 CM-7(1) (a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. NULL United States 1
NIST 800-53 CM-7(2) Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. NULL United States 1
NIST 800-53 CM-7(3) Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. NULL United States 1
NIST 800-53 CM-7(5) (a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(7) Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is: (a) Obtained from sources with limited or no warranty; and/or (b) Without the provision of source code. NULL United States 1
NIST 800-53 CM-7(8) (a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and (b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official. NULL United States 1
NIST 800-53 CM-8 a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-8(2) Update the inventory of system components as part of component installations, removals, and system updates. NULL United States 1
NIST 800-53 CM-8(4) (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. NULL United States 1
NIST 800-53 CM-8(6) [Withdrawn: Incorporated into CM-4.] NULL United States 1
NIST 800-53 CM-8(8) Provide a centralized repository for the inventory of system components. NULL United States 1
NIST 800-53 CM-8(9) (a) Assign system components to a system; and (b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment. NULL United States 1
NIST 800-53 CM-9 Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 CM-9(1) Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development. NULL United States 1
NIST 800-53 CM-10 a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. NULL United States 1
NIST 800-53 CM-10(1) Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 CM-11 a. Establish [Assignment: organization-defined policies] governing the installation of software by users; b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and c. Monitor policy compliance [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 MA-4 a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed. NULL United States 1
NIST 800-53 CM-11(2) Allow user installation of software only with explicit privileged status. NULL United States 1
NIST 800-53 CM-12 [Withdrawn: Incorporated into MA-1 and MA-4.] NULL United States 1
NIST 800-53 CM-12(1) Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. NULL United States 1
NIST 800-53 CM-13 Develop and document a map of system data actions. NULL United States 1
NIST 800-53 CM-14 Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. NULL United States 1
NIST 800-53 CP-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 CP-2 a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 CP-2(1) Coordinate contingency plan development with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 CP-2(2) Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. NULL United States 1
NIST 800-53 CP-10(1) Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. NULL United States 1
NIST 800-53 CP-2(5) Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. NULL United States 1
NIST 800-53 CP-2(7) Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. NULL United States 1
NIST 800-53 CP-3 Identify critical system assets supporting [Selection: all; essential] mission and business functions. NULL United States 1
NIST 800-53 CP-3(2) Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. NULL United States 1
NIST 800-53 CP-4 a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. b. Review the contingency plan test results; and c. Initiate corrective actions, if needed. NULL United States 1
NIST 800-53 CP-4(2) Test the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alternate processing site to support contingency operations. NULL United States 1
NIST 800-53 CP-4(4) Test the contingency plan using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CP-4(5) Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. NULL United States 1
NIST 800-53 CP-6 a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. NULL United States 1
NIST 800-53 CP-6(2) Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. NULL United States 1
NIST 800-53 CP-7 a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site. NULL United States 1
NIST 800-53 CP-7(2) Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-7(3) Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). NULL United States 1
NIST 800-53 CP-10(5) [Withdrawn: Incorporated into SI-13.] NULL United States 1
NIST 800-53 CP-8 Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. NULL United States 1
NIST 800-53 CP-8(2) (a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. NULL United States 1
NIST 800-53 CP-8(3) Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-8(5) Test alternate telecommunication services [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CP-9(1) Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. NULL United States 1
NIST 800-53 CP-9(3) Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. NULL United States 1
NIST 800-53 CP-9(5) Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. NULL United States 1
NIST 800-53 CP-9(7) Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. NULL United States 1
NIST 800-53 MP-6(1) Review, approve, track, document, and verify media sanitization and disposal actions. NULL United States 1
NIST 800-53 MP-6(2) Test sanitization equipment and procedures [Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved. NULL United States 1
NIST 800-53 MP-6(3) Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. NULL United States 1
NIST 800-53 MP-6(4) [Withdrawn: Incorporated into MP-6.] NULL United States 1
NIST 800-53 MP-6(5) [Withdrawn: Incorporated into MP-6.] NULL United States 1
NIST 800-53 MP-6(6) [Withdrawn: Incorporated into MP-6.] NULL United States 1
NIST 800-53 MP-6(7) Enforce dual authorization for the sanitization of [Assignment: organization-defined system media]. NULL United States 1
NIST 800-53 MP-6(8) Provide the capability to purge or wipe information from [Assignment: organization-defined systems or system components] [Selection: remotely; under the following conditions: [Assignment: organization-defined conditions]]. NULL United States 1
NIST 800-53 MP-7 a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. NULL United States 1
NIST 800-53 MP-7(1) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 MP-7(2) Prohibit the use of sanitization-resistant media in organizational systems. NULL United States 1
NIST 800-53 MP-8 a. Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; b. Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information; c. Identify [Assignment: organization-defined system media requiring downgrading]; and d. Downgrade the identified system media using the established process. NULL United States 1
NIST 800-53 MP-8(1) Document system media downgrading actions. NULL United States 1
NIST 800-53 MP-8(2) Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved. NULL United States 1
NIST 800-53 MP-8(3) Downgrade system media containing controlled unclassified information prior to public release. NULL United States 1
NIST 800-53 MP-8(4) Downgrade system media containing classified information prior to release to individuals without required access authorizations. NULL United States 1
NIST 800-53 IA-2(5) When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. NULL United States 1
NIST 800-53 IA-2(4) [Withdrawn: Incorporated into IA-2(2).] NULL United States 1
NIST 800-53 IA-2(7) Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. NULL United States 1
NIST 800-53 IA-2(10) Provide a single sign-on capability for [Assignment: organization-defined system accounts and services]. NULL United States 1
NIST 800-53 IA-2(12) Accept and electronically verify Personal Identity Verification-compliant credentials. NULL United States 1
NIST 800-53 IA-3 Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication]. NULL United States 1
NIST 800-53 IA-3(1) Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. NULL United States 1
NIST 800-53 IA-3(3) (a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audit lease information when assigned to a device. NULL United States 1
NIST 800-53 IA-3(4) Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process]. NULL United States 1
NIST 800-53 IA-4(1) Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts. NULL United States 1
NIST 800-53 IA-4(3) [Withdrawn: Incorporated into IA-12(1).] NULL United States 1
NIST 800-53 IA-4(4) Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. NULL United States 1
NIST 800-53 IA-4(7) Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-4(8) Generate pairwise pseudonymous identifiers. NULL United States 1
NIST 800-53 IA-5 Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes. NULL United States 1
NIST 800-53 IA-5(2) For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. NULL United States 1
NIST 800-53 IA-5(11) [Withdrawn: Incorporated into IA-2(1) and IA-2(2).] NULL United States 1
NIST 800-53 IA-5(6) Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. NULL United States 1
NIST 800-53 IA-5(7) Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage. NULL United States 1
NIST 800-53 IA-5(9) Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-5(4) [Withdrawn: Incorporated into IA-5(1).] NULL United States 1
NIST 800-53 IA-5(13) For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements]. NULL United States 1
NIST 800-53 IA-5(15) For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications. NULL United States 1
NIST 800-53 IA-5(17) Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 IA-5(18) [Withdrawn: Incorporated into CA-8.] NULL United States 1
NIST 800-53 IA-7 Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. NULL United States 1
NIST 800-53 IA-8(1) Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. NULL United States 1
NIST 800-53 IA-8(3) (a) Accept only external authenticators that are NIST-compliant; and (b) Document and maintain a list of accepted external authenticators. NULL United States 1
NIST 800-53 IA-8(4) Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. NULL United States 1
NIST 800-53 IA-8(5) Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy]. NULL United States 1
NIST 800-53 IA-9 Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures]. NULL United States 1
NIST 800-53 IA-9(1) [Withdrawn: Incorporated into IA-9.] NULL United States 1
NIST 800-53 PE-10 a. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations; b. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and c. Protect emergency power shutoff capability from unauthorized activation. NULL United States 1
NIST 800-53 PE-5(3) [Withdrawn: Incorporated into PE-22.] NULL United States 1
NIST 800-53 PE-11 Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss. NULL United States 1
NIST 800-53 PE-11(1) Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source. NULL United States 1
NIST 800-53 PE-11(2) Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: (a) Self-contained; (b) Not reliant on external power generation; and (c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. NULL United States 1
NIST 800-53 PE-12 Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. NULL United States 1
NIST 800-53 PE-12(1) Provide emergency lighting for all areas within the facility supporting essential mission and business functions. NULL United States 1
NIST 800-53 PE-13 Employ and maintain fire detection and suppression systems that are supported by an independent energy source. NULL United States 1
NIST 800-53 PE-13(1) Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. NULL United States 1
NIST 800-53 PE-13(2) (a) Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and (b) Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. NULL United States 1
NIST 800-53 PE-7 [Withdrawn: Incorporated into PE-2 and PE-3.] NULL United States 1
NIST 800-53 PE-13(4) Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 PE-14 a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and b. Monitor environmental control levels [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PE-14(1) Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls]. NULL United States 1
NIST 800-53 PE-14(2) Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 PE-15 Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. NULL United States 1
NIST 800-53 IR-2 a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 IR-2(1) Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. NULL United States 1
NIST 800-53 IR-2(2) Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 SI-4(24) Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. NULL United States 1
NIST 800-53 SI-5 Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. NULL United States 1
NIST 800-53 SI-6 Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 SI-4(8) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 SI-6(3) Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 SI-7(1) Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. NULL United States 1
NIST 800-53 SI-7(3) Employ centrally managed integrity verification tools. NULL United States 1
NIST 800-53 SI-7(5) Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered. NULL United States 1
NIST 800-53 PL-2 a. Develop security and privacy plans for the system that: 1. Are consistent with the organization’s enterprise architecture; 2. Explicitly define the constituent system components; 3. Describe the operational context of the system in terms of mission and business processes; 4. Identify the individuals that fulfill system roles and responsibilities; 5. Identify the information types processed, stored, and transmitted by the system; 6. Provide the security categorization of the system, including supporting rationale; 7. Describe any specific threats to the system that are of concern to the organization; 8. Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10. Provide an overview of the security and privacy requirements for the system; 11. Identify any relevant control baselines or overlays, if applicable; 12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13. Include risk determinations for security and privacy architecture and design decisions; 14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and 15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; c. Review the plans [Assignment: organization-defined frequency]; d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e. Protect the plans from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 PL-2(1) [Withdrawn: Incorporated into PL-7.] NULL United States 1
NIST 800-53 PL-2(2) [Withdrawn: Incorporated into PL-8.] NULL United States 1
NIST 800-53 PL-2(3) [Withdrawn: Incorporated into PL-2.] Does your organisation have a documented and implemented systems and services acquisition policy that outlines the following at a minimum: - management direction and support for planning around systems and services acquisition; - requirement to comply with applicable laws and regulations; - policy that governs the acquisition of resources, including: security and privacy requirements and acceptance criteria; - requiring the developer of the system or service to provide: a description of the functional properties of any security controls; relevant design and implementation information for -security controls; a listing of all functions, ports, protocols and services in use; conformance with NIST FIPS-201-3 for any Personal Identity Verification functionality (smart card or equivalent for access to premises) - requirement for administrator documentation covering addressing in configuration, use and maintenance, and known vulnerabilities; - requirement for user documentation covering security and privacy functionality they can access, secure user interaction, and user responsibilities; - logging of attempts to obtain documentation that have been unsuccessful; and - is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 PL-3 [Withdrawn: Incorporated into PL-2.] NULL United States 1
NIST 800-53 PL-4 a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency]; when the rules are revised or updated]. Within your organisation, please select the agreements that all vendor staff, external contractors and associates who have access to user data or user content required to sign? NULL Security - HR United States 1
NIST 800-53 PL-4(1) Include in the rules of behavior, restrictions on: (a) Use of social media, social networking sites, and external sites/applications; (b) Posting organizational information on public websites; and (c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. Within your organisation, please select the agreements that all vendor staff, external contractors and associates who have access to user data or user content required to sign? NULL Security - HR United States 1
NIST 800-53 PL-5 [Withdrawn: Incorporated into RA-8.] NULL United States 1
NIST 800-53 PL-6 [Withdrawn: Incorporated into PL-2.] NULL United States 1
NIST 800-53 PL-7 a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and b. Review and update the CONOPS [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PL-8 a. Develop security and privacy architectures for the system that: 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; 2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; 3. Describe how the architectures are integrated into and support the enterprise architecture; and 4. Describe any assumptions about, and dependencies on, external systems and services; b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. Does the service's application development have the following characteristics:
  • Environments are separated into at least development, testing and production environments;
  • Development and modification of software only takes place in development environments;
  • Unauthorised access to the authoritative software source is prevented;
  • Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organisation's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development);
  • Applies the National Institute for Standards and Technology (NIST)’s Secure Software Development Framework (SSDF) for all software development activities
  • Privacy-by-design principles;
  • Threat modelling is used in support of application development; and
  • Alignment to a security and privacy architecture that has been drawn up for the system?
NULL Security - Plans and Quality United States 1
NIST 800-53 PL-8(1) Design the security and privacy architectures for the system using a defense-in-depth approach that: (a) Allocates [Assignment: organization-defined controls] to [Assignment: organization-defined locations and architectural layers]; and (b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner. NULL United States 1
NIST 800-53 PL-8(2) Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. NULL United States 1
NIST 800-53 PL-9 Centrally manage [Assignment: organization-defined controls and related processes]. NULL United States 1
NIST 800-53 PL-10 Select a control baseline for the system. NULL United States 1
NIST 800-53 PL-11 Tailor the selected control baseline by applying specified tailoring actions. NULL United States 1
NIST 800-53 PM-1 a. Develop and disseminate an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects the coordination among organizational entities responsible for information security; and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Protect the information security program plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 PM-2 Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. NULL United States 1
NIST 800-53 PM-3 a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; b. Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and c. Make available for expenditure, the planned information security and privacy resources. NULL United States 1
NIST 800-53 PM-4 a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: 1. Are developed and maintained; 2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and 3. Are reported in accordance with established reporting requirements. b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. NULL United States 1
NIST 800-53 PM-5 Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. NULL United States 1
NIST 800-53 PM-5(1) Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information. NULL United States 1
NIST 800-53 PM-6 Develop, monitor, and report on the results of information security and privacy measures of performance. NULL United States 1
NIST 800-53 PM-7 Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. NULL United States 1
NIST 800-53 PM-7(1) Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider. NULL United States 1
NIST 800-53 PM-8 Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. NULL United States 1
NIST 800-53 PM-9 a. Develops a comprehensive strategy to manage: 1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and 2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information; b. Implement the risk management strategy consistently across the organization; and c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. NULL United States 1
NIST 800-53 PM-10 a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Integrate the authorization processes into an organization-wide risk management program. NULL United States 1
NIST 800-53 PM-11 a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c. Review and revise the mission and business processes [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-12 Implement an insider threat program that includes a cross-discipline insider threat incident handling team. NULL United States 1
NIST 800-53 PM-13 Establish a security and privacy workforce development and improvement program. NULL United States 1
NIST 800-53 PM-14 a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained; and 2. Continue to be executed; and b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. NULL United States 1
NIST 800-53 PM-15 Establish and institutionalize contact with selected groups and associations within the security and privacy communities: a. To facilitate ongoing security and privacy education and training for organizational personnel; b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and c. To share current security and privacy information, including threats, vulnerabilities, and incidents. NULL United States 1
NIST 800-53 PM-16 Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. NULL United States 1
NIST 800-53 PM-16(1) Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. NULL United States 1
NIST 800-53 PM-17 a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-18 a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: 1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; 2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; 3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; 4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; 5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and 6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and b. Update the plan [Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. NULL United States 1
NIST 800-53 PM-19 Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. NULL United States 1
NIST 800-53 PM-20 Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; b. Ensures that organizational privacy practices and reports are publicly available; and c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. NULL United States 1
NIST 800-53 PM-20(1) Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: (a) Are written in plain language and organized in a way that is easy to understand and navigate; (b) Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and (c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. NULL United States 1
NIST 800-53 PM-21 a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1. Date, nature, and purpose of each disclosure; and 2. Name and address, or other contact information of the individual or organization to which the disclosure was made; b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. NULL United States 1
NIST 800-53 PM-22 Develop and document organization-wide policies and procedures for: a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; b. Correcting or deleting inaccurate or outdated personally identifiable information; c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and d. Appeals of adverse decisions on correction or deletion requests. NULL United States 1
NIST 800-53 PM-23 Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]. NULL United States 1
NIST 800-53 PM-24 Establish a Data Integrity Board to: a. Review proposals to conduct or participate in a matching program; and b. Conduct an annual review of all matching programs in which the agency has participated. NULL United States 1
NIST 800-53 PM-25 a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and d. Review and update policies and procedures [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-26 Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: a. Mechanisms that are easy to use and readily accessible by the public; b. All information necessary for successfully filing complaints; c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and e. Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 PM-27 a. Develop [Assignment: organization-defined privacy reports] and disseminate to: 1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and 2. [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and b. Review and update privacy reports [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-28 a. Identify and document: 1. Assumptions affecting risk assessments, risk responses, and risk monitoring; 2. Constraints affecting risk assessments, risk responses, and risk monitoring; 3. Priorities and trade-offs considered by the organization for managing risk; and 4. Organizational risk tolerance; b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and c. Review and update risk framing considerations [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-29 a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. NULL United States 1
NIST 800-53 PM-30 a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; 1. Implement the supply chain risk management strategy consistently across the organization; and (a) Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. NULL United States 1
NIST 800-53 PM-30(1) Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services. NULL United States 1
NIST 800-53 PM-31 Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-32 Analyze [Assignment: organization-defined systems or systems components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose. NULL United States 1
NIST 800-53 PS-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personnel security policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and c. Review and update the current personnel security: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori NULL Security - Plans and Quality United States 1
NIST 800-53 PS-2 a. Assign a risk designation to all organizational positions; b. Establish screening criteria for individuals filling those positions; and c. Review and update position risk designations [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PS-3 a. Screen individuals prior to authorizing access to the system; and b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. NULL United States 1
NIST 800-53 PS-3(1) Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. NULL United States 1
NIST 800-53 PS-3(2) Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system. NULL United States 1
NIST 800-53 PS-3(3) Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. NULL United States 1
NIST 800-53 PS-3(4) Verify that individuals accessing a system processing, storing, or transmitting [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements]. NULL United States 1
NIST 800-53 PS-4 Upon termination of individual employment: a. Disable system access within [Assignment: organization-defined time period]; b. Terminate or revoke any authenticators and credentials associated with the individual; c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieve all security-related organizational system-related property; and e. Retain access to organizational information and systems formerly controlled by terminated individual. NULL United States 1
NIST 800-53 PS-4(1) (a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. NULL United States 1
NIST 800-53 PS-4(2) Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. NULL United States 1
NIST 800-53 PS-5 a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 PS-6 a. Develop and document access agreements for organizational systems; b. Review and update the access agreements [Assignment: organization-defined frequency]; and c. Verify that individuals requiring access to organizational information and systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency]. Within your organisation, please select the agreements that all vendor staff, external contractors and associates who have access to user data or user content required to sign? NULL Security - HR United States 1
NIST 800-53 PS-6(1) [Withdrawn: Incorporated into PS-3.] NULL United States 1
NIST 800-53 PS-6(2) Verify that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official government duties; (b) Satisfy associated personnel security criteria; and (c) Have read, understood, and signed a nondisclosure agreement. NULL United States 1
NIST 800-53 PS-6(3) (a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b) Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. NULL United States 1
NIST 800-53 PS-7 a. Establish personnel security requirements, including security roles and responsibilities for external providers; b. Require external providers to comply with personnel security policies and procedures established by the organization; c. Document personnel security requirements; d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and e. Monitor provider compliance with personnel security requirements. With regards to any third-party providers that make up the solution, or provide service to you, does your organisation: - have an inventory of all third-party service providers; - regularly assess and manage the risks associated with these third-party providers; - have contractual agreements in place to ensure third-party providers adhere to your information security and privacy policies; - ensure that the contractual agreements include notification of the transfer or termination of any personnel authorised to use your organisation's systems; - monitor third party providers for compliance; and - have defined and documented roles and responsibilities with regard to third party providers, including oversight of compliance - have a classification system for these third party providers; and - have a designated internal organisation contact for each provider? NULL Security - Product Information United States 1
NIST 800-53 PS-8 a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Within your organisation, where agreements are required to be signed by vendor staff, external contractors and associates who have access to user data or user content are: - the individuals required to re-sign those agreements when they are updated; and - do those agreements provide for sanctions for failure to comply; and - is there formal notification given when a sanctions process is initiated? NULL Security - HR United States 1
NIST 800-53 PS-9 Incorporate security and privacy roles and responsibilities into organizational position descriptions. NULL United States 1
NIST 800-53 PT-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personally identifiable information processing and transparency policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and c. Review and update the current personally identifiable information processing and transparency: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 PT-2 a. Determine and document the [Assignment: organization-defined authority] that permits the [Assignment: organization-defined processing] of personally identifiable information; and b. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is authorized. NULL United States 1
NIST 800-53 PT-2(1) Attach data tags containing [Assignment: organization-defined authorized processing] to [Assignment: organization-defined elements of personally identifiable information]. NULL United States 1
NIST 800-53 PT-2(2) Manage enforcement of the authorized processing of personally identifiable information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 PT-3 a. Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable information; b. Describe the purpose(s) in the public privacy notices and policies of the organization; c. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and d. Monitor changes in processing personally identifiable information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined requirements]. NULL United States 1
NIST 800-53 PT-3(1) Attach data tags containing the following purposes to [Assignment: organization-defined elements of personally identifiable information]: [Assignment: organization-defined processing purposes]. NULL United States 1
NIST 800-53 PT-3(2) Track processing purposes of personally identifiable information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 PT-4 Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making. NULL United States 1
NIST 800-53 PT-4(1) Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to selected elements of personally identifiable information. NULL United States 1
NIST 800-53 PT-4(2) Present [Assignment: organization-defined consent mechanisms] to individuals at [Assignment: organization-defined frequency] and in conjunction with [Assignment: organization-defined personally identifiable information processing]. NULL United States 1
NIST 800-53 PT-4(3) Implement [Assignment: organization-defined tools or mechanisms] for individuals to revoke consent to the processing of their personally identifiable information. NULL United States 1
NIST 800-53 PT-5 Provide notice to individuals about the processing of personally identifiable information that: a. Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency]; b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; c. Identifies the authority that authorizes the processing of personally identifiable information; d. Identifies the purposes for which personally identifiable information is to be processed; and e. Includes [Assignment: organization-defined information]. NULL United States 1
NIST 800-53 PT-5(1) Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PT-5(2) Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals. NULL United States 1
NIST 800-53 PT-6 For systems that process information that will be maintained in a Privacy Act system of records: a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review; b. Publish system of records notices in the Federal Register; and c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy. NULL United States 1
NIST 800-53 PT-6(1) Review all routine uses published in the system of records notice at [Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected. NULL United States 1
NIST 800-53 PT-6(2) Review all Privacy Act exemptions claimed for the system of records at [Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice. NULL United States 1
NIST 800-53 PT-7 Apply [Assignment: organization-defined processing conditions] for specific categories of personally identifiable information. NULL United States 1
NIST 800-53 PT-7(1) When a system processes Social Security numbers: (a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier; (b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and (c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it. NULL United States 1
NIST 800-53 PT-7(2) Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. NULL United States 1
NIST 800-53 PT-8 When a system or organization processes information for the purpose of conducting a matching program: a. Obtain approval from the Data Integrity Board to conduct the matching program; b. Develop and enter into a computer matching agreement; c. Publish a matching notice in the Federal Register; d. Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and e. Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual. NULL United States 1
NIST 800-53 RA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] risk assessment policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and c. Review and update the current risk assessment: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/ threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable) and; o Residual risk ratings after implementing mitigation actions Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis the framework is to be reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 RA-2 a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. NULL United States 1
NIST 800-53 RA-2(1) Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels. NULL United States 1
NIST 800-53 RA-3 a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system; 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; d. Review risk assessment results [Assignment: organization-defined frequency]; e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. NULL United States 1
NIST 800-53 RA-3(1) (a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and (b) Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. NULL United States 1
NIST 800-53 RA-3(2) Use all-source intelligence to assist in the analysis of risk. NULL United States 1
NIST 800-53 RA-3(3) Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means]. NULL United States 1
NIST 800-53 RA-3(4) Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]. NULL United States 1
NIST 800-53 RA-4 [Withdrawn: Incorporated into RA-3.] NULL United States 1
NIST 800-53 RA-5 a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. NULL United States 1
NIST 800-53 RA-5(1) [Withdrawn: Incorporated into RA-5.] Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United States 1
NIST 800-53 RA-5(2) Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conductingpenetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United States 1
NIST 800-53 RA-5(3) Define the breadth and depth of vulnerability scanning coverage. NULL United States 1
NIST 800-53 RA-5(4) Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. NULL United States 1
NIST 800-53 RA-5(5) Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities]. NULL United States 1
NIST 800-53 RA-5(6) Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 RA-5(7) [Withdrawn: Incorporated into CM-8.] NULL United States 1
NIST 800-53 RA-5(8) Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 RA-5(9) [Withdrawn: Incorporated into CA-8.] NULL United States 1
NIST 800-53 RA-5(10) Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors. NULL United States 1
NIST 800-53 RA-5(11) Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? NULL Security - Processes and Testing United States 1
NIST 800-53 RA-6 Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; when the following events or indicators occur: [Assignment: organization-defined events or indicators]]. NULL United States 1
NIST 800-53 RA-7 Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. NULL United States 1
NIST 800-53 RA-8 Conduct privacy impact assessments for systems, programs, or other activities before: a. Developing or procuring information technology that processes personally identifiable information; and b. Initiating a new collection of personally identifiable information that: 1. Will be processed using information technology; and 2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government. NULL United States 1
NIST 800-53 RA-9 Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. NULL United States 1
NIST 800-53 RA-10 a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls; and b. Employ the threat hunting capability [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and services acquisition policy that: (a) Addresses purpose, scope, roles, responsibil